February 28, 2024 at 09:07AM
A new threat actor executes an innovative investment scam through a sophisticated traffic distribution system (TDS), leveraging the DNS to sustain ever-changing malicious domains. The scam impersonates major brands, luring victims through multilingual Facebook ads. The TDS, supported by CNAME records, provides resilience and evasion against takedowns, posing a significant challenge for defenders.
Key takeaways from the meeting notes:
1. Savvy Seahorse is an advanced threat actor running an investment scam through a traffic distribution system (TDS) that takes advantage of the Domain Name System (DNS) to continuously create new and shed old domains without changing the campaign itself.
2. Savvy Seahorse impersonates major brand names like Meta and Tesla, luring victims into creating accounts on a fake investing platform through Facebook ads in nine languages.
3. The TDS operated by Savvy Seahorse uses thousands of varied and fluid domains with a Canonical Name (CNAME) record, allowing them to scale and move their operations quickly and evade detection. The base domain associated with the CNAME is b36cname[.]site.
4. CNAME records serve as the map to the mirrors of their phishing sites, allowing them to mirror the same content across multiple domains.
5. Savvy Seahorse has utilized over 30 domain registrars and 21 ISPs to host 4,200 domains, providing a resilient and evasive infrastructure.
6. However, the CNAME is Savvy Seahorse’s single point of failure, as blocking the one base domain it points to could effectively neutralize the entire malicious network.
7. Threat intelligence efforts can focus on identifying and blocking the base domain associated with the CNAME to disrupt Savvy Seahorse’s operations effectively.
These takeaways summarize the threat posed by Savvy Seahorse and the infrastructure supporting its activity. The practical point for defenders is that the shared CNAME base domain is the place where the attacker's operations can be disrupted.
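The check described in items 6 and 7, as an added example that is not part of the original write-up: it follows CNAME chains in DNS records and flags every name that ends up under the base domain b36cname[.]site. The record tuple layout, the function names and the sample records are assumptions made for illustration.

```python
def normalize(name):
    """Lowercase, refang '[.]', and drop the trailing root dot."""
    return name.replace("[.]", ".").strip().rstrip(".").lower()

# Base domain named on this page, kept defanged in source and refanged at load time.
BLOCKED_BASES = {normalize("b36cname[.]site")}

def under_base(name, bases=BLOCKED_BASES):
    """True if name equals a base or is a subdomain of it (label-aligned match)."""
    name = normalize(name)
    return any(name == b or name.endswith("." + b) for b in bases)

def build_cname_map(records):
    """records: (owner, rtype, rdata) tuples, e.g. from passive DNS or resolver logs."""
    return {normalize(o): normalize(d) for o, t, d in records if t.upper() == "CNAME"}

def resolve_chain(qname, cname_map, max_hops=8):
    """Follow CNAMEs from qname; stop on a loop or after max_hops."""
    chain, seen = [normalize(qname)], set()
    while chain[-1] in cname_map and chain[-1] not in seen and len(chain) <= max_hops:
        seen.add(chain[-1])
        chain.append(cname_map[chain[-1]])
    return chain

def flag_domains(records, bases=BLOCKED_BASES):
    """Return {owner: chain} for every owner whose CNAME chain touches a blocked base."""
    cmap = build_cname_map(records)
    hits = {}
    for owner in cmap:
        chain = resolve_chain(owner, cmap)
        if any(under_base(n, bases) for n in chain[1:]):
            hits[owner] = chain
    return hits

# Constructed sample records (not campaign data); example.* names are placeholders.
SAMPLE = [
    ("invest.example.com.", "CNAME", "x1.B36CNAME[.]site."),
    ("x1.b36cname.site.", "A", "192.0.2.10"),
    ("promo.example.net.", "CNAME", "hop.example.org."),
    ("hop.example.org.", "CNAME", "x2.b36cname.site."),
    ("shop.example.com.", "CNAME", "cdn.notb36cname.site."),  # look-alike, must not match
    ("loop-a.example.com.", "CNAME", "loop-b.example.com."),
    ("loop-b.example.com.", "CNAME", "loop-a.example.com."),
]

if __name__ == "__main__":
    for name, chain in sorted(flag_domains(SAMPLE).items()):
        print(name, "->", " -> ".join(chain))
```

Matching on a label boundary keeps look-alike names such as `notb36cname.site` out of the results, and checking every hop catches domains that reach the base through an intermediate CNAME.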