February 28, 2024 at 09:39AM
Savvy Seahorse uses CNAME DNS records to create a traffic distribution system for financial scam campaigns. Infoblox researchers uncovered this operation in August 2021, noting the use of chatbots to automate scamming and the abuse of DNS CNAME records to manage redirects and evade detection. The actor targets victims through multilingual investment scam promotions.
The following key takeaways can be identified:
1. Savvy Seahorse uses DNS CNAME records as a Traffic Distribution System (TDS) for its financial scam campaigns, which lets it manage infrastructure changes and evade detection through IP rotation.
2. The technique involves registering many subdomains that share a common CNAME record, so the actor can rotate to new destinations when security software blocks a particular IP address, or simply to avoid detection, without altering the DNS settings of the attack domains themselves.
3. Using domain generation algorithms (DGAs), Savvy Seahorse creates and manages thousands of domains utilized in the CNAME TDS system and uses wildcard DNS responses to change the status of these domains.
4. Savvy Seahorse spreads its infrastructure across multiple registrars and hosting providers to evade attribution and achieve operational resilience.
5. The threat actor promotes investment scams globally, with lures in multiple languages, and uses chatbots to interact with victims; the chatbots lend the scam apparent legitimacy and carry much of the social engineering.
6. Meta Pixel trackers are also used for performance tracking, likely to refine tactics.
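Takeaways 2 and 3 describe what a CNAME TDS looks like from the resolver side: many distinct lure domains, often with DGA-style subdomain labels served by wildcard DNS, all alias to a small number of shared CNAME targets. The script below is an added example written for this post, not code from Infoblox or from the report; it runs a defender's check over passive-DNS style records and flags the shared CNAME hubs and the wildcard/DGA pattern. The record format, all domain names, and the IP address are constructed placeholders (RFC 5737 documentation space), not real indicators, and the registered-domain helper is a deliberate two-label simplification.

```python
"""Detect CNAME-based traffic distribution hubs in passive-DNS style records.

Added example, not from the Infoblox report. It flags (1) CNAME targets that
many distinct registered domains alias to, the hallmark of a CNAME TDS, and
(2) bases under which several random-looking subdomains all point at the same
CNAME target, which is what wildcard DNS plus DGA-generated lure names looks
like from the resolver side. Record format and sample data are constructed.
"""
import math
from collections import defaultdict

# Constructed sample records in "qname,rtype,rdata" form. None of these names
# or addresses are real Savvy Seahorse indicators; they are placeholders.
SAMPLE_PASSIVE_DNS = """\
a1b2c3.lure-example-one.test,CNAME,hub.redirector-example.test
x9y8z7.lure-example-one.test,CNAME,hub.redirector-example.test
q4w5e6.lure-example-two.test,CNAME,hub.redirector-example.test
promo.lure-example-three.test,CNAME,hub.redirector-example.test
hub.redirector-example.test,A,203.0.113.10
www.legit-example.test,CNAME,cdn.legit-example.test
cdn.legit-example.test,A,198.51.100.5
mail.another-example.test,A,192.0.2.7
"""


def parse_records(text):
    """Parse 'qname,rtype,rdata' lines into lower-cased (qname, rtype, rdata) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        qname, rtype, rdata = (p.strip().lower().rstrip(".") for p in line.split(",", 2))
        records.append((qname, rtype, rdata))
    return records


def registered_domain(name):
    """Simplified eTLD+1: the last two labels. Assumption for this example only;
    a real deployment should consult the Public Suffix List (e.g. for .co.uk)."""
    labels = name.split(".")
    return ".".join(labels[-2:])


def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label; high values are
    typical of DGA output, low values of human-chosen names like 'www' or 'promo'."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_cname_hubs(records, min_domains=3):
    """Return {cname_target: sorted registered domains} for every target that at
    least min_domains distinct registered domains alias to (the TDS hub)."""
    hubs = defaultdict(set)
    for qname, rtype, rdata in records:
        if rtype == "cname":
            hubs[rdata].add(registered_domain(qname))
    return {t: sorted(d) for t, d in hubs.items() if len(d) >= min_domains}


def find_wildcard_candidates(records, min_subdomains=2, min_entropy=2.0):
    """Return {(base, cname_target): sorted leftmost labels} where several
    high-entropy subdomains of one base all alias to the same CNAME target."""
    groups = defaultdict(set)
    for qname, rtype, rdata in records:
        if rtype != "cname":
            continue
        base = registered_domain(qname)
        if qname == base:
            continue
        leftmost = qname[: -len(base) - 1].split(".")[0]
        if label_entropy(leftmost) >= min_entropy:
            groups[(base, rdata)].add(leftmost)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_subdomains}


def hub_addresses(records, hubs):
    """Map each flagged hub to the A records observed for it: blocking or
    alerting on the hub covers every lure domain that aliases to it."""
    return {h: sorted(r for q, t, r in records if t == "a" and q == h) for h in hubs}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_PASSIVE_DNS)
    hubs = find_cname_hubs(recs)
    for hub, domains in hubs.items():
        print(f"CNAME hub {hub} fronts {len(domains)} lure domains: {domains}")
    for (base, target), labels in find_wildcard_candidates(recs).items():
        print(f"wildcard/DGA pattern under {base} -> {target}: {labels}")
    print(hub_addresses(recs, hubs))
```

The design choice follows directly from takeaway 2: because the actor rotates the hub's A record rather than touching each lure domain, blocklists keyed on lure domains or on single IPs lag behind, whereas pivoting on the shared CNAME target in resolver logs or passive DNS catches the whole cluster at once and surfaces new lure domains as soon as they are queried.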
These takeaways highlight the sophisticated tactics employed by Savvy Seahorse and the global nature of their malicious activities. The use of multiple languages, chatbot impersonations, and diverse payment methods demonstrates the level of sophistication and coordination in their scams. It is clear that they have made extensive efforts to evade detection and attribution while targeting victims across different countries and regions.