March 5, 2024 at 06:45AM
Savvy Seahorse, a newly identified DNS threat actor, uses sophisticated techniques to lure victims into fake investment platforms, targeting individuals in a range of countries. The actor uses DNS CNAME records to build a traffic distribution system, which makes its phishing sites hard to detect and take down. Victims are tricked into handing over personal information and making deposits, and their funds are eventually transferred to a bank in Russia.
The key takeaways are:
1. A new DNS threat actor known as “Savvy Seahorse” is using sophisticated techniques to trick victims into investing in fake platforms and then allegedly transferring the funds to a bank in Russia.
2. The targets of these campaigns include individuals from various European countries, indicating a wide reach in their attacks.
3. The threat actors lure victims through social media ads and entice them into disclosing personal information in exchange for high-return investment opportunities.
4. Since at least August 2021, the actor has used DNS canonical name (CNAME) records to build a traffic distribution system (TDS), which lets the campaign infrastructure evade detection and survive takedowns.
5. The lure hostnames are short-lived subdomains produced by a domain generation algorithm (DGA); each is a CNAME alias of the primary campaign domain, so blocking or reporting individual subdomains has little effect, while the actor can retarget every alias at once by changing the record they all point to.
6. Victims who click on the links are prompted to provide personal information and then redirected to a fake trading platform to add funds to their wallets.
7. The threat actor excludes traffic from specific countries, though their reasoning for doing so is unclear.
8. Separately, Guardio Labs has reported thousands of legitimate brand domains being hijacked through CNAME takeover, in which a brand's subdomain still carries a CNAME to a domain or hosted service the brand has since abandoned, an attacker registers or claims that target, and the inherited reputation of the brand domain is then used to propagate spam campaigns.
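The two DNS abuses above, a CNAME-based TDS (takeaways 4 and 5) and CNAME takeover (takeaway 8), can be surfaced with the same piece of analysis: follow each observed hostname's CNAME chain and look at where the chains end. The following script is an added example, not code from Infoblox, Guardio Labs or the reports summarised here. It works over a constructed, in-memory zone (all hostnames and addresses are hypothetical and use reserved example ranges) rather than live DNS, so it runs offline; swapping `SAMPLE_RECORDS` for real resolver output is the only change needed to run it on telemetry.

```python
"""Follow CNAME chains to spot TDS fan-in hubs and dangling (takeover-able) CNAMEs.

Added example with constructed data; not the code of any vendor named on the page.
"""
from collections import defaultdict

# Constructed zone data: name -> (rrtype, rdata). Every name here is hypothetical.
SAMPLE_RECORDS = {
    # DGA-style, short-lived lure subdomains that all alias one campaign hostname
    "k7x2q.invest-offer.example": ("CNAME", "b36cname.campaign-tds.example"),
    "p9d0w.invest-offer.example": ("CNAME", "b36cname.campaign-tds.example"),
    "zz41m.invest-offer.example": ("CNAME", "b36cname.campaign-tds.example"),
    # The hub: one record the actor edits to retarget every lure at once
    "b36cname.campaign-tds.example": ("CNAME", "lander.campaign-tds.example"),
    "lander.campaign-tds.example": ("A", "203.0.113.10"),
    # A brand subdomain whose CNAME target was abandoned (takeover candidate)
    "promo.brand.example": ("CNAME", "brand-promo.abandoned-saas.example"),
    "www.brand.example": ("A", "198.51.100.5"),
    # A CNAME loop, included so the resolver's loop guard is exercised
    "loop1.example": ("CNAME", "loop2.example"),
    "loop2.example": ("CNAME", "loop1.example"),
}

# Hostnames "seen in telemetry" (constructed): ad click-throughs, passive DNS, etc.
OBSERVED = [
    "k7x2q.invest-offer.example", "p9d0w.invest-offer.example",
    "zz41m.invest-offer.example", "promo.brand.example",
    "www.brand.example", "loop1.example",
]

ADDRESS_TYPES = {"A", "AAAA"}


def resolve_chain(name, records, max_hops=8):
    """Return (chain, status). chain lists every name visited, starting with name.

    status is the terminal rrtype ("A"/"AAAA"), or "NXDOMAIN" when a name has no
    record, "LOOP" when a CNAME revisits a name, or "TOO_LONG" past max_hops.
    """
    chain, seen, cur = [name], {name}, name
    for _ in range(max_hops):
        rec = records.get(cur)
        if rec is None:
            return chain, "NXDOMAIN"
        rtype, target = rec
        if rtype != "CNAME":
            return chain, rtype
        chain.append(target)
        if target in seen:
            return chain, "LOOP"
        seen.add(target)
        cur = target
    return chain, "TOO_LONG"


def cluster_by_target(names, records):
    """Group CNAME-aliased names by the final address-bearing name they reach."""
    clusters = defaultdict(list)
    for n in names:
        chain, status = resolve_chain(n, records)
        if status in ADDRESS_TYPES and len(chain) > 1:
            clusters[chain[-1]].append(n)
    return {target: sorted(srcs) for target, srcs in clusters.items()}


def find_tds_hubs(names, records, min_fanin=3):
    """Canonical targets that many distinct hostnames converge on: TDS-style fan-in."""
    return {t: s for t, s in cluster_by_target(names, records).items()
            if len(s) >= min_fanin}


def find_dangling(names, records):
    """(name, target) pairs whose CNAME chain dies in NXDOMAIN: takeover candidates."""
    out = []
    for n in names:
        chain, status = resolve_chain(n, records)
        if status == "NXDOMAIN" and len(chain) > 1:
            out.append((n, chain[-1]))
    return out


def retarget_hub(records, hub, new_target, new_addr):
    """Simulate the actor editing a single hub record; returns a modified copy."""
    updated = dict(records)
    updated[hub] = ("CNAME", new_target)
    updated[new_target] = ("A", new_addr)
    return updated


if __name__ == "__main__":
    print("TDS hubs:", find_tds_hubs(OBSERVED, SAMPLE_RECORDS))
    print("Dangling CNAMEs:", find_dangling(OBSERVED, SAMPLE_RECORDS))
    moved = retarget_hub(SAMPLE_RECORDS, "b36cname.campaign-tds.example",
                         "lander2.campaign-tds.example", "203.0.113.20")
    print("After one record change:", find_tds_hubs(OBSERVED, moved))
```

The fan-in check is what a defender has and the actor cannot hide: however many throwaway subdomains the DGA emits, they all converge on the same canonical name, so alerting on the hub rather than on individual lure hostnames survives the churn. `retarget_hub` shows the flip side, namely why blocking the landing host alone is brittle: one record edit moves every alias to a new destination. The dangling-CNAME check is the same chain walk read for a different terminal state (NXDOMAIN instead of an address), which is the condition CNAME takeover exploits; on real data, confirm that the target's registrable domain is actually available or claimable before treating it as a finding.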