New report exposes culprit in online investment scam that cost Australians and New Zealanders billions of dollars
Infoblox has released the first report exposing Savvy Seahorse, the main perpetrator behind a network of online cybercrime investment fraud websites. The threat actor has been active since at least 2021, and its targeted victims include people in Australia and New Zealand (A/NZ).
Savvy Seahorse uses Facebook ads to lure victims and convince them to open an account, make a deposit, and invest in companies such as Tesla and Meta. Once a deposit is made, the cybercriminal organization transfers the funds to a Russian bank. Its tactics, techniques and procedures (TTPs) also include a ChatGPT bot and a WhatsApp bot that imitate online web chats and prompt victims to ask about investment platforms.
In Australia, the Australian Competition and Consumer Commission (ACCC) reported that almost half of the A$3.1 billion lost to fraud by Australians in 2022 was due to investment fraud. Meanwhile, in New Zealand, the government is warning of “out-of-the-box” conditions. The “Blue” investment scam was the main reason New Zealanders lost approximately NZ$200 million to fraud in the same year.
Savvy Seahorse targets Russian, Polish, Italian, German, Czech, Turkish, French and Spanish speakers, as well as Australians and New Zealanders. The reason for this selection is unclear, but by design the operation excludes traffic from Ukraine and a few other countries.
In its report, Infoblox details how the attackers use a specific Domain Name System (DNS) technique, acting as a traffic distribution system (TDS), to map campaign domains onto their infrastructure, imitate legitimate sites, and route Internet users to fraudulent websites. Infoblox, a cloud and networking security company, says this is the first time it has seen this approach, which was a key factor in keeping Savvy Seahorse under wraps for so long.
“Australia and New Zealand have high disposable income per capita and a lot of mom and dad investors looking to enter the market,” said Renée Burton, Infoblox head of threat intelligence and a former U.S. National Security Agency senior executive.
“Threat actors like Savvy Seahorse see an opportunity in this, and with the advent of social media advertising, these cybercriminals have a cheap and easy way to show their fraudulent websites to millions of people. It’s important to remember the old adage, ‘If it seems too good to be true…’ We all need to be extra vigilant when investing funds or providing financial credentials through websites, because we know that criminals out there are trying to steal money from everyone.”
Other findings and technical aspects of the report include:
- Savvy Seahorse uses dedicated hosting and changes IP addresses regularly.
- Individual campaigns are short-lived (each subdomain is promoted for 5-10 days).
- The attacker appears to use a phased deployment system that changes a campaign domain’s canonical name (CNAME), a type of DNS record, depending on whether the campaign is currently active.
- The infrastructure uses “wildcard DNS” entries, which match requests for subdomains that have not been explicitly defined. This lets Savvy Seahorse quickly create many independent campaigns, but it also confuses passive DNS (pDNS) analysis.
- The victim’s personal data is sent to a secondary HTTP-based TDS server, where the information is verified and geofencing is applied to exclude Ukraine, India, Fiji, Tonga, Zambia, Afghanistan, and Moldova.
- The second HTTP-based TDS also tracks users’ IP addresses and email addresses over time.
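The two DNS behaviours listed above (many short-lived subdomains fronting one CNAME target, and a campaign name whose CNAME is flipped when it goes inactive) leave a recognisable shape in passive DNS data. The script below is an added, hypothetical example of a defender-side pDNS triage check; it is not code from the Infoblox report, and every domain name and date in it is constructed.

```python
"""Spot CNAME-fronted TDS patterns in passive DNS (pDNS) records.

Hypothetical example. Each record is (query name, CNAME target, first_seen, last_seen);
all names and dates below are constructed, not taken from any report.
"""
from collections import defaultdict
from datetime import date

SAMPLE_PDNS = [
    # several short-lived campaign names, under different zones, sharing one CNAME hub
    ("invest-now.camp-a.test", "active.tds-hub.test", date(2024, 3, 1), date(2024, 3, 8)),
    ("tesla-gains.camp-a.test", "active.tds-hub.test", date(2024, 3, 9), date(2024, 3, 15)),
    ("meta-profit.camp-b.test", "active.tds-hub.test", date(2024, 3, 10), date(2024, 3, 18)),
    ("quick-returns.camp-c.test", "active.tds-hub.test", date(2024, 3, 20), date(2024, 3, 27)),
    # the first campaign name later repointed to a parked target (phased deployment)
    ("invest-now.camp-a.test", "parked.tds-hub.test", date(2024, 3, 9), date(2024, 4, 30)),
    # benign, long-lived CNAME to a CDN; must not be flagged
    ("www.shop.test", "shop.cdn-provider.test", date(2022, 1, 1), date(2024, 4, 30)),
]

def parent_zone(name, labels=2):
    """Return the last `labels` labels of a name, e.g. 'camp-a.test'."""
    return ".".join(name.split(".")[-labels:])

def find_cname_hubs(records, min_names=3, max_lifetime_days=10):
    """Map CNAME target -> sorted query names, keeping only targets that at least
    `min_names` distinct names, each observed for <= max_lifetime_days, point at."""
    by_target = defaultdict(set)
    for name, cname, first, last in records:
        if (last - first).days <= max_lifetime_days:
            by_target[cname].add(name)
    return {c: sorted(n) for c, n in by_target.items() if len(n) >= min_names}

def find_cname_flips(records):
    """Map query name -> its CNAME targets in first_seen order, for names whose target changed."""
    by_name = defaultdict(list)
    for name, cname, first, _ in records:
        by_name[name].append((first, cname))
    flips = {}
    for name, seen in by_name.items():
        targets = [c for _, c in sorted(seen)]
        if len(set(targets)) > 1:
            flips[name] = targets
    return flips

if __name__ == "__main__":
    for hub, names in find_cname_hubs(SAMPLE_PDNS).items():
        zones = sorted({parent_zone(n) for n in names})
        print(f"hub {hub}: {len(names)} short-lived names across zones {zones}")
    for name, targets in find_cname_flips(SAMPLE_PDNS).items():
        print(f"{name}: CNAME changed {' -> '.join(targets)}")
```

Thresholds (three names, ten days) are illustrative; tune them against your own pDNS baseline, since CDNs and hosting providers legitimately front many names with one CNAME but rarely with such short lifetimes.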
“Criminals use social engineering to deceive people. That’s their job, and they’re very good at it,” Burton added. “While people may be surprised to have their savings stolen, victims should not be shamed for having been duped. They are preying on the hope that we all have to get lucky in life.”
The full report is available here.