A DNS-focused threat actor operating under the name Savvy Seahorse has been observed employing sophisticated tactics to lure victims to fake investment platforms and siphon funds into Russian bank accounts.
Savvy Seahorse uses Facebook ads to direct users to fraudulent websites masquerading as legitimate investment platforms, often impersonating well-known companies such as Tesla and Facebook/Meta.
According to Infoblox findings, what sets Savvy Seahorse apart are its sophisticated techniques, including the use of fake ChatGPT and WhatsApp bots. These automate interactions with users and lure them into divulging personal information in exchange for the promise of a high return on investment.
“These campaigns are known to target Russian, Polish, Italian, German, Czech, Turkish, French, Spanish and English speakers, but especially in Ukraine and other countries. potential victims in a small number of countries,” explained Infoblox researchers Stelios Chatzistogias, Laura da Rocha, and Darby Wise.
One particularly obscure technique used by Savvy Seahorse is the use of DNS canonical name (CNAME) records to establish a traffic distribution system (TDS) for financial fraud campaigns.
“As a result, Savvy Seahorse can control who can access its content and dynamically update IP addresses for malicious campaigns,” the researchers wrote.
“This technique of using CNAMEs allows attackers to evade detection by the security industry. To the best of our knowledge, this technique focuses on the use of CNAMEs as TDS designed for malicious purposes. This is the first report that
The study, published Wednesday by Infoblox, also sheds light on Savvy Seahorse's ecosystem and modus operandi. Key findings include reliance on Facebook advertising, frequent IP address changes, and short campaign durations: each subdomain is advertised for only 5 to 10 days.
“Savvy Seahorse has been in operation since August 2021. While participating domains may be flagged by security tools, the larger infrastructure and attackers behind them remain undetected by the security industry,” the report states.
Additionally, threat actors use wildcard DNS entries to quickly create independent campaigns, complicating passive DNS analysis.
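The two DNS traits described above (many lure domains aliased by CNAME to one distribution point whose A records rotate, and wildcard-style subdomains under a parent) leave a recognisable shape in passive-DNS data. The following Python script is an added illustration written for this article, not code from Infoblox or from the report; the domain names, IP addresses and record set are constructed placeholders, and the registered-domain helper is a deliberately naive two-label assumption rather than a Public Suffix List lookup.

```python
"""Surface a CNAME-based traffic distribution point in passive-DNS data.

Two checks, run over constructed sample records:
  1. CNAME targets that fan in from many distinct registered domains.
  2. Parent domains whose many subdomain labels all alias the same target
     (the pattern a wildcard DNS entry produces once subdomains get advertised).
"""
from collections import defaultdict

# Constructed sample passive-DNS records (rrname, rrtype, rdata).
# Illustrative placeholders only; they are not indicators from the report.
SAMPLE_PDNS = [
    ("tesla-invest.promo-example.com", "CNAME", "tds.campaign-example.net"),
    ("meta-profit.promo-example.com",  "CNAME", "tds.campaign-example.net"),
    ("h7q2x.promo-example.com",        "CNAME", "tds.campaign-example.net"),
    ("k9w4m.promo-example.com",        "CNAME", "tds.campaign-example.net"),
    ("login.other-example.org",        "CNAME", "tds.campaign-example.net"),
    ("bonus.third-example.info",       "CNAME", "tds.campaign-example.net"),
    ("www.benign-example.com",         "CNAME", "cdn.benign-example.net"),
    ("tds.campaign-example.net",       "A",     "203.0.113.10"),
    ("tds.campaign-example.net",       "A",     "203.0.113.25"),
    ("cdn.benign-example.net",         "A",     "198.51.100.7"),
]


def _norm(name):
    return name.lower().rstrip(".")


def registered_domain(name):
    """Assumed two-label registered domain (e.g. 'a.b.example.com' -> 'example.com').

    Real tooling must consult the Public Suffix List so that names under
    suffixes such as co.uk are not collapsed to the wrong parent."""
    labels = _norm(name).split(".")
    return ".".join(labels[-2:])


def cname_targets(records):
    """Map each CNAME target to the set of registered domains aliased to it."""
    targets = defaultdict(set)
    for name, rtype, rdata in records:
        if rtype == "CNAME":
            targets[_norm(rdata)].add(registered_domain(name))
    return targets


def shared_targets(records, min_domains=3):
    """CNAME targets reached from at least `min_domains` distinct registered
    domains: a single alias target fed by many lure domains is the TDS shape."""
    return sorted(t for t, doms in cname_targets(records).items()
                  if len(doms) >= min_domains)


def wildcard_candidates(records, min_subdomains=4):
    """(parent, target, count) for parents with at least `min_subdomains`
    distinct subdomain names all aliased to the same CNAME target."""
    per_parent = defaultdict(lambda: defaultdict(set))
    for name, rtype, rdata in records:
        if rtype == "CNAME":
            per_parent[registered_domain(name)][_norm(rdata)].add(_norm(name))
    found = []
    for parent, by_target in per_parent.items():
        for target, names in by_target.items():
            if len(names) >= min_subdomains:
                found.append((parent, target, len(names)))
    return sorted(found)


def target_ips(records, target):
    """A records seen for a CNAME target. A set that keeps changing over time
    is how the alias target can be re-pointed without touching any lure domain."""
    t = _norm(target)
    return sorted(rdata for name, rtype, rdata in records
                  if rtype == "A" and _norm(name) == t)


if __name__ == "__main__":
    for target in shared_targets(SAMPLE_PDNS):
        print(f"shared CNAME target {target}: "
              f"{sorted(cname_targets(SAMPLE_PDNS)[target])} -> {target_ips(SAMPLE_PDNS, target)}")
    for parent, target, n in wildcard_candidates(SAMPLE_PDNS):
        print(f"wildcard-style parent {parent}: {n} subdomains -> {target}")
```

On the constructed data the script reports `tds.campaign-example.net` as a target fed by three unrelated registered domains, and `promo-example.com` as a parent with four distinct subdomains aliased to it. Because the alias target, not the lure domain, is the stable element, it is the CNAME target (and the changing A records behind it) that is worth tracking; blocking individual advertised subdomains that live for only days is the weaker response.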