Cybercriminals Using Novel DNS Hijacking Technique for Investment Scams

Cybercriminals Using Novel DNS Hijacking Technique for Investment Scams

A new DNS threat actor dubbed Savvy Seahorse is leveraging sophisticated techniques to entice targets into fake investment platforms and steal funds.

“Savvy Seahorse is a DNS threat actor who convinces victims to create accounts on fake investment platforms, make deposits to a personal account, and then transfers those deposits to a bank in Russia,” Infoblox said in a report published last week.

Targets of the campaigns include Russian, Polish, Italian, German, Czech, Turkish, French, Spanish, and English speakers, indicating that the threat actors are casting a wide net in their attacks.

CNAME record is used to map a domain or subdomain to another domain (i.e., an alias) instead of pointing to an IP address. One advantage with this approach is that when the IP address of the host changes, only the DNS A record for the root domain needs to be updated.

Savvy Seahorse leverages this technique to its advantage by registering several short-lived subdomains that share a CNAME record (and thus an IP address). These specific subdomains are created using a domain generation algorithm (DGA) and are associated with the primary campaign domain.

While threat actors like VexTrio have used DNS as a TDS, the discovery marks the first time CNAME records have been used for such purposes.

Victims who end up clicking the links embedded on Facebook ads are urged to provide their names, email addresses, and phone numbers, after which they are redirected to the bogus trading platform for adding funds to their wallets.

The development comes as Guardio Labs revealed that thousands of domains belonging to legitimate brands and institutions have been hijacked using a technique called CNAME takeover to propagate spam campaigns.