Infoblox Reveals DNS Threat Actor in Major Financial Frauds
Infoblox Inc., a renowned leader in cloud networking and security services, today revealed its latest threat intelligence report. The report exposes Savvy Seahorse, a malicious DNS threat actor orchestrating online investment scams targeting victims worldwide, including Singapore.
Operating since at least 2021, Savvy Seahorse uses Facebook ads to lure in victims and convince them to open accounts, make deposits, and invest in companies including Tesla and Meta. Once deposited, the cybercriminal gang then transfers the funds to a bank in Russia. Its tactics, techniques, and procedures (TTPs) also include ChatGPT and WhatsApp bots imitating online webchats to encourage victims to inquire about investment platforms.
Scams and cybercrime continue to be a key concern in Singapore, despite continued reports and warnings by Singapore authorities. In the latest annual scams and cybercrime brief by the Singapore Police Force on 19 February, scam victims in Singapore lost S$651.8 million in 2023, with a record high of over 46,000 cases reported. Of that, S$204.5 million was lost in 4,030 reported cases of investment scams. The brief also reported that scammers commonly reached out to victims through social media and messaging platforms. Three Meta products (Facebook, WhatsApp and Instagram) were flagged by the authorities as being of particular concern, and they continue to be over-represented among the platforms exploited by scammers.
In the threat intel report, titled “Beware the Shallow Waters: Savvy Seahorse Lures Victims to Fake Investment Platforms Through Facebook Ads”, Infoblox details how the threat actor uses a specific type of domain name system (DNS) attack to map website domains and route internet users via traffic distribution systems (TDS) to scam websites that often mimic legitimate sites. This is the first time the cloud and networking security company has seen this approach, which has been a key factor in Savvy Seahorse’s ability to remain hidden for so long.
Here’s a snapshot of how Savvy Seahorse does it:
- Fake Investment Platforms: Just like a fake bank might try to get victims to deposit money with them, Savvy Seahorse lures users into fake investment platforms. These platforms might look real, but they’re just a front for their scam.
- Personal Information: Once the victim is on the platform, they ask for personal and financial information, such as identity numbers and bank account details.
- Changing Tactics: Savvy Seahorse is sneaky. They change their IP addresses (like changing their physical location) and create multiple subdomains (like opening up multiple fake bank branches) to avoid getting caught.
Other findings and technical aspects from the report include:
- Savvy Seahorse uses dedicated hosting and changes its IP addresses regularly.
- Individual campaigns are short-lived (each subdomain is advertised for five-to-10 days).
- The threat actor appears to use a phased deployment system in which the Canonical Name (CNAME) – a type of DNS record – for a campaign domain will change based on whether it is currently active or not.
- It uses ‘wildcard DNS’ entries, which match requests for non-existent domain names. This allows Savvy Seahorse to create a large number of independent campaigns quickly but can add confusion to passive DNS (pDNS) analysis.
- Victims’ personal data is sent to a secondary HTTP-based TDS server to validate the information and apply geofencing to exclude Ukraine, India, Fiji, Tonga, Zambia, Afghanistan, and Moldova.
- The second HTTP-based TDS also tracks user IP and email addresses over time.
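The CNAME-based TDS and the short-lived wildcard subdomains described above leave a recognisable shape in passive DNS data. The following is an added defender-side example, not code from the Infoblox report: it clusters constructed pDNS rows by CNAME target, flags names observed for at most ten days, and reports targets that front several such names, along with their A-record churn. All domain names, IP addresses and dates are constructed placeholders.

```python
"""Added defender-side example, not code from the Infoblox report: cluster
passive DNS (pDNS) records by CNAME target so that many short-lived campaign
subdomains fronting one TDS base domain stand out. Names, IPs, dates are constructed."""
from collections import defaultdict
from datetime import date

# Constructed pDNS rows: (rrname, rrtype, rdata, first_seen, last_seen)
PDNS = [
    ("invest-now.ads-example.test", "CNAME", "base.tds-example.test", "2024-01-02", "2024-01-09"),
    ("crypto-gain.ads-example.test", "CNAME", "base.tds-example.test", "2024-01-05", "2024-01-12"),
    ("a1b2c3.ads-example.test", "CNAME", "base.tds-example.test", "2024-01-20", "2024-01-26"),
    ("www.ads-example.test", "A", "192.0.2.10", "2023-06-01", "2024-02-01"),
    ("blog.news-example.test", "CNAME", "cdn.hosting-example.test", "2022-01-01", "2024-02-01"),
    ("base.tds-example.test", "A", "198.51.100.7", "2024-01-01", "2024-01-15"),
    ("base.tds-example.test", "A", "198.51.100.9", "2024-01-15", "2024-02-01"),
]

def cluster_by_cname(records):
    """Map each CNAME target to the set of names pointing at it."""
    clusters = defaultdict(set)
    for rrname, rrtype, rdata, _, _ in records:
        if rrtype == "CNAME":
            clusters[rdata].add(rrname)
    return dict(clusters)

def short_lived(records, max_days=10):
    """Names observed for at most max_days, matching the report's
    five-to-10-day advertising window per campaign subdomain."""
    names = set()
    for rrname, _, _, first, last in records:
        if (date.fromisoformat(last) - date.fromisoformat(first)).days <= max_days:
            names.add(rrname)
    return names

def suspicious_tds_targets(records, min_names=3):
    """CNAME targets fronting at least min_names short-lived names: the
    shape a CNAME-based TDS with wildcard subdomains leaves in pDNS."""
    transient = short_lived(records)
    return {target: sorted(names & transient)
            for target, names in cluster_by_cname(records).items()
            if len(names & transient) >= min_names}

def ip_history(records, name):
    """A records seen for a name, in observation order (hosting churn)."""
    return [rdata for rrname, rrtype, rdata, _, _ in records
            if rrname == name and rrtype == "A"]

if __name__ == "__main__":
    for target, names in suspicious_tds_targets(PDNS).items():
        print(target, "fronts", len(names), "short-lived names; IPs:", ip_history(PDNS, target))
```

On real pDNS exports the same grouping works on any feed that records rrname, rrtype, rdata and first/last-seen timestamps; the threshold values are starting points to tune against your own baseline.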
The full report is available here.