Beware the Shallow Waters: Savvy Seahorse Lures Victims to Fake Investment Platforms Through Facebook Ads

This article examines a novel technique employed by the Savvy Seahorse DNS threat actor to facilitate large-scale investment scams that target individuals through fake investment platforms. The method uses DNS CNAME records to build a traffic distribution system (TDS) that helps the campaigns avoid detection. The US Federal Trade Commission's figures on financial losses from such scams underscore the seriousness of the issue. Affected: investment sector, cybersecurity, victims.

Key points:

  • Savvy Seahorse uses DNS CNAME records to orchestrate complex financial scams.
  • Investment scams accounted for over USD .6 billion lost by victims in 2023, as reported by the US FTC.
  • The threat actor has been operating since at least August 2021.
  • Campaigns are served via Facebook ads and target various language speakers.
  • The actor uses fake bots for user interaction, collecting personal information in exchange for purported investment opportunities.
  • New campaigns often use a phased deployment system and change IP addresses regularly to evade detection.
  • The techniques described have not been extensively reported prior to this study, highlighting a unique TTP.
  • Over 4.2k base domains with CNAME records associated with Savvy Seahorse have been identified.

MITRE Techniques:

  • Command and Control (T1071.001) – Utilizes DNS-based traffic distribution systems via CNAME records to manage and control campaigns.
  • Credential Dumping (T1003.001) – Collects sensitive information (e.g., email, phone numbers) from victims to facilitate further exploitation.
  • Phishing (T1566.001) – Engages users through fake investment platforms advertised on social media, prompting them to provide personal data.
  • Domain Generation Algorithm (DGA) (T1483) – Deploys domains and subdomains dynamically for each campaign, using pseudo-random names for evasion.
  • Upload/Download (T1105) – Implements infrastructure that can dynamically update malicious IPs and domains by changing CNAME records.

Indicators of Compromise:

  • [Domain] getyourapi[.]site
  • [Domain] land-nutra[.]b36cname[.]site
  • [Domain] prx[.]b36cname[.]site
  • [Domain] new[.]xsdelx[.]top
  • [Domain] ultra-vest[.]one
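The key points describe campaign domains that are pointed, via CNAME records, at a shared actor-controlled hub, so the hub can be retargeted without touching the thousands of front domains. A defender with passive-DNS data can surface that pattern by following CNAME chains and grouping registrable domains by the hub they terminate at. The script below is an added example, not part of this summary or of Infoblox's tooling; the passive-DNS records are constructed for illustration (only the domain names come from the indicator list above, the chains and IP addresses are made up), and `base_domain` is a hypothetical two-label approximation of a registrable domain that a real deployment would replace with a public-suffix lookup.

```python
from collections import defaultdict


def refang(indicator: str) -> str:
    """Convert a defanged indicator such as 'a[.]b' to 'a.b' (lower-case, no trailing dot)."""
    return indicator.replace("[.]", ".").strip().rstrip(".").lower()


def base_domain(fqdn: str, depth: int = 2) -> str:
    """Registrable-domain approximation: keep the last `depth` labels.
    Hypothetical helper; a public-suffix list is needed for names like example.co.uk."""
    return ".".join(fqdn.split(".")[-depth:])


# Constructed passive-DNS sample: (owner name, rrtype, rdata). The chains and
# IPs are illustrative; only the domain names are taken from the indicator list.
SAMPLE_RECORDS = [
    ("www.ultra-vest[.]one", "CNAME", "land-nutra[.]b36cname[.]site"),
    ("land-nutra[.]b36cname[.]site", "CNAME", "prx[.]b36cname[.]site"),
    ("prx[.]b36cname[.]site", "A", "203.0.113.10"),
    ("campaign-example[.]site", "CNAME", "prx[.]b36cname[.]site"),
    ("getyourapi[.]site", "CNAME", "new[.]xsdelx[.]top"),
    ("new[.]xsdelx[.]top", "A", "203.0.113.20"),
    ("www.unrelated-example[.]com", "A", "198.51.100.5"),
]


def build_cname_map(records):
    """owner -> CNAME target for every CNAME record, with names refanged."""
    return {refang(name): refang(target) for name, rrtype, target in records if rrtype == "CNAME"}


def resolve_chain(name, cname_map, max_hops=8):
    """Follow CNAMEs from `name`; stop at a terminal name, a loop, or max_hops."""
    chain = [refang(name)]
    seen = {chain[0]}
    while chain[-1] in cname_map and len(chain) < max_hops:
        nxt = cname_map[chain[-1]]
        if nxt in seen:  # CNAME loop: stop rather than spin forever
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def cluster_by_hub(records):
    """Group registrable front domains by the registrable domain of their terminal CNAME target."""
    cmap = build_cname_map(records)
    clusters = defaultdict(set)
    for owner in cmap:
        terminal = resolve_chain(owner, cmap)[-1]
        hub = base_domain(terminal)
        member = base_domain(owner)
        if member != hub:  # skip the hub's own internal hops (land-nutra -> prx)
            clusters[hub].add(member)
    return {hub: sorted(members) for hub, members in clusters.items()}


def shared_hubs(clusters, min_members=2):
    """Hubs fronting several unrelated registrable domains: TDS candidates worth review."""
    return sorted(hub for hub, members in clusters.items() if len(members) >= min_members)


if __name__ == "__main__":
    clusters = cluster_by_hub(SAMPLE_RECORDS)
    for hub, members in clusters.items():
        print(f"{hub}: {members}")
    print("TDS candidates:", shared_hubs(clusters))
```

On the sample data, `ultra-vest.one` and `campaign-example.site` both terminate under `b36cname.site`, so that hub is flagged while `xsdelx.top`, with a single front domain, is not. In production the threshold and the hub list become the alerting rule: a new CNAME record appearing for an already-flagged hub is the cheap signal that a fresh campaign domain has been stood up.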

Full Story: https://blogs.infoblox.com/threat-intelligence/beware-the-shallow-waters-savvy-seahorse-lures-victims-to-fake-investment-platforms-through-facebook-ads/