A newly identified DNS threat actor, dubbed Savvy Seahorse, is using sophisticated techniques to lure targets onto fake investment platforms and steal their funds.
"Savvy Seahorse is a DNS threat actor who convinces victims to create accounts on fake investment platforms, make deposits to a personal account, and then transfer those deposits to a bank in Russia," Infoblox said in a report published last week.
Targets of the campaigns include Russian, Polish, Italian, German, Czech, Turkish, French, Spanish and English speakers, indicating that the threat actor is casting a wide net.
Users are lured through ads on social media platforms such as Facebook and are also tricked into handing over personal information in exchange for supposedly high-yield investment opportunities pitched through fake ChatGPT and WhatsApp bots.
The financial scam campaigns are notable for using DNS canonical name (CNAME) records to build a traffic distribution system (TDS), which has allowed the threat actor to evade detection since at least August 2021.
A CNAME record maps a domain or subdomain to another domain name (an alias) rather than to an IP address. One advantage of this approach is that when the host's IP address changes, only the DNS A record of the root domain needs to be updated.
Savvy Seahorse turns this to its advantage by registering many short-lived subdomains that share a single CNAME record (and therefore a single IP address). These subdomains are generated with a domain generation algorithm (DGA) and are tied to the main campaign domain.
The constantly changing domains and IP addresses also make the infrastructure resilient to takedown efforts: the threat actor can keep creating new domains, or change the shared CNAME record so that it resolves to a different IP address, as its phishing sites are taken down.
Although threat actors such as VexTrio have used DNS as a TDS before, this discovery marks the first time CNAME records have been observed being used for that purpose.
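The detection angle that follows from the technique described above is that the DGA subdomains all collapse onto one canonical name. The script below is an added example written for this article (not Infoblox's tooling or indicators): it takes constructed passive-DNS style observations, follows each CNAME chain to its canonical name and A record, clusters owner names by that canonical name, and flags clusters that contain several short-lived, high-entropy labels. All names, addresses and day counts are hypothetical placeholders; the thresholds are assumptions to tune against your own data.

```python
import math
from collections import defaultdict

# Constructed passive-DNS style observations:
# (owner name, record type, rdata, first_seen_day, last_seen_day).
# Every name and address here is a hypothetical placeholder, not a real indicator.
RECORDS = [
    ("kz8t1q.invest-example.test", "CNAME", "b2.tds-example.test.", 1, 2),
    ("p0v3mw.invest-example.test", "CNAME", "b2.tds-example.test.", 2, 3),
    ("x7lq9a.invest-example.test", "CNAME", "b2.tds-example.test.", 3, 4),
    ("m4rj2z.invest-example.test", "CNAME", "b2.tds-example.test.", 4, 4),
    ("www.invest-example.test", "CNAME", "b2.tds-example.test.", 1, 60),
    ("b2.tds-example.test", "A", "203.0.113.10", 1, 60),
    ("blog.corp-example.test", "CNAME", "cdn.corp-example.test.", 1, 400),
    ("cdn.corp-example.test", "A", "198.51.100.7", 1, 400),
]


def _norm(name):
    """Canonicalise a DNS name: strip the trailing dot and lower-case it."""
    return name.rstrip(".").lower()


def build_tables(records):
    """Split observations into a CNAME map, an A-record map and a first/last-seen map."""
    cnames, addrs, seen = {}, defaultdict(list), {}
    for name, rtype, rdata, first, last in records:
        name = _norm(name)
        seen[name] = (first, last)
        if rtype == "CNAME":
            cnames[name] = _norm(rdata)
        elif rtype == "A":
            addrs[name].append(rdata)
    return cnames, addrs, seen


def resolve_chain(name, cnames, addrs, max_hops=10):
    """Follow CNAMEs to the canonical name and return it with its A records.

    A hop limit and a visited list guard against CNAME loops in dirty data.
    """
    name = _norm(name)
    visited = []
    while name in cnames and len(visited) < max_hops:
        if name in visited:
            break
        visited.append(name)
        name = cnames[name]
    return name, sorted(addrs.get(name, []))


def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label.

    Human-chosen labels ("www", "blog") score low; DGA output tends to score high.
    """
    if not label:
        return 0.0
    counts = {}
    for ch in label:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def flag_tds_candidates(records, min_members=3, max_lifetime_days=7, min_entropy=2.5):
    """Cluster CNAME owners by canonical name and flag clusters that look like a DGA-fed TDS.

    Thresholds are assumptions: a cluster is reported when at least min_members of its
    owners lived no longer than max_lifetime_days and have a leftmost label whose
    entropy is at least min_entropy bits per character.
    """
    cnames, addrs, seen = build_tables(records)
    clusters = defaultdict(list)
    for owner in cnames:
        canonical, _ = resolve_chain(owner, cnames, addrs)
        clusters[canonical].append(owner)

    findings = {}
    for canonical, members in clusters.items():
        dga_like = []
        for owner in members:
            first, last = seen[owner]
            short_lived = (last - first) <= max_lifetime_days
            noisy_label = label_entropy(owner.split(".")[0]) >= min_entropy
            if short_lived and noisy_label:
                dga_like.append(owner)
        if len(dga_like) >= min_members:
            _, ips = resolve_chain(canonical, cnames, addrs)
            findings[canonical] = {"ips": ips, "dga_like": sorted(dga_like)}
    return findings


if __name__ == "__main__":
    for canonical, info in flag_tds_candidates(RECORDS).items():
        print(f"{canonical} -> {info['ips']}: {len(info['dga_like'])} DGA-like owners")
```

On the constructed data the four six-character owners under invest-example.test are grouped onto b2.tds-example.test and reported, while the long-lived www and blog records are not. Pivoting on the canonical name rather than on the individual subdomain is the point: blocking the DGA names one by one never catches up, but the shared CNAME target and its A record are the stable part of the infrastructure.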
Victims who click the links embedded in the Facebook ads are asked to provide their name, email address and phone number, after which they are redirected to the fake trading platform to add funds to their wallets.
"An important detail to note is that the actor validates user information to exclude traffic from a predefined list of countries, including Ukraine, India, Fiji, Tonga, Zambia, Afghanistan and Moldova, although the reasoning for choosing these specific countries is unclear," Infoblox noted.
The development comes as Guardio Labs revealed that thousands of domains belonging to legitimate brands and institutions have been hijacked using a technique called CNAME takeover to spread spam campaigns.
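CNAME takeover starts with a record in your own zone that still points at a name nobody controls any more. The audit below is an added example, not Guardio Labs' research code: it walks a constructed zone export, resolves each CNAME target through a pluggable resolver, and reports the owners whose target no longer resolves so they can be removed or re-pointed. The zone contents and the table of names that "resolve" are hypothetical; for a live run the `live_resolves` helper wraps the standard-library lookup.

```python
import socket

# Constructed zone export for a hypothetical organisation; no real domains involved.
ZONE_CNAMES = {
    "shop.corp-example.test": "corp-shop.platform-example.test",
    "docs.corp-example.test": "docs-old.hosting-example.test",
    "status.corp-example.test": "corp.statuspage-example.test",
    "www.corp-example.test": "corp-example.test",
}

# Constructed stand-in for the resolver: names that currently resolve.
# docs-old.hosting-example.test is deliberately absent to model a decommissioned host.
KNOWN_RESOLVING = {
    "corp-shop.platform-example.test",
    "corp.statuspage-example.test",
    "corp-example.test",
}


def table_resolves(name):
    """Offline resolver used for the example: True if the target is in the constructed table."""
    return name.rstrip(".").lower() in KNOWN_RESOLVING


def live_resolves(name):
    """Real lookup via the system resolver; False when the name has no address."""
    try:
        socket.gethostbyname(name)
        return True
    except (socket.gaierror, UnicodeError):
        return False


def find_dangling(zone_cnames, resolves=table_resolves):
    """Return sorted (owner, target) pairs whose CNAME target does not resolve.

    A non-resolving target is the precondition for takeover: if the target name
    can be registered or claimed on a hosting provider by someone else, every
    owner in your zone that aliases it inherits that attacker's content.
    """
    dangling = []
    for owner, target in zone_cnames.items():
        if not resolves(target):
            dangling.append((owner, target))
    return sorted(dangling)


if __name__ == "__main__":
    for owner, target in find_dangling(ZONE_CNAMES):
        print(f"dangling: {owner} -> {target}")
```

Run periodically against a zone export, the check surfaces docs.corp-example.test in the constructed data; the remediation is to delete the record or point it at a host you still control, since the alias itself is what hands the hijacked name to whoever claims the target.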