“Savvy Seahorse” Hackers Debut New CNAME DNS Trick

A newly discovered threat actor is running an investment scam through a cleverly designed traffic distribution system (TDS), which leverages the Domain Name System (DNS) to keep its malicious domains evolving and resistant to takedowns.

“Savvy Seahorse” impersonates major brands such as Meta and Tesla and, through Facebook ads in nine languages, lures victims into creating accounts on a fake investment platform. Once victims fund their accounts, the money is funneled into an account allegedly controlled by the attackers at a Russian state bank.

It is a common type of scam. According to the Federal Trade Commission (FTC), U.S. consumers reported losing $4.6 billion to investment scams in 2023 alone. That’s nearly half of the $10 billion reported lost to all forms of scams, making it the most profitable category around.

What sets Savvy Seahorse apart from the rest is not the character of its stratagem but, rather, the infrastructure that supports it.

As highlighted in a new report from Infoblox, it operates a TDS with thousands of diverse and fluid domains. What holds the whole system together is a Canonical Name (CNAME) record, an otherwise bland property of DNS that it uses to ensure that, like the ship of Theseus, its TDS can continually create new domains and delete old ones without actually changing anything about the campaign itself.

Enhanced TDS attacks via DNS

“We normally think of TDS as being in the HTTP world: a connection comes in, I guess your device, and based on your fingerprint, I could direct you to some malware or scam, or I could deny service,” explains Renée Burton, head of threat intelligence at Infoblox.

Indeed, in recent years entire cybercrime ecosystems have developed around HTTP-based TDS networks, such as the one managed by VexTrio. HTTP is preferred for all the metadata it allows attackers to acquire from victims: their browser, whether they are on mobile or desktop, and so on.

“For the most part we ignore TDS,” she continues, “and if we pay attention, we look at it in this narrow framework. But what we’ve discovered over the last two and a half years is that, in fact, there is a whole concept of distribution systems of traffic that actually only exist in DNS.”

Savvy Seahorse itself is nothing new – it has been operational since at least August 2021 – nor is it entirely unique: other groups perform similar DNS-based traffic distribution, but none have been described in the security literature so far. So how does this strategy work?

How Savvy Seahorse abuses CNAME

In this case, it all comes down to CNAME records.

In DNS, a CNAME record aliases one name to another, canonical name, so that many domains can map to the same base (canonical) domain. For example, the base domain “darkreading.com” might have CNAME records for www.darkreading.com, darkreading.xyz, and many other subdomains. This basic function helps organize an otherwise large, unwieldy, and ever-changing group of domains owned by legitimate organizations and, evidently, also by cyber attackers.

As Burton explains, “What the CNAME record does for Savvy Seahorse, in particular, is it allows them to scale and move their operations very quickly. So, every time someone shuts down one of their phishing sites, which happens quite frequently, many of them, all they have to do is move to a new one, they have mirrors [of the same content] essentially, everywhere, and they use the CNAME as a map to those mirrors.”

The same applies to IP addresses: if someone tries to take down Savvy Seahorse’s hosting infrastructure, the group can simply point the CNAME at a different address in an instant. This makes it not only resilient but also evasive: it advertises any given subdomain for only five to ten days on average (probably because swapping them in and out is so easy).

CNAME also allows the threat actor to develop a more robust TDS from the start.

How CNAME changes the game for attackers and defenders

Attackers tend to register all their domains in bulk through a single registrar and use a single Internet Service Provider (ISP) to manage them all, simply to avoid having to juggle too many things at once. The downside (for them) is that this makes it easy for cyber defenders to discover all their domains, via common registration metadata.

Now consider Savvy Seahorse, which used no fewer than 30 domain registrars and 21 ISPs to host 4,200 domains. No matter how many registrars, ISPs or domains they use, they are ultimately all associated via CNAME to a single base domain: b36cname[.]place.

But here too there is a problem. An Achilles’ heel. CNAME is both Savvy Seahorse’s north star and its only point of failure.

“There are about 4,000 incorrect domain names, but there is only one incorrect CNAME,” Burton points out. Defending against a group like Savvy Seahorse, therefore, can involve an incredibly tiring path, or a completely easy one. “All you have to do is block the one base domain [which the CNAME points to] and from a threat intelligence perspective, you can kill everything with one shot.”
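The two passages above (the CNAME mechanics, and the observation that thousands of lure domains collapse onto one base domain) are easy to turn into a defender’s check: follow each candidate domain’s CNAME chain to its terminal name and group the results by the registrable domain that chain ends at. The script below is an added illustration, not Infoblox’s tooling or anything from the report; it uses a constructed in-memory record table in place of live DNS so it runs offline. b36cname[.]place is the base domain named in the article; every other name is made up, and the two-label “registrable domain” shortcut is a simplification that a real tool would replace with the Public Suffix List. It also handles the failure modes a resolver cares about: CNAME loops and over-long chains.

```python
"""Cluster domains by the canonical name their CNAME chain lands on.

Added example (not from the article or Infoblox). The record table below is
constructed: only b36cname.place comes from the report; all other names are
invented. In practice, swap SAMPLE_CNAME_RECORDS for passive-DNS data or a
resolver that returns CNAME answers.
"""
from typing import Dict, List, Optional, Tuple

# Constructed data: name -> CNAME target. None means the name has no CNAME and
# resolves directly to an address, i.e. it is the end of the chain.
SAMPLE_CNAME_RECORDS: Dict[str, Optional[str]] = {
    "invest-meta-example.xyz": "edge1.b36cname.place",   # lure domain (invented)
    "tesla-profit-example.top": "edge2.b36cname.place",  # lure domain (invented)
    "edge2.b36cname.place": "edge1.b36cname.place",      # chain of two hops
    "edge1.b36cname.place": None,
    "www.legit-example.com": "cdn.legit-example.net",    # benign CNAME use
    "cdn.legit-example.net": None,
    "loop-a.example": "loop-b.example",                  # misconfigured loop
    "loop-b.example": "loop-a.example",
}

MAX_CHAIN_HOPS = 8  # resolvers cap chain length too; stop runaway chains

UNRESOLVABLE = "<unresolvable>"


def registrable_domain(name: str) -> str:
    """Simplified registrable domain: the last two labels.

    A production tool would consult the Public Suffix List so that names like
    example.co.uk are handled correctly.
    """
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def follow_cname(name: str, records: Dict[str, Optional[str]],
                 max_hops: int = MAX_CHAIN_HOPS) -> Tuple[str, List[str]]:
    """Walk the CNAME chain for `name`.

    Returns (terminal_name, chain). A name absent from `records` is treated as
    terminal (no CNAME known). Raises ValueError on a loop or an over-long chain.
    """
    chain = [name]
    seen = {name}
    current = name
    while True:
        target = records.get(current)
        if target is None:
            return current, chain
        if target in seen:
            raise ValueError(f"CNAME loop at {target}: {' -> '.join(chain)}")
        if len(chain) >= max_hops:
            raise ValueError(f"CNAME chain longer than {max_hops} hops: {chain}")
        chain.append(target)
        seen.add(target)
        current = target


def cluster_by_canonical(names: List[str],
                         records: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Group names by the registrable domain their CNAME chain ends at.

    Names whose chain cannot be resolved (loop, too long) go under UNRESOLVABLE
    so they are surfaced rather than silently dropped.
    """
    clusters: Dict[str, List[str]] = {}
    for n in names:
        try:
            terminal, _ = follow_cname(n, records)
            key = registrable_domain(terminal)
        except ValueError:
            key = UNRESOLVABLE
        clusters.setdefault(key, []).append(n)
    return clusters


def flag_by_base_domain(names: List[str], records: Dict[str, Optional[str]],
                        blocked_bases: set) -> List[str]:
    """Return (sorted) names whose CNAME chain lands in a blocked base domain.

    This is the 'block the one base domain' idea from the article applied to a
    list of candidates: one entry in `blocked_bases` covers every alias.
    """
    clusters = cluster_by_canonical(names, records)
    flagged = [n for base in blocked_bases for n in clusters.get(base, [])]
    return sorted(flagged)


if __name__ == "__main__":
    names = list(SAMPLE_CNAME_RECORDS)
    for base, members in cluster_by_canonical(names, SAMPLE_CNAME_RECORDS).items():
        print(f"{base}: {len(members)} name(s) -> {members}")
    print("flagged:", flag_by_base_domain(names, SAMPLE_CNAME_RECORDS, {"b36cname.place"}))
```

The clustering step is what makes the base domain visible: registrar and hosting diversity (30 registrars, 21 ISPs in the article) does nothing to hide the fact that the chains all end in the same place, and an unexpectedly large cluster of freshly registered names under one canonical domain is itself a signal worth reviewing.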

There’s no rule that says attackers can’t create malicious networks using many CNAMEs, Burton explains, but “they mostly aggregate. Even in larger systems, we see them aggregate into a much smaller set of CNAMEs.”

“Why?” she asks. “Maybe because they don’t get caught.”
