Investment Scams

A new DNS threat actor dubbed Savvy Seahorse is leveraging sophisticated techniques to entice targets into fake investment platforms and steal funds.

"Savvy Seahorse is a DNS threat actor who convinces victims to create accounts on fake investment platforms, make deposits to a personal account, and then transfers those deposits to a bank in Russia," Infoblox said in a report published last week.

Targets of the campaigns include Russian, Polish, Italian, German, Czech, Turkish, French, Spanish, and English speakers, indicating that the threat actors are casting a wide net in their attacks.

Users are lured via ads on social media platforms like Facebook, while also tricking them into parting with their personal information in return for alleged high-return investment opportunities through fake ChatGPT and WhatsApp bots.


The financial scam campaigns are notable for using DNS canonical name (CNAME) records to create a traffic distribution system (TDS), thereby allowing threat actors to evade detection since at least August 2021.

A CNAME record is used to map a domain or subdomain to another domain (i.e., an alias) instead of pointing to an IP address. One advantage with this approach is that when the IP address of the host changes, only the DNS A record for the root domain needs to be updated.

Savvy Seahorse leverages this technique to its advantage by registering several short-lived subdomains that share a CNAME record (and thus an IP address). These specific subdomains are created using a domain generation algorithm (DGA) and are associated with the primary campaign domain.

The ever-changing nature of the domains and IP addresses also makes the infrastructure resistant to takedown efforts, allowing the threat actors to continuously create new domains or alter their CNAME records to a different IP address as their phishing sites are disrupted.

While threat actors like VexTrio have used DNS as a TDS, the discovery marks the first time CNAME records have been used for such purposes.

Victims who end up clicking the links embedded on Facebook ads are urged to provide their names, email addresses, and phone numbers, after which they are redirected to the bogus trading platform for adding funds to their wallets.

"An important detail to note is the actor validates the user's information to exclude traffic from a predefined list of countries, including Ukraine, India, Fiji, Tonga, Zambia, Afghanistan, and Moldova, although their reasoning for choosing these specific countries is unclear," Infoblox noted.

The development comes as Guardio Labs revealed that thousands of domains belonging to legitimate brands and institutions have been hijacked using a technique called CNAME takeover to propagate spam campaigns.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.