Scammers have been spotted using an unusual DNS-based scam to target victims in Australia and around the world. The threat actor, known as Savvy Seahorse, has been tricking victims into believing they are investing in a legitimate company before transferring the funds to a Russian account.
Researchers at IT security firm Infoblox have uncovered an investment scam operation that exploits functionality within the domain name system (DNS) to deceive its victims. The operation, whimsically dubbed Savvy Seahorse, uses DNS canonical name (CNAME) records to build its own traffic distribution system: the many campaign hostnames all point at a single name the actor controls, so changing that one name's IP address re-points the entire campaign infrastructure on the fly, making it easier for the campaign to evade detection. The scammers also use this technique to rapidly scale up campaigns, running multiple scams for 10 to 15 days and switching them on and off as needed.
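The CNAME-based traffic distribution system described above, modelled from a defender's side as an added example (not code from the article or from Infoblox). It runs over a constructed set of passive-DNS-style records and shows two things: how a single A-record change at the hub re-points every campaign host at once, and how a large "fan-in" of unrelated registered domains onto one CNAME target is the signal worth flagging. All domain names, IP addresses and dates are invented for the example, and the registered-domain helper is a deliberate simplification.

```python
from collections import defaultdict

# Constructed passive-DNS style records: (name, type, rdata, first_seen).
# Four unrelated "campaign" domains CNAME to one hub whose A record changes
# over time; one legitimate site CNAMEs to a CDN for contrast. All invented.
RECORDS = [
    ("invest-now.brand-a.test", "CNAME", "go.hub-tds.test", "2024-02-01"),
    ("fast-returns.brand-b.test", "CNAME", "go.hub-tds.test", "2024-02-02"),
    ("profit.brand-c.test", "CNAME", "go.hub-tds.test", "2024-02-03"),
    ("www.brand-d.test", "CNAME", "go.hub-tds.test", "2024-02-04"),
    ("go.hub-tds.test", "A", "192.0.2.10", "2024-02-01"),
    ("go.hub-tds.test", "A", "198.51.100.7", "2024-02-06"),  # hub re-pointed
    ("www.legit-shop.test", "CNAME", "cdn.example-cdn.test", "2024-02-01"),
    ("cdn.example-cdn.test", "A", "203.0.113.5", "2024-01-15"),
]


def registered_domain(name):
    """Naive registrable domain: last two labels. Real code should use the
    Public Suffix List; this simplification is an assumption of the example."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def cname_fan_in(records, min_domains=3):
    """Return {cname_target: sorted source names} for every target that
    receives CNAMEs from at least `min_domains` distinct registered domains.
    A CDN legitimately has fan-in too, so this is a triage signal, not proof."""
    sources = defaultdict(set)
    for name, rtype, rdata, _ in records:
        if rtype == "CNAME":
            sources[rdata].add(name)
    return {t: sorted(s) for t, s in sources.items()
            if len({registered_domain(n) for n in s}) >= min_domains}


def resolve(records, name, on_date, max_hops=8):
    """Follow the CNAME chain and return the A record in effect on `on_date`
    (latest A whose first_seen <= on_date), or None if nothing resolves.
    max_hops guards against CNAME loops in hostile data."""
    for _ in range(max_hops):
        cnames = [r for n, t, r, _ in records if n == name and t == "CNAME"]
        if cnames:
            name = cnames[0]
            continue
        a = sorted((d, r) for n, t, r, d in records
                   if n == name and t == "A" and d <= on_date)
        return a[-1][1] if a else None
    return None
```

Resolving any campaign host before and after 2024-02-06 shows every one of them moving to the new IP, while the hub is the only record that changed.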
The scams themselves promise easy investment and fast returns, often using familiar branding and designs from companies such as Meta and Tesla. However, once a victim invests funds, the money is swiftly transferred to a Russian bank. The scammers are targeting victims not only in Australia and New Zealand but also globally, operating in various languages including Russian, Polish, and Italian. Interestingly, the scam’s traffic distribution system can geofence its victims, excluding individuals from certain countries.
Renee Burton, Infoblox’s head of threat intelligence and a former senior executive with the US National Security Agency (NSA), believes that Australians are a prime target for such operations. Burton highlighted the high disposable income per capita in Australia and New Zealand, making them attractive targets for cyber criminals. She emphasized the need for vigilance when investing money or providing financial credentials through websites, especially with the prevalence of social media advertising used by these criminals.