
Savvy Seahorse Uses Facebook Ads to Run Investment Scams


A DNS-focused threat actor tracked as Savvy Seahorse has been observed using sophisticated techniques to lure victims onto fake investment platforms.

According to Infoblox researchers, the gang uses Facebook/Meta ads that promise high-return investment opportunities.

Victims are tricked into depositing funds and entering their personal and financial information into seemingly legitimate investment platforms that impersonate reputable brands such as Meta and Tesla. They were instructed to make their "investment" payments via Visa/Mastercard, a crypto wallet, or Russian payment providers such as Qiwi and YooMoney.

In addition, fake ChatGPT and WhatsApp bots generate automated responses that interact directly with potential victims and work to convince them.

The campaign is mainly directed at Russian, Polish, Italian, German, Czech, Turkish, French, Spanish, and English speakers. However, there were also victims from Ukraine, India, Fiji, Tonga, Zambia, Afghanistan, and Moldova.

The threat actors decide whether a visitor is redirected by running a series of validation checks on the information the user submits, such as IP address, geolocation, phone number, and email address.

Moreover, the group abuses the Domain Name System (DNS) in an unusual way: it uses DNS canonical name (CNAME) records to build a traffic distribution system (TDS) for its financial campaigns.

"As a result, Savvy Seahorse can control who has access to content and can dynamically update the IP addresses of malicious campaigns," Infoblox researchers said.

"This technique of using CNAMEs has enabled the threat actor to evade detection by the security industry; to our knowledge, this is the first report to focus on the use of CNAMEs as a TDS engineered for malicious purposes."
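The CNAME-based TDS described above gives defenders a pivot: every lure domain chains to the same operator-controlled name, so changing one A record moves the whole campaign, and grouping domains by the terminal name their CNAME chain reaches exposes the shared infrastructure. The following Python is an added illustration, not code from Infoblox or from the article; the DNS records, domain names, and IP addresses are constructed placeholders, and the `registrable()` helper is a crude last-two-labels approximation of a registrable domain (a real tool would use the Public Suffix List).

```python
"""Pivot on shared CNAME targets to expose a CNAME-based traffic distribution
system. All records below are constructed sample data, not real indicators."""
from collections import defaultdict

# Constructed sample DNS records: owner name -> (record type, target/value).
SAMPLE_RECORDS = {
    "invest-now.example": ("CNAME", "track.tds-example.net."),
    "meta-profits.example": ("CNAME", "track.tds-example.net."),
    "tesla-returns.example": ("CNAME", "lure.tds-example.net."),
    "lure.tds-example.net": ("CNAME", "track.tds-example.net."),   # hop inside the TDS zone
    "track.tds-example.net": ("A", "203.0.113.10"),                # the one record the operator edits
    "shop.legit-example.org": ("A", "198.51.100.5"),               # unrelated, no CNAME
    "loop-a.example": ("CNAME", "loop-b.example."),                # malformed loop, must not hang
    "loop-b.example": ("CNAME", "loop-a.example."),
}


def normalize(name):
    """Lower-case and strip the trailing dot so 'a.example.' equals 'a.example'."""
    return name.rstrip(".").lower()


def registrable(name):
    """Crude apex approximation (last two labels); good enough for the sample data."""
    return ".".join(normalize(name).split(".")[-2:])


def resolve_chain(name, records, max_hops=8):
    """Follow CNAMEs starting at `name`.

    Returns (chain, ip, status): chain is the list of names visited, ip the
    terminal A record (or None), status one of 'ok', 'loop', 'dangling',
    'too_long'. Loops and missing targets are handled rather than raising."""
    chain = [normalize(name)]
    seen = {chain[0]}
    current = chain[0]
    for _ in range(max_hops):
        rec = records.get(current)
        if rec is None:
            return chain, None, "dangling"
        rtype, target = rec
        if rtype == "A":
            return chain, target, "ok"
        current = normalize(target)
        if current in seen:
            return chain, None, "loop"
        seen.add(current)
        chain.append(current)
    return chain, None, "too_long"


def shared_cname_targets(records, min_domains=2):
    """Group every CNAME owner by the terminal name its chain ends at and keep
    the targets fed by at least `min_domains` distinct registrable domains that
    sit outside the target's own zone (intermediate hops are not lures)."""
    groups = defaultdict(set)
    for name, (rtype, _) in records.items():
        if rtype != "CNAME":
            continue
        chain, _, status = resolve_chain(name, records)
        if status != "ok":
            continue
        terminal = chain[-1]
        if registrable(name) == registrable(terminal):
            continue
        groups[terminal].add(normalize(name))
    return {t: sorted(n) for t, n in groups.items()
            if len({registrable(x) for x in n}) >= min_domains}


def retarget(records, terminal, new_ip):
    """Simulate the operator repointing the single A record every lure chains to;
    returns a new record set, leaving the input untouched."""
    updated = dict(records)
    updated[normalize(terminal)] = ("A", new_ip)
    return updated


if __name__ == "__main__":
    for target, lures in shared_cname_targets(SAMPLE_RECORDS).items():
        print(f"{target} is the terminal for {len(lures)} lure domains: {lures}")
    moved = retarget(SAMPLE_RECORDS, "track.tds-example.net", "203.0.113.99")
    for lure in ("invest-now.example", "tesla-returns.example"):
        before = resolve_chain(lure, SAMPLE_RECORDS)[1]
        after = resolve_chain(lure, moved)[1]
        print(f"{lure}: {before} -> {after} after editing one A record")
```

Running the block on the sample data reports `track.tds-example.net` as the common terminal for the three lure domains and shows that a single A-record change moves all of them, which is why blocking individual lure domains leaves the campaign intact while blocking or monitoring the shared CNAME target does not.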

Savvy Seahorse has been operational since at least August 2021, with short-lived individual campaigns lasting between 5 and 10 days. "Although participating domains are sometimes flagged by security tools, the greater infrastructure and actor behind them have gone undetected by the security industry," Infoblox revealed.
