'Savvy Seahorse' Hackers Debut Novel DNS CNAME Trick

A newly discovered threat actor, known as Savvy Seahorse, is orchestrating an investment scam by leveraging a sophisticated traffic distribution system (TDS) that exploits the Domain Name System (DNS). Savvy Seahorse impersonates reputable brands like Meta and Tesla through Facebook ads in multiple languages, enticing victims to create accounts on a fake investing platform. Once victims deposit funds, the money is routed to an account at a Russian state-owned bank. What sets Savvy Seahorse apart is its intricate infrastructure. It operates a TDS with thousands of constantly changing domains, all tied together by a Canonical Name (CNAME) record in DNS. This allows the TDS to seamlessly create and discard domains, making detection and takedowns challenging.

Security Officer Comments:
Unlike traditional TDS systems based on HTTP, which focus on capturing metadata, Savvy Seahorse's DNS-based approach flies under the radar. By exploiting CNAME records, Savvy Seahorse can rapidly scale and relocate its operations, evading shutdowns and detection efforts.

Despite its complexity, Savvy Seahorse's reliance on a single CNAME poses a vulnerability. Blocking the base domain associated with the CNAME can effectively neutralize the entire operation. While attackers could diversify their malicious networks with multiple CNAMEs, many opt for aggregation to avoid detection.

Suggested Corrections:
Infoblox has published indicators of activity which can be used to detect the Savy Seahorse campaign: