April 24, 2026

DNS Africa Resource Center


'Savvy Seahorse' Hackers Debut Novel DNS CNAME Trick – Dark Reading

Petty scammers have figured out how to leverage a core function of DNS in order to maintain scalable, stealthy, pliable malicious infrastructure.
February 28, 2024
A newly discovered threat actor is running an investment scam through a cleverly designed traffic distribution system (TDS), which takes advantage of the Domain Name System (DNS) to keep its malicious domains ever-changing and resistant to takedowns.
"Savvy Seahorse" impersonates major brand names like Meta and Tesla — and, through Facebook ads in nine languages, lures victims into creating accounts on a fake investing platform. Once victims fund their accounts, the money is funneled to a presumably attacker-controlled account at a Russian state-owned bank.
It's a common sort of scam. According to the Federal Trade Commission (FTC), US consumers reported losing 4.6 billion dollars to investment scams in 2023 alone. That's nearly half of the $10 billion reported to have been lost to all forms of scams, making it the most profitable kind out there.
So what separates Savvy Seahorse from the pack is not the character of its ruse but, rather, the infrastructure supporting it.
As outlined in a new report from Infoblox, it operates a TDS with thousands of varied and fluid domains. What keeps the whole system together is a Canonical Name (CNAME) record, an otherwise bland property of DNS which it uses to ensure that, like the ship of Theseus, its TDS can continuously create new and shed old domains without really changing anything at all about the campaign itself.
"We normally think of TDS as being in the HTTP world — a connection comes in, I fingerprint your device, and, based on your fingerprinting, I might send you to some malware or scam or I might deny service," explains Renée Burton, head of threat intelligence at Infoblox.
Indeed, entire cybercrime ecosystems have developed around HTTP-based TDS networks in recent years, such as the one operated by VexTrio. HTTP is preferred for all of the metadata it allows attackers to capture from victims: their browser, whether they're on mobile or desktop, and so on.
"Mostly we ignore TDSs," she continues, "and if we do pay attention, we think of it in this narrow framework. But what we have found over the last two and a half years is that, in reality, there's actually a whole concept of traffic distribution systems that actually just exist in DNS."
Indeed, Savvy Seahorse is not new — it's been operating since at least August 2021 — nor is it entirely unique — other groups perform similar DNS-based traffic distribution, but none have thus far been described in security literature. So how does this strategy work?
In this case, it all comes down to CNAME records.
In DNS, a CNAME record makes one name an alias of another, canonical name, so many domains can map to the same base domain. For example, www.darkreading.com, darkreading.xyz, and many more names might each carry a CNAME record pointing to the base domain "darkreading.com". This basic function can help organize an otherwise large, unwieldy, and shifting group of domains owned by legitimate organizations and, evidently, cyberattackers alike.
As Burton explains, "What that CNAME record does for Savvy Seahorse, specifically, is it allows them to scale and move their operations really fast. So every single time someone shuts down one of their phishing sites — which happens pretty frequently, to a lot of them — all they have to do is move to a new one. They have mirrors [of the same content], essentially, all over, and they use the CNAME as the map to those mirrors."
The same works for IPs: should anybody try to shut down Savvy Seahorse's hosting infrastructure, they can simply repoint the canonical domain at a different address on a moment's notice. This makes the operation not only resilient but evasive, advertising any one of its subdomains for only five to ten days on average (probably because it's so easy for them to swap subdomains in and out).
CNAME also frees the threat actor to develop a more robust TDS from the outset.
Attackers tend to register all of their domains in bulk through a single registrar, and use a single Internet service provider (ISP) to manage them all, simply to avoid having to juggle too much at once. The downside (for them) is that this makes it easy for cyber defenders to discover all of their domains, via their common registration metadata.
Now consider Savvy Seahorse, which has used no fewer than 30 domain registrars and 21 ISPs to host 4,200 domains. No matter how many registrars, ISPs, or domains they use, in the end, they're all associated via CNAME with a single base domain: b36cname[.]site.
But there's a catch here, too. An Achilles' heel. CNAME is both Savvy Seahorse's lodestar, and its single point of failure.
"There are, like, 4,000 bad domain names, but there's only one bad CNAME," Burton points out. Defending against a group like Savvy Seahorse, then, can take one incredibly effortful path or one entirely easy one. "All you have to do is block the one base domain [which the CNAME points to] and, from a threat intelligence perspective, you get to kill everything with one blow."
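The detection idea Burton describes, as an added example that is not from the article or from Infoblox's report: walk each name's CNAME chain to the canonical domain it terminates at, cluster names by that terminus, and flag everything that lands on a blocked base domain. The records are constructed sample data (only the base domain b36cname.site is taken from the article; every other name and address is an invented placeholder), and the loop guard covers chains that never terminate.

```python
from collections import defaultdict

# Constructed sample records (not real DNS data). Each name maps to one record:
# ("CNAME", target) or ("A", address). b36cname.site is the base domain the
# article names; all other names and addresses here are invented placeholders.
SAMPLE_RECORDS = {
    "tesla-invest.example":       ("CNAME", "promo.tesla-invest.example"),
    "promo.tesla-invest.example": ("CNAME", "b36cname.site"),
    "meta-trade.example":         ("CNAME", "b36cname.site"),
    "news.legit.example":         ("CNAME", "cdn.legit.example"),
    "cdn.legit.example":          ("A", "198.51.100.7"),
    "b36cname.site":              ("A", "203.0.113.9"),
    "loop-a.example":             ("CNAME", "loop-b.example"),
    "loop-b.example":             ("CNAME", "loop-a.example"),
}

MAX_CHAIN = 8  # bound the walk so a looping or absurdly long chain cannot hang the scan


def canonical_name(name, records, max_hops=MAX_CHAIN):
    """Follow CNAME records from name to the canonical name at the end of the chain.

    Returns (canonical, hops). A chain that loops or exceeds max_hops returns
    (None, hops) so the caller can treat it as suspicious rather than crash.
    """
    seen = []
    while name not in seen and len(seen) < max_hops:
        seen.append(name)
        rtype, target = records.get(name, ("NONE", None))
        if rtype != "CNAME":          # reached an A record (or an unknown name)
            return name, len(seen) - 1
        name = target
    return None, len(seen)


def cluster_by_canonical(names, records):
    """Group names by the canonical domain their CNAME chains terminate at."""
    clusters = defaultdict(list)
    for n in names:
        canon, _ = canonical_name(n, records)
        clusters[canon].append(n)
    return dict(clusters)


def flagged_by_base_domain(names, records, blocked_base):
    """Return, sorted, the names whose chain ends at the blocked canonical domain."""
    return sorted(cluster_by_canonical(names, records).get(blocked_base, []))


if __name__ == "__main__":
    for canon, members in cluster_by_canonical(SAMPLE_RECORDS, SAMPLE_RECORDS).items():
        print(f"{canon or 'LOOP/UNRESOLVED'}: {members}")
```

In a real deployment the lookup would be a resolver query rather than a dict, and the clustering is what turns thousands of disposable names back into the single base domain worth blocking.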
There's no rule that says attackers can't build out malicious networks using many CNAMEs, Burton explains, but "mostly they do aggregate. Even in the very largest systems, we see them aggregate to a much smaller set of CNAMEs."
"Why?" she asks, "Maybe because they aren't getting caught."
Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" — an award-winning Top 20 tech podcast on Apple and Spotify — and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.