Infoblox reveals the details of Savvy Seahorse in a new threat intel report. Savvy Seahorse is a DNS threat actor that has been deceiving victims into depositing funds into fraudulent investment platforms, falsely attributed to renowned entities such as Tesla, Meta, or Imperial Oil. To achieve this they used a variety of advanced lure techniques, such as fake chatbots, Meta Pixel tracking, and multiple payment processing domains.
The threat intel report, titled “Beware the Shallow Waters: Savvy Seahorse Lures Victims to Fake Investment Platforms Through Facebook Ads”, demonstrates how Savvy Seahorse uses a previously unreported technique of abusing the Domain Name System to distribute traffic for their scam campaigns and avoid detection. It provides a comprehensive analysis of Savvy Seahorse’s operations (that date back as early as August 2021), infrastructure, and techniques, as well as indicators of activity to help security professionals and organisations detect and block this threat actor.
Imagine you’re scrolling through Facebook and you see an ad for a new investment platform promising high returns. This is like seeing a sign for a new bank in town offering a great interest rate. You click on the ad and it takes you to a website that looks professional and trustworthy, just like walking into a sleek, modern bank branch.
This is where Savvy Seahorse comes in. They’re the ones who put up that ad and created that website. But unlike a legitimate bank, they’re not interested in helping you grow your money. They’re interested in stealing it.
Here’s how they do it:
- Fake Investment Platforms: Just like a fake bank might try to get you to deposit your money with them, Savvy Seahorse lures users into fake investment platforms. These platforms might look real, but they’re just a front for their scam.
- Personal Information: Once you’re on their platform, they’ll ask for your personal and financial information. It’s like a fake bank asking for your Social Security number and bank account details.
- Changing Tactics: Savvy Seahorse is sneaky. They change their IP addresses (like changing their physical location) and create multiple subdomains (like opening up multiple fake bank branches) to avoid getting caught.
Discussion about this post