
DNS Used to Hide Fake Investment Platform Schemes

Medium
Published: Thu Feb 19 2026 (02/19/2026, 15:26:29 UTC)
Source: AlienVault OTX General

Description

The Savvy Seahorse threat actor operates a sophisticated DNS-based campaign to lure victims into fake investment platforms via Facebook ads. They leverage DNS CNAME records to create a dynamic traffic distribution system that enables frequent IP address changes and evasion of detection. The campaign targets multiple languages and uses fake ChatGPT and WhatsApp bots to convince victims to create accounts and deposit funds, which are then transferred to Russian banks. The infrastructure includes approximately 4,200 base domains with CNAME records pointing to subdomains of b36cname[.]site. Campaigns are short-lived, typically lasting 5-10 days per subdomain, complicating detection and takedown efforts. This threat has been active since August 2021 and employs dedicated hosting to maintain operational security. The attack exploits DNS abuse and social engineering to facilitate financial fraud on a global scale.

AI-Powered Analysis

Last updated: 02/19/2026, 18:16:26 UTC

Technical Analysis

Savvy Seahorse is a financially motivated threat actor that employs advanced DNS abuse techniques to facilitate fake investment platform scams. The actor uses DNS CNAME records to implement a traffic distribution system, which allows them to dynamically update IP addresses associated with their malicious domains. This approach enables rapid infrastructure changes that evade traditional detection and blocking mechanisms. The campaign is propagated primarily through Facebook advertisements targeting users in multiple languages, increasing the scope and reach of the scam. Victims are engaged via fake ChatGPT and WhatsApp bots, which simulate legitimate interactions to build trust and convince users to create accounts and deposit funds. These funds are then funneled to Russian banks, indicating a financial fraud operation with a probable nexus to Russia. The infrastructure supporting these campaigns is extensive, with around 4,200 base domains using CNAME records linked to subdomains of b36cname[.]site. Each subdomain is used for a short duration of 5-10 days, complicating efforts to track and block the entire malicious infrastructure. The actor has been active since August 2021, using dedicated hosting services to maintain operational security and avoid attribution. The campaign leverages DNS abuse, domain generation algorithms, and social engineering tactics, combined with geofencing to target specific regions or language groups. This multi-faceted approach makes detection and mitigation challenging for defenders.

Potential Impact

Organizations and individuals worldwide face financial losses due to fraudulent investment schemes facilitated by this campaign. Financial institutions, especially those in Russia receiving illicit funds, are indirectly impacted by money laundering risks. Social media platforms like Facebook are exploited to distribute malicious ads, undermining user trust and platform integrity. The use of DNS abuse and dynamic infrastructure complicates detection and takedown efforts, increasing the persistence and reach of the scam. Victims suffer direct monetary loss and potential exposure of personal information when creating accounts on fake platforms. The campaign's multi-language targeting broadens its impact across diverse regions, increasing the global scale of financial fraud. Additionally, the frequent IP changes and short-lived domains strain cybersecurity teams' ability to maintain effective blocklists and threat intelligence. This threat also highlights vulnerabilities in DNS infrastructure and social media ad vetting processes, which can be exploited for large-scale scams.

Mitigation Recommendations

Organizations should implement advanced DNS monitoring solutions that can detect unusual CNAME record patterns and rapid IP address changes indicative of traffic distribution systems. Security teams should collaborate with social media platforms to identify and remove fraudulent advertisements promptly. Deploying threat intelligence feeds that track domain generation algorithms and known malicious domains like those linked to b36cname[.]site can improve proactive blocking. User education campaigns should focus on recognizing fake investment platforms and the risks of interacting with unsolicited ads or bots. Financial institutions should enhance transaction monitoring to detect suspicious deposits linked to fraudulent schemes. Implementing multi-factor authentication and transaction verification can reduce the risk of unauthorized fund transfers. Security operations centers (SOCs) should automate detection rules for short-lived domains and integrate DNS abuse indicators into their incident response workflows. Finally, cooperation with law enforcement and international partners is essential to disrupt the financial infrastructure supporting these scams.
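As an added example (not code from the report or from Infoblox), the following Python script applies the CNAME-pattern and short-lived-domain recommendations above to constructed passive-DNS rows. The rows, their dates, the pairing of base domains with b36cname.site subdomains, and the `offer-x` label are constructed for illustration; only the b36cname.site apex and the 5-10 day campaign lifetime come from the report.

```python
"""Flag CNAME-based traffic distribution (TDS) patterns in passive-DNS data.

Two signals, in priority order:
  1. CNAME target sits under a known TDS apex (high confidence).
  2. Short-lived CNAME whose target apex is shared by several base domains,
     the fan-in plus short-lifetime pattern the report describes (heuristic).
"""
from collections import defaultdict
from datetime import date

TDS_APEXES = {"b36cname.site"}   # apex named in the report
MAX_CAMPAIGN_DAYS = 10           # report: 5-10 days per subdomain

# Constructed passive-DNS rows: (name, rrtype, rdata, first_seen, last_seen).
SAMPLE_RECORDS = [
    ("capital-inwest.site", "CNAME", "land-nutra.b36cname.site", date(2026, 2, 1), date(2026, 2, 7)),
    ("mipinves.site", "CNAME", "land-nutra.b36cname.site", date(2026, 2, 2), date(2026, 2, 8)),
    ("ultra-vest.one", "CNAME", "offer-x.b36cname.site", date(2026, 2, 9), date(2026, 2, 14)),
    ("www.example.com", "CNAME", "example.com.cdn.example.net", date(2024, 1, 1), date(2026, 2, 19)),
    ("shop.example.org", "CNAME", "shop.example.org.hosting.example", date(2026, 2, 10), date(2026, 2, 12)),
    ("land-nutra.b36cname.site", "A", "203.0.113.10", date(2026, 2, 1), date(2026, 2, 8)),
]


def apex(name):
    """Registrable apex approximated as the last two labels (assumption: no public-suffix list)."""
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def flag_cname_tds(records, tds_apexes=TDS_APEXES, max_days=MAX_CAMPAIGN_DAYS, min_fan_in=2):
    """Return {base_domain: reason} for CNAME rows that match either TDS signal."""
    cnames = [r for r in records if r[1] == "CNAME"]
    fan_in = defaultdict(set)            # target apex -> set of base-domain apexes using it
    for name, _, rdata, _, _ in cnames:
        fan_in[apex(rdata)].add(apex(name))
    flags = {}
    for name, _, rdata, first, last in cnames:
        t_apex, lifetime = apex(rdata), (last - first).days
        if t_apex in tds_apexes:
            flags[name] = f"CNAME into known TDS apex {t_apex}"
        elif lifetime <= max_days and t_apex != apex(name) and len(fan_in[t_apex]) >= min_fan_in:
            flags[name] = f"short-lived ({lifetime}d) CNAME to {rdata}; {len(fan_in[t_apex])} apexes share target"
    return flags


if __name__ == "__main__":
    for domain, reason in flag_cname_tds(SAMPLE_RECORDS).items():
        print(f"{domain}: {reason}")
```

Passing `tds_apexes=set()` shows the second signal on its own: the three short-lived base domains sharing b36cname.site are still flagged, while the long-lived CDN record and the short-lived single-tenant hosting record are not.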


Technical Details

Author: AlienVault
TLP: white
References: https://www.infoblox.com/blog/threat-intelligence/beware-the-shallow-waters-savvy-seahorse-lures-victims-to-fake-investment-platforms-through-facebook-ads
Adversary: Savvy Seahorse
Pulse Id: 69972ba5880a6314482ad22a
Threat Score: null

Indicators of Compromise

Domain


Threat ID: 69974fe8d7880ec89b065c1d

Added to database: 2/19/2026, 6:01:12 PM

Last enriched: 2/19/2026, 6:16:26 PM

Last updated: 2/20/2026, 2:21:45 AM

