Savvy Seahorse lures A/NZ victims to fake investment platforms through Facebook ads

Leading perpetrator of online investment scams, which cost Australians and New Zealanders billions of dollars, unmasked in new report.

Infoblox has released a report unmasking Savvy Seahorse as a leading operator of online investment scam websites.

The threat actor has operated in the shadows since at least 2021 and its target victims include people in Australia and New Zealand (A/NZ).

Savvy Seahorse uses Facebook ads to lure in victims and convince them to open accounts, make deposits and invest in companies including Tesla and Meta.

Once the funds are deposited, the cybercriminal gang transfers them to a bank in Russia.

Its tactics, techniques, and procedures (TTPs) also include ChatGPT and WhatsApp bots that imitate live webchats to encourage victims who inquire about the investment platforms.

In Australia, the Australian Competition & Consumer Commission (ACCC) has reported investment scams were responsible for almost half of the A$3.1 billion Australians lost to scams in 2022.

Meanwhile in New Zealand, the Government has warned about ‘out-of-the-blue’ investment scams, which were a major contributor to the near NZ$200 million New Zealanders lost to scams in the same year.

In the report, Infoblox details how the threat actor uses a specific type of domain name system (DNS) attack to map website domains and route Internet users via traffic distribution systems (TDS) to scam websites that often mimic legitimate sites.

This is the first time the cloud and networking security company has seen this approach – a key factor in Savvy Seahorse’s ability to remain hidden for so long.

“Australia and New Zealand have high disposable income per capita and there are many mum and dad investors looking to play the market,” said Renée Burton, Head of Threat Intelligence, Infoblox, and a former NSA senior executive.

Other findings from the report include:

  • Savvy Seahorse uses dedicated hosting and changes its IP addresses regularly.
  • Individual campaigns are short-lived (each subdomain is advertised for five to 10 days).
  • The threat actor appears to use a phased deployment system in which the Canonical Name (CNAME) – a type of DNS record – for a campaign domain will change based on whether it is currently active or not.
  • It uses ‘wildcard DNS’ entries, which match requests for non-existent domain names.
  • Victims’ personal data is sent to a secondary HTTP-based TDS server to validate the information and apply geofencing to exclude Ukraine, India, Fiji, Tonga, Zambia, Afghanistan and Moldova.
  • The second HTTP-based TDS also tracks user IP and email addresses over time.
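As an added illustration (not code from the Infoblox report or this article), the following Python hunts passive-DNS data for two of the DNS traits listed above: many short-lived names mapped by CNAME to one shared target, and a zone that answers for any label (wildcard DNS). All records, domain names and the resolver are constructed placeholders.

```python
from collections import defaultdict
from datetime import date
import secrets

# Constructed passive-DNS observations (placeholder names, not real indicators):
# (queried name, CNAME target, first seen, last seen)
PDNS = [
    ("promo1.campaign-a.test", "route.tds-zone.test", date(2024, 3, 1), date(2024, 3, 7)),
    ("promo2.campaign-a.test", "route.tds-zone.test", date(2024, 3, 8), date(2024, 3, 16)),
    ("offer.campaign-b.test", "route.tds-zone.test", date(2024, 3, 10), date(2024, 3, 15)),
    ("signup.campaign-c.test", "route.tds-zone.test", date(2024, 3, 12), date(2024, 3, 20)),
    ("www.bank.test", "cdn.bank.test", date(2023, 1, 1), date(2024, 3, 20)),
    ("shop.retail.test", "cdn.bank.test", date(2023, 6, 1), date(2024, 3, 20)),
]

def cluster_by_cname(records):
    """Group observed names by CNAME target: {target: [(name, lifetime_days)]}."""
    clusters = defaultdict(list)
    for name, target, first, last in records:
        clusters[target].append((name, (last - first).days + 1))
    return clusters

def suspicious_cname_targets(records, min_names=3, max_days=10):
    """CNAME targets fronting >= min_names names that each lived <= max_days.
    This is the report's pattern: many throwaway subdomains, one shared TDS target."""
    hits = {}
    for target, members in cluster_by_cname(records).items():
        short = sorted(n for n, days in members if days <= max_days)
        if len(short) >= min_names:
            hits[target] = short
    return hits

def is_wildcard_zone(zone, resolve, probes=3):
    """True if random, never-published labels under zone still resolve.
    resolve(name) -> list of answers, injected so this runs offline here."""
    for _ in range(probes):
        label = "probe-" + secrets.token_hex(6)
        if not resolve(f"{label}.{zone}"):
            return False
    return True

# Constructed resolver: the TDS zone answers any label, the bank zone only known names.
def fake_resolve(name):
    if name.endswith(".tds-zone.test"):
        return ["203.0.113.10"]
    return ["198.51.100.5"] if name in ("www.bank.test", "cdn.bank.test") else []

if __name__ == "__main__":
    print(suspicious_cname_targets(PDNS))  # {'route.tds-zone.test': [4 campaign names]}
    print(is_wildcard_zone("tds-zone.test", fake_resolve))  # True
```

Against real data, replace `fake_resolve` with a call to your resolver and feed records from your passive-DNS source; legitimate CDN fronting shows up as long-lived names and will not trip the lifetime filter.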

“Criminals use social engineering to fool people; it is their job, and they are very good at it,” said Burton. “While we might be surprised that people have their life savings stolen from them, we shouldn’t shame victims for being fooled. These criminals work very hard to create convincing platforms and stories. They prey on the hope we all have to catch a lucky break in life.”

Intelligent CIO APAC

View Magazine Archive