Savvy Seahorse Lures A/NZ Victims To Fake Investment Platforms Through Facebook Ads
Infoblox has today released a report unmasking for the first time Savvy Seahorse, a leading perpetrator of online cybercriminal investment scam websites. The threat actor has operated in the shadows since at least 2021 and its target victims include people in Australia and New Zealand (A/NZ).
Savvy Seahorse uses Facebook ads to lure victims into opening accounts, making deposits, and "investing" in companies including Tesla and Meta. Once funds are deposited, the gang transfers them to a bank in Russia. Its tactics, techniques, and procedures (TTPs) also include ChatGPT- and WhatsApp-based bots that imitate live webchat to reassure victims who inquire about the investment platforms.
In New Zealand, the Government has warned about ‘out-of-the-blue’ investment scams, which were a major contributor to the nearly NZ$200 million New Zealanders lost to scams in 2022. Meanwhile in Australia, the Australian Competition & Consumer Commission (ACCC) has reported investment scams were responsible for almost half of the A$3.1 billion Australians lost to scams in the same year.
As well as Australians and New Zealanders, Savvy Seahorse targets Russian, Polish, Italian, German, Czech, Turkish, French, and Spanish speakers, but deliberately, and for reasons that remain unclear, excludes traffic from Ukraine and a handful of other countries.
In the report, Infoblox details how the threat actor uses DNS Canonical Name (CNAME) records as a traffic distribution system (TDS): campaign domains are aliased into infrastructure the actor controls, which then routes internet users to scam websites that often mimic legitimate sites. This is the first time the cloud and networking security company has seen DNS used this way, and the technique has been a key factor in Savvy Seahorse's ability to remain hidden for so long.
“New Zealand and Australia have high disposable income per capita and there are many mum and dad investors looking to play the market,” said Renée Burton, Infoblox’s head of threat intelligence and a former senior executive with the U.S. National Security Agency (NSA).
“Threat actors like Savvy Seahorse see opportunity in this, and the advent of social media advertising gives these cybercriminals a cheap and easy way to flaunt their scam websites to millions of people. The old adage of ‘if it seems too good to be true...’ is important to remember. Knowing that criminals are out to steal from everyone, we all need to be extra vigilant when investing money or giving financial credentials through websites.”
Other findings and technical aspects from the report include:
- Savvy Seahorse uses dedicated hosting and changes its IP addresses regularly.
- Individual campaigns are short-lived (each subdomain is advertised for five to 10 days).
- The threat actor appears to use a phased deployment system in which the Canonical Name (CNAME) DNS record for a campaign domain changes depending on whether the campaign is currently active.
- It uses wildcard DNS entries, which answer queries for any subdomain that has not been explicitly defined. This lets Savvy Seahorse spin up a large number of independent campaigns quickly, but it also muddies passive DNS (pDNS) analysis, because every label anyone happens to query appears to resolve.
- Victims' personal data is sent to a secondary HTTP-based TDS server, which validates the information and applies geofencing to exclude Ukraine, India, Fiji, Tonga, Zambia, Afghanistan, and Moldova.
- The second HTTP-based TDS also tracks user IP and email addresses over time.
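The three DNS behaviours listed above (short-lived campaign subdomains funnelled into one CNAME target, a CNAME that switches when a campaign goes live, and wildcard zones that pollute passive DNS) are the kind of thing a defender can hunt for in their own pDNS data. The script below is an added example written for this article; it is not code from the Infoblox report, and every domain name, CNAME target and date in it is constructed sample data rather than a real Savvy Seahorse indicator. It assumes pDNS rows of the form (first_seen, last_seen, rrname, rrtype, rdata), and replaces a live DNS lookup with a fake resolver so it runs offline.

```python
"""Hunting for CNAME-based traffic distribution in passive DNS.

Added example, not from the Infoblox report. All names, targets and dates
below are constructed sample data, not real Savvy Seahorse indicators.
"""
import secrets
from collections import defaultdict
from datetime import date

# Constructed pDNS rows: (first_seen, last_seen, rrname, rrtype, rdata)
PDNS_ROWS = [
    # three unrelated campaign domains, each advertised for about a week,
    # all funnelled through one CNAME target that acts as the TDS entry point
    ("2024-01-03", "2024-01-09", "offer.alpha-invest.example", "CNAME", "tds.hub.example"),
    ("2024-01-11", "2024-01-18", "start.beta-capital.example", "CNAME", "tds.hub.example"),
    ("2024-01-20", "2024-01-27", "open.gamma-trade.example", "CNAME", "tds.hub.example"),
    # phased deployment: the same campaign name is parked, then switched to the live TDS
    ("2024-02-01", "2024-02-05", "join.delta-fund.example", "CNAME", "parked.hub.example"),
    ("2024-02-06", "2024-02-14", "join.delta-fund.example", "CNAME", "tds.hub.example"),
    # benign long-lived CNAMEs to a CDN; these must not be flagged
    ("2023-05-01", "2024-02-14", "www.legit-shop.example", "CNAME", "cdn.provider.example"),
    ("2023-05-01", "2024-02-14", "img.legit-shop.example", "CNAME", "cdn.provider.example"),
]


def parse_rows(rows):
    """Normalise raw pDNS tuples into dicts with real dates and lowercase names."""
    return [
        {
            "first": date.fromisoformat(first),
            "last": date.fromisoformat(last),
            "name": name.lower().rstrip("."),
            "type": rrtype,
            "rdata": rdata.lower().rstrip("."),
        }
        for first, last, name, rrtype, rdata in rows
    ]


def registrable(name):
    """Crude registrable-domain guess (last two labels). Production code should
    use the Public Suffix List so that e.g. example.co.uk is handled."""
    return ".".join(name.split(".")[-2:])


def cname_hubs(records, min_sources=3, max_lifetime_days=10):
    """Return {cname_target: sorted source names} for targets that receive
    short-lived CNAMEs from at least `min_sources` unrelated registrable domains.
    The 10-day default mirrors the five-to-10-day campaign lifetime in the report."""
    by_target = defaultdict(list)
    for r in records:
        if r["type"] == "CNAME" and (r["last"] - r["first"]).days <= max_lifetime_days:
            by_target[r["rdata"]].append(r["name"])
    return {
        target: sorted(set(names))
        for target, names in by_target.items()
        if len({registrable(n) for n in names}) >= min_sources
    }


def phased_names(records):
    """Names whose CNAME target changed over time, e.g. a parking target followed
    by the live TDS. Returns {name: [target, ...]} in first_seen order."""
    timeline = defaultdict(list)
    for r in records:
        if r["type"] == "CNAME":
            timeline[r["name"]].append((r["first"], r["rdata"]))
    return {
        name: [t for _, t in sorted(events)]
        for name, events in timeline.items()
        if len({t for _, t in events}) > 1
    }


def is_wildcard_zone(zone, resolve_cname, probes=2):
    """Active check for a wildcard: query labels nobody could have published.
    `resolve_cname(name)` returns a CNAME target or None; pass a real resolver
    in production. A wildcard answers every probe with the same target."""
    answers = set()
    for _ in range(probes):
        target = resolve_cname(f"{secrets.token_hex(8)}.{zone}")
        if target is None:
            return False
        answers.add(target)
    return len(answers) == 1


def fake_resolver(name):
    """Constructed stand-in for DNS: *.alpha-invest.example is a wildcard pointing
    at the TDS; legit-shop.example only answers for its explicit records."""
    explicit = {r["name"]: r["rdata"] for r in parse_rows(PDNS_ROWS) if r["type"] == "CNAME"}
    if name in explicit:
        return explicit[name]
    if name.endswith(".alpha-invest.example"):
        return "tds.hub.example"
    return None


if __name__ == "__main__":
    recs = parse_rows(PDNS_ROWS)
    for target, sources in cname_hubs(recs).items():
        print(f"TDS hub candidate {target}: {len(sources)} short-lived sources")
    for name, chain in phased_names(recs).items():
        print(f"phased CNAME on {name}: {' -> '.join(chain)}")
    for zone in ("alpha-invest.example", "legit-shop.example"):
        print(zone, "wildcard" if is_wildcard_zone(zone, fake_resolver) else "no wildcard")
```

The hub heuristic deliberately combines two signals, many unrelated parents and short record lifetimes, because either one alone produces false positives (CDNs and SaaS vendors collect thousands of long-lived CNAMEs). The wildcard probe is an active query and should only be run against infrastructure you are permitted to touch; its value for pDNS work is explaining why a single actor-controlled zone can appear to have hundreds of "campaign" labels that were never actually advertised.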
“Criminals use social engineering to fool people; it is their job, and they are very good at it,” added Burton. “While we might be surprised that people have their life savings stolen from them, we shouldn’t shame victims for being fooled. These criminals work very hard to create convincing platforms and stories. They prey on the hope we all have to catch a lucky break in life.”