Cyber Security News

Savvy Seahorse Hackers Leverage DNS CNAME Records to Exploit Victims

Cybersecurity researchers unveiled a sophisticated scam operation, “Savvy Seahorse,” exploiting victims through advanced DNS manipulation techniques.

This operation, active since at least August 2021, has flown under the radar by leveraging DNS canonical name (CNAME) records to create a dynamic and elusive traffic distribution system (TDS) for financial scam campaigns.

A Novel Approach to Cybercrime

Savvy Seahorse’s campaigns are not your typical phishing attempts. They incorporate fake ChatGPT and WhatsApp bots that provide automated responses, luring victims into providing personal information under the guise of high-return investment opportunities.

These campaigns target a wide range of language speakers, including Russian, Polish, Italian, German, Czech, Turkish, French, Spanish, and English, while excluding potential victims in Ukraine and a few other countries.

The crux of Savvy Seahorse’s strategy lies in abusing the Domain Name System (DNS).

By leveraging CNAME records, the threat actor has developed a sophisticated TDS that allows for dynamic content delivery and IP address updates, making their malicious campaigns challenging to detect and shut down, infoblox researchers said.

This technique has enabled Savvy Seahorse to evade detection by the security industry, marking the first reported use of CNAMEs for such malicious purposes.

Sophisticated Scam Operations

Savvy Seahorse’s operations are meticulously planned and executed. The campaigns are primarily delivered through Facebook advertisements, enticing victims to fake investment platforms.

Savvy Seahorse’s operations Credit: infoblox

Once there, victims are tricked into funding their accounts with the promise of substantial returns.

The use of dedicated hosting and regular IP address changes, coupled with short-lived individual campaigns, makes tracking and combating these operations a formidable challenge.

The operation’s infrastructure is vast, with approximately 4.2k base domains linked through a single CNAME record to a subdomain of b36cname[.]site.

This setup allows Savvy Seahorse to quickly create independent campaigns, complicating passive DNS (pDNS) analysis and evading detection efforts, reads infoblox report.

The Role of CNAME in Cybersecurity

Using CNAME records for malicious purposes highlights a significant oversight in the cybersecurity industry’s understanding of DNS’s role in cybercrime.

CNAME records, which map one domain name to another, are a fundamental part of DNS that can be exploited to manage a large, shifting group of malicious domains efficiently.

This technique allows Savvy Seahorse to scale and move operations rapidly, presenting a moving target for cybersecurity defenses.

Implications and Defense Strategies

The discovery of Savvy Seahorse’s operations underscores the need for the cybersecurity community to reassess the role of DNS in cybercrime.

By understanding the tactics, techniques, and procedures employed by threat actors like Savvy Seahorse, cybersecurity professionals can develop more effective strategies to detect and disrupt such operations.

Blocking the base domain to which the CNAME records point could be a straightforward yet practical approach to mitigating the threat posed by this and similar operations.

In conclusion, the Savvy Seahorse campaign represents a significant evolution in cybercriminal tactics, leveraging DNS in ways previously unrecognized by the security industry.

As cybersecurity professionals work to counter these sophisticated threats, the importance of continuous research and adaptation in cybersecurity strategies has never been more evident.

You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are extremely harmful, can wreak havoc, and damage your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.


Divya is a Senior Journalist at Cyber Security news covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Volkswagen Hacked – Hackers Stolen 19,000 Documents From VW Server

Volkswagen, one of the world's leading automotive manufacturers, has fallen victim to a sophisticated hacking…

3 hours ago

Beware Of Fake MetaMask Android Apps That Steal Login Details

Threat actors exploit fake Android apps primarily for illicit reasons, such as stealing sensitive and…

5 hours ago

CrushFTP Zero-Day Could Allow Attackers To Gain Complete Server Access

CrushFTP disclosed a zero-day vulnerability (CVE-2024-4040) affecting versions below 10.7.1 and 11.1.0. The vulnerability allows…

5 hours ago

IBM QRadar XSS Flaw Let Attackers Arbitrary JavaScript Code

A significant vulnerability was detected in IBM QRadar Suite Software and Cloud Pak for Security,…

5 hours ago

Seedworm Hackers Exploit RMM Tools to Deliver Malware

The notorious hacking group Seedworm, also known as MuddyWater, has been found exploiting legitimate remote…

5 hours ago

WordPress Plugin Flaw Exposes 10k+ Websites to Cyber Attacks

A critical vulnerability in the WP Datepicker WordPress plugin was identified, affecting over 10,000 active…

6 hours ago