Savvy Seahorse gang uses DNS CNAME records to power investor scams
A threat actor named Savvy Seahorse is abusing Domain Name System (DNS) CNAME records to create a traffic distribution system (TDS) that powers financial scam campaigns.
Using DNS CNAME records as a TDS
Savvy Seahorse creatively uses Canonical Name records as a Traffic Distribution System for its operations, allowing threat actors to easily manage changes, such as performing IP rotation that enhances detection evasion.
A CNAME record is a DNS record that maps a domain or subdomain to another domain name instead of directly to an IP address.
Savvy Seahorse registers multiple subdomains for its attack waves that share a common CNAME record linking them to a primary/base campaign domain, for example, "b36cname[.]site."
Using domain generation algorithms, Savvy Seahorse creates and manages thousands of domains utilized in the CNAME TDS.
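Because every campaign subdomain points at the same base domain, the shared CNAME target is a pivot a defender can cluster on in resolver or passive-DNS logs. The sketch below is an added example, not taken from the original report; all domain names, IPs and the allowlist entry are constructed, and the "last two labels" registered-domain rule is a simplifying assumption.

```python
from collections import defaultdict

# Constructed sample passive-DNS rows: (query name, record type, record data).
SAMPLE_PDNS = [
    ("invest.aqzxk.example", "CNAME", "tds-base.example."),
    ("promo.bwtrl.example", "CNAME", "tds-base.example."),
    ("go.cmvye.example", "CNAME", "TDS-Base.example"),
    ("tds-base.example", "A", "192.0.2.10"),
    ("tds-base.example", "A", "192.0.2.77"),  # rotation is visible only on the base name
    ("www.shop.example", "CNAME", "edge.cdn.example."),
    ("blog.news.example", "CNAME", "edge.cdn.example."),
    ("cdn.media.example", "CNAME", "edge.cdn.example."),
    ("mail.corp.example", "A", "198.51.100.5"),
]

def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()

def registered_domain(name):
    # Assumption: naive "last two labels"; use a Public Suffix List in production.
    return ".".join(normalize(name).split(".")[-2:])

def cluster_by_cname(rows):
    """Map each CNAME target to the set of registered domains aliasing to it."""
    clusters = defaultdict(set)
    for qname, rtype, rdata in rows:
        if rtype.upper() == "CNAME":
            clusters[normalize(rdata)].add(registered_domain(qname))
    return clusters

def suspicious_targets(rows, min_domains=3, allowlist=frozenset()):
    """Return CNAME targets shared by >= min_domains unrelated registered domains.

    Shared hosting and CDNs look the same structurally, so known-good targets
    are passed in via the allowlist and the remainder goes to analyst review.
    """
    allowed = {normalize(t) for t in allowlist}
    return {
        target: sorted(domains)
        for target, domains in cluster_by_cname(rows).items()
        if target not in allowed and len(domains) >= min_domains
    }

def target_ips(rows, target):
    """List the A records seen for a CNAME target, to track its IP rotation."""
    want = normalize(target)
    return sorted(r for q, t, r in rows if t.upper() == "A" and normalize(q) == want)

if __name__ == "__main__":
    for tgt, doms in suspicious_targets(SAMPLE_PDNS, allowlist={"edge.cdn.example"}).items():
        print(tgt, doms, target_ips(SAMPLE_PDNS, tgt))
```

Blocking or alerting on the flagged CNAME target covers every aliasing domain at once, including ones registered after the rule was written.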
Savvy Seahorse promotes investment scams with lures written in English, Russian, Polish, Italian, German, French, Spanish, Czech, and Turkish, indicating the threat actor's global targeting scope.