
Savvy Seahorse: The DNS-based Traffic Distribution System Undermining Cybersecurity

 

In the vast landscape of cyber threats, a new player named Savvy Seahorse has emerged, showcasing a distinctive modus operandi that sets it apart from its counterparts. While the investment scam it orchestrates is unfortunately commonplace, it's the intricate infrastructure supporting it that demands attention. 

Savvy Seahorse employs a sophisticated Traffic Distribution System (TDS), capitalizing on the Domain Name System (DNS) to perpetually alter its malicious domains, making takedowns a formidable challenge. This TDS, as detailed in a recent report by Infoblox, leverages Canonical Name (CNAME) records to maintain a fluid network of thousands of diverse domains. 

TDS networks have traditionally been HTTP-based; using DNS for this purpose is a novel approach that poses unique challenges for cybersecurity professionals. Renée Burton, Head of Threat Intelligence at Infoblox, emphasizes that DNS-based TDSs are often overlooked, with a prevailing focus on HTTP-based systems.

Savvy Seahorse has been operational since at least August 2021, operating in the shadows and evading conventional detection methods. The key to its success lies in its exploitation of CNAME records. In DNS, a CNAME record allows multiple domains to map to a single base (canonical) domain. This seemingly innocuous feature is manipulated by Savvy Seahorse to rapidly scale and relocate its operations.

When one phishing site is shut down, the threat actor effortlessly shifts to a new one, using CNAME records to point fresh domains at the same underlying site. The CNAME indirection also decouples the campaign domains from the hosting IP addresses: in the event of a hosting infrastructure shutdown, Savvy Seahorse can swiftly repoint the base domain to a different address, ensuring resilience and evading detection.

The attacker's ability to advertise any subdomain for a brief period further complicates tracking and takedown efforts. Crucially, CNAME serves as both Savvy Seahorse's strength and vulnerability. While the threat actor has cunningly utilized 30 domain registrars and 21 ISPs to host 4,200 domains, they all trace back to a single base domain: b36cname[.]site. This centralized link becomes Savvy Seahorse's Achilles' heel, presenting a unique opportunity for defenders. 

From a threat intelligence perspective, countering Savvy Seahorse involves a relatively straightforward approach – blocking the one base domain to which the CNAME points. Renée Burton notes that despite the existence of thousands of malicious domains, there's only one malicious CNAME. This single point of failure provides defenders with a potent strategy, allowing them to neutralize the entire threat with one decisive action. 
 
While attackers theoretically have the option to build malicious networks using multiple CNAMEs, Burton highlights a trend among cybercriminals to aggregate towards a smaller set of CNAMEs. This strategic choice, possibly driven by a desire to avoid detection, simplifies the task for defenders, who can focus efforts on a limited number of CNAMEs associated with the threat. 
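As an added illustration (not code from the original post or the Infoblox report), the following Python applies the observation above to DNS log data: it follows each CNAME chain to its base domain, clusters observed names by that base so a hub with many unrelated domains attached stands out, and flags every name whose chain terminates at b36cname[.]site. The log lines and the .example names are constructed for the demonstration.

```python
# Constructed sample resolver/passive-DNS log (not from the original post).
# One record per line: "<qname> <rrtype> <rdata>"; the .example names are made up.
SAMPLE_DNS_LOG = """\
invest-now-fast.example CNAME promo.invest-now-fast.example
promo.invest-now-fast.example CNAME b36cname.site
secure-profit-x.example CNAME b36cname.site.
b36cname.site A 203.0.113.10
legit-shop.example CNAME cdn.legit-shop.example
cdn.legit-shop.example A 198.51.100.7
loop-a.example CNAME loop-b.example
loop-b.example CNAME loop-a.example
"""

# Base (canonical) domain named in the Infoblox report discussed above.
MALICIOUS_BASE_DOMAINS = {"b36cname.site"}

def parse_records(log_text):
    """Map each queried name to (rrtype, rdata); trailing dots and case are normalised."""
    records = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        qname, rrtype, rdata = parts
        records[qname.rstrip(".").lower()] = (rrtype.upper(), rdata.rstrip(".").lower())
    return records

def resolve_base(name, records, max_hops=8):
    """Follow the CNAME chain from `name` and return the name it finally lands on.
    Stops at a non-CNAME record, an unknown name, a loop, or after max_hops."""
    seen = set()
    while name in records and records[name][0] == "CNAME":
        if name in seen or len(seen) >= max_hops:
            break  # CNAME loop or over-long chain: stop where we are
        seen.add(name)
        name = records[name][1]
    return name

def group_by_base(records):
    """Cluster every observed name under the base its CNAME chain ends on."""
    groups = {}
    for name in records:
        groups.setdefault(resolve_base(name, records), []).append(name)
    return {base: sorted(names) for base, names in groups.items()}

def flag_domains(log_text, bad_bases=MALICIOUS_BASE_DOMAINS):
    """Return {domain: base} for every name whose chain ends on a known-bad base."""
    records = parse_records(log_text)
    bases = {n: resolve_base(n, records) for n in records}
    return {n: b for n, b in bases.items() if b in bad_bases and n != b}
```

The same clustering, run over real passive-DNS data without a blocklist, is the hunting step: a base domain that thousands of freshly registered names resolve through is exactly the single point of failure the post describes.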

Savvy Seahorse's exploitation of DNS-based TDS with CNAME records presents a new frontier in cyber threats. The intricate dance between attackers and defenders highlights the importance of understanding and adapting to evolving tactics. As defenders fortify their strategies, the hope is to stay one step ahead of sophisticated threat actors like Savvy Seahorse, ensuring a safer digital landscape for individuals and organizations alike.

Australian Consumer Watchdog Reports Massive Surge of Crypto Use in Investment Scams

 

Australians’ losses from investment frauds surged 90% to AU$103 million from the start of the year to March 20, with the Australian Competition and Consumer Commission (ACCC) confirming payments to fraudsters are most often carried out in cryptocurrency. 

Consumer and Fair Trade Executive Managing Director Rami Greiss said that while the increase in the use of crypto follows its growing popularity, it has facets that lend themselves to being exploited by fraudsters. “It’s also the fact that it’s an unregulated product, so there are no controls. There are no institutions that can be roped in to assist. So really, it’s the fact that it’s the wild west,” Greiss explained.

"In relation to Scamwatch, we see a number of scams relating to investment schemes, and we are now seeing that the payments in relation to those are now more often by way of cryptocurrency than by way of bank transfer," Gina Cass-Gottlieb, the new president of the ACCC, stated.

According to the ACCC, it has received 66 reports of money recovery frauds this year on its Scamwatch website, a 725 percent increase compared to the same period in 2021. The commission also disclosed that fraudsters target previous scam victims by contacting them and posing as someone representing a trusted firm such as a law firm, fraud task force, or government agency.

Subsequently, the fraudsters ask victims to fill out fake paperwork or provide identity documents and seek upfront payments. They may request remote access to computers or smartphones, enabling them to scam their unsuspecting victims. Earlier this year, the Australian government announced it would design a crypto badge of approval to licence intermediaries such as exchanges.

Last week, Australia’s Financial Services Minister Jane Hume stated that the licence will include a "fit and proper person" test, and could include anti-hawking measures to prevent cold calling. Hume also explicitly ruled out a ban.

“Crypto values will go up and down sure as eggs, and the government will not be protecting consumers from market volatility—and nor should they,” she said. “But Australian investors will be sure that if they use a licensed Australian exchange, they can trust the exchange will deliver on its commitments to customers and have appropriate protections.”