'Savvy Seahorse' Hackers Debut Novel DNS CNAME Trick

A newly discovered threat actor is running an investment scam through a cleverly designed traffic distribution system (TDS), which takes advantage of the Domain Name System (DNS) to keep its malicious domains ever-changing and resistant to takedowns.

"Savvy Seahorse" impersonates major brand names like Meta and Tesla — and, through Facebook ads in nine languages, lures victims into creating accounts on a fake investing platform. Once victims fund their accounts, the money is funneled to a presumably attacker-controlled account at a Russian state-owned bank.

It's a common sort of scam. According to the Federal Trade Commission (FTC), US consumers reported losing 4.6 billion dollars to investment scams in 2023 alone. That's nearly half of the $10 billion reported to have been lost to all forms of scams, making it the most profitable kind out there.

So what separates Savvy Seahorse from the pack is not the character of its ruse but, rather, the infrastructure supporting it.

As outlined in a new report from Infoblox, it operates a TDS with thousands of varied and fluid domains. What keeps the whole system together is a Canonical Name (CNAME) record, an otherwise bland property of DNS which it uses to ensure that, like the ship of Theseus, its TDS can continuously create new and shed old domains without really changing anything at all about the campaign itself.

TDS Attacks Supercharged via DNS

"We normally think of TDS as being in the HTTP world — a connection comes in, I fingerprint your device, and, based on your fingerprinting, I might send you to some malware or scam or I might deny service," explains Renée Burton, head of threat intelligence at Infoblox.

Indeed, entire cybercrime ecosystems have developed around HTTP-based TDS networks in recent years, such as the one operated by VexTrio. HTTP is preferred for all of the metadata it allows attackers to capture from victims: their browser, whether they're on mobile or desktop, and so on.

"Mostly we ignore TDSs," she continues, "and if we do pay attention, we think of it in this narrow framework. But what we have found over the last two and a half years is that, in reality, there's actually a whole concept of traffic distribution systems that actually just exist in DNS."

Indeed, Savvy Seahorse is not new — it's been operating since at least August 2021 — nor is it entirely unique — other groups perform similar DNS-based traffic distribution, but none have thus far been described in security literature. So how does this strategy work?

How Savvy Seahorse Abuses CNAME

In this case, it all comes down to CNAME records.

In DNS, CNAME allows for multiple domains to map to the same base (canonical) domain. For example, the base domain "darkreading.com" might have CNAME records for www.darkreading.com, darkreading.xyz, and many more subdomains. This basic function can help organize an otherwise large, unwieldy, and shifting group of domains owned by legitimate organizations and, evidently, cyberattackers alike.

As Burton explains, "What that CNAME record does for Savvy Seahorse, specifically, is it allows them to scale and move their operations really fast. So every single time someone shuts down one of their phishing sites — which happens pretty frequently, to a lot of them — all they have to do is move to a new one. They have mirrors [of the same content], essentially, all over, and they use the CNAME as the map to those mirrors."

The same works for IPs — should anybody try to shut down Savvy Seahorse's hosting infrastructure, they can just point their CNAME to a different address on a moment's notice. This enables it to not only be resilient, but evasive, advertising any one of its subdomains for only five to ten days on average (probably because it's so easy for them to swap them in and out).

CNAME also frees the threat actor to develop a more robust TDS from the outset.

How CNAME Changes the Game for Attackers & Defenders

Attackers tend to register all of their domains in bulk through a single registrar, and use a single Internet service provider (ISP) to manage them all, simply to avoid having to juggle too much at once. The downside (for them) is that this makes it easy for cyber defenders to discover all of their domains, via their common registration metadata.

Now consider Savvy Seahorse, which has utilized no less than 30 domain registrars and 21 ISPs to host 4,200 domains. No matter how many registrars, ISPs, or domains they use, in the end, they're all associated via CNAME with a single base domain: b36cname[.]site.

But there's a catch here, too. An Achilles' heel. CNAME is both Savvy Seahorse's lodestar, and its single point of failure.

"There are, like, 4,000 bad domain names, but there's only one bad CNAME," Burton points out. To defend against a group like Savvy Seahorse, then, can involve one incredibly effortful path, or one entirely easy one. "All you have to do is block the one base domain [which the CNAME points to] and, from a threat intelligence perspective, you get to kill everything with one blow."

There's no rule that says attackers can't build out malicious networks using many CNAMEs, Burton explains, but "mostly they do aggregate. Even in the very largest systems, we see them aggregate to a much smaller set of CNAMEs."

"Why?" she asks, "Maybe because they aren't getting caught."