Threat actor uses Facebook to lure victims, sends cash to Russia

A newly discovered threat actor called Savvy Seahorse creates fake investment platforms, lures in victims with the help of Facebook, and transfers the ill-gotten deposits to a Russian state-owned bank.

According to Infoblox’s threat intelligence group, which has published a new report on Savvy Seahorse, this Domain Name System (DNS) threat actor creates fake investment platforms where victims deposit funds, luring them in by spoofing well-known brands such as Tesla, Meta, and Imperial Oil, among others.

What’s more, the group uses Facebook ads to convince users to enroll in the fake platforms, and then transfers those deposits to a Russian state-owned bank.

According to Infoblox researchers, Savvy Seahorse’s campaigns are sophisticated and involve advanced techniques such as incorporating fake ChatGPT and WhatsApp bots that provide automated responses to users, urging them to enter personal information in exchange for alleged high-return investment opportunities.

The attackers have been targeting Russian, Polish, Italian, German, Czech, Turkish, French, Spanish, and English speakers. Mysteriously, the campaigns appear to specifically protect potential victims in Ukraine and a few other countries.

Savvy Seahorse abuses the DNS in an obscure way, Infoblox says. It leverages DNS canonical name (CNAME) records to build a traffic distribution system (TDS) for sophisticated financial scam campaigns.

As a result, Savvy Seahorse can control who has access to content and can dynamically update the IP addresses of malicious campaigns.

“This technique of using CNAMEs has enabled the threat actor to evade detection by the security industry,” says Infoblox, adding that Savvy Seahorse has been operating since at least August 2021.
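A CNAME-based TDS leaves a defender-visible fingerprint: many unrelated campaign domains fan in to the same CNAME hop, whose A record can be swapped at will. The following is an added detection example, not code from Infoblox or the report; the passive-DNS records and hostnames are constructed placeholders, and the `registered_domain` helper is a deliberately crude assumption.

```python
from collections import defaultdict

# Constructed passive-DNS style records for the demo (name, rrtype, value).
# All names are placeholders, not indicators from the Infoblox report.
RECORDS = [
    ("invest-tesla-offer.example", "CNAME", "tds-hub.example.net"),
    ("elon-project-ru.example", "CNAME", "tds-hub.example.net"),
    ("libra-earnings-pl.example", "CNAME", "tds-hub.example.net"),
    ("tds-hub.example.net", "CNAME", "edge-pool.example.org"),
    ("edge-pool.example.org", "A", "203.0.113.10"),
    ("shop.legit.example", "CNAME", "cdn.legit.example"),
    ("cdn.legit.example", "A", "198.51.100.5"),
]

def build_index(records):
    """Map each owner name to its (rrtype, value) pairs."""
    index = defaultdict(list)
    for name, rrtype, value in records:
        index[name.lower().rstrip(".")].append((rrtype, value))
    return index

def resolve_chain(name, index, max_hops=8):
    """Follow CNAMEs from `name`; return (cname_hops, a_records). Stops on loops/depth."""
    hops, seen, current = [], set(), name.lower()
    while current not in seen and len(hops) <= max_hops:
        seen.add(current)
        cnames = [v for t, v in index.get(current, []) if t == "CNAME"]
        if not cnames:
            return hops, [v for t, v in index.get(current, []) if t == "A"]
        current = cnames[0].lower()
        hops.append(current)
    return hops, []   # loop or too deep: treat as unresolved

def registered_domain(host):
    """Crude eTLD+1: last two labels (assumption; use a PSL library in production)."""
    return ".".join(host.split(".")[-2:])

def fan_in(names, index):
    """For every CNAME hop, the set of registered domains that route through it."""
    hubs = defaultdict(set)
    for name in names:
        hops, _ = resolve_chain(name, index)
        for hop in hops:
            hubs[hop].add(registered_domain(name))
    return hubs

def suspicious_hubs(names, index, min_domains=3):
    """CNAME targets shared by many unrelated registered domains: TDS candidates."""
    return sorted(h for h, d in fan_in(names, index).items() if len(d) >= min_domains)
```

Run over real passive-DNS or resolver logs, the hubs returned are pivot points: blocking or monitoring the shared CNAME target covers every lure domain that routes through it, regardless of which IP the actor rotates in next.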

The threat actor’s campaigns feature a variety of advanced lure techniques but they all follow a similar pattern, with the end goal of stealing the victim’s personal and financial information for monetary gain.

Once the user enters their personal details into fake registration forms embedded in equally fake web pages, they are redirected to a fake trading platform, which automatically sets up an account for them.

A fake trading platform set up by Savvy Seahorse. Courtesy of Infoblox

The user is then encouraged to add money to their “wallet” from a number of different sources including Visa/Mastercard, a crypto wallet, or Russian payment providers such as Qiwi and YooMoney.

Infoblox researchers say that the threat actor appears to be routing money to Sberbank, a major Russian state-owned bank.

Because Savvy Seahorse markets and distributes these campaigns via Facebook/Meta ads, all domains used in active campaigns make multiple connections to Facebook’s website. The actor even uses Meta Pixel, a legitimate tool, to track and optimize the performance of the ads.

Specific themes for Savvy Seahorse’s campaigns can vary widely, including lures spoofing legitimate companies such as Apple for investment opportunities and incorporating bots that impersonate WhatsApp, ChatGPT, and Tesla.

One of the most common themes that Savvy Seahorse has used throughout its operations involves “earning projects” or investment programs that claim the user has an opportunity to earn a specific amount of money if they register with their personal information.

Threat actors often employ a popular phishing campaign technique where they attempt to impersonate easily recognizable brands and companies to build trust with the user.

For instance, one Russian-language campaign spoofed Tesla and X by encouraging users to “join Elon Musk’s project” to receive €12,000 ($13,000) per month. Another encouraged Polish users to take part in the “Libra automatic earning project,” supposedly created by Mark Zuckerberg, the CEO of Meta.

It’s quite elaborate – but fake all the same. The US Federal Trade Commission reported recently that more money was lost to investment scams in the US during 2023 than to any other type of scam, totaling over $4.6 billion stolen from victims.
