
A new cybercriminal group called “SAVVY SEAHORSE” has emerged, employing a clever technique to create numerous fake and fraudulent investment websites. By abusing DNS services and CNAME records, these hackers can rapidly spin up deceptive domains that appear legitimate at first glance. 

The Deceptive DNS Trick 

Savvy Seahorse’s modus operandi revolves around the misuse of CNAME (Canonical Name) DNS records. A CNAME record aliases one domain name to another: a lookup of the alias is answered with the canonical name’s records, which lets many domains front the same web content. This group is leveraging that aliasing to rapidly create a vast number of fake domains that initially resolve to legitimate financial services websites. 

Here’s how the scheme works: The hackers first compromise a legitimate website, perhaps through a vulnerability or stolen credentials. They then create CNAME records that map their fake domains to the legitimate site. This way, when a victim visits one of the fraudulent domains, it initially loads the authentic website content, lending an air of legitimacy. 

(Image – https://thehackernews.com/2024/03/cybercriminals-using-novel-dns.html) 

The Bait and Switch 

However, after this initial redirection, the fake domains swap out the genuine content with their own malicious pages, often mimicking popular investment platforms or cryptocurrency exchanges. Unsuspecting visitors are then lured into providing sensitive information or funds, falling victim to phishing, credential theft, or outright financial fraud. 

The power of this technique lies in its ability to rapidly create countless deceptive domains that initially appear trustworthy. Savvy Seahorse can exploit CNAME records across multiple DNS providers, making the campaign challenging to detect and block comprehensively. 
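One defender-side way to surface the pattern described in the two passages above (fake domains aliased via CNAME to a target the operator controls, spread across DNS providers) is to follow each CNAME chain in passive-DNS or resolver logs to its final canonical name and look for fan-in: many distinct, recently observed domains that all collapse onto one target. The Python below is an added example written for this post, not code from the article or from Infoblox. The records, the names (all under the reserved .test and .example TLDs) and the allowlist of shared-hosting targets are constructed; the registrable-domain helper is a deliberate simplification that a real deployment would replace with a Public Suffix List lookup.

```python
# Added example: CNAME "fan-in" detection over constructed passive-DNS-style
# records. Not from the article or Infoblox; names and data are made up.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CnameRecord:
    name: str        # owner of the CNAME record (the queried name)
    target: str      # canonical name it aliases to
    first_seen: int  # day number the record was first observed (constructed)


# Constructed sample: five fresh "investment" domains aliased to one tracker,
# a second hop from the tracker to its edge host, and some benign aliases.
SAMPLE_RECORDS = [
    CnameRecord("www.quick-gold-profit.test", "go.tds-hop.test", 100),
    CnameRecord("www.crypto-yield-now.test", "go.tds-hop.test", 101),
    CnameRecord("app.safe-invest-pro.test", "go.tds-hop.test", 103),
    CnameRecord("www.ai-trader-bot.test", "go.tds-hop.test", 104),
    CnameRecord("www.oil-stock-edge.test", "go.tds-hop.test", 105),
    CnameRecord("go.tds-hop.test", "edge.tds-hop.test", 90),
    # benign fan-in: long-lived sites fronted by a (constructed) CDN provider
    CnameRecord("www.shop.example", "shop-example.cdn-provider.test", 10),
    CnameRecord("www.news.example", "news-example.cdn-provider.test", 12),
    # alias inside one organisation, not fan-in
    CnameRecord("mail.corp.example", "mx.corp.example", 5),
]

# Targets known to legitimately collect thousands of customer aliases (constructed).
KNOWN_SHARED_TARGETS = frozenset({"cdn-provider.test"})


def registrable_domain(name: str) -> str:
    """Last two labels of a name. Simplification: real code should consult the
    Public Suffix List so that e.g. 'co.uk' is not treated as a domain."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def resolve_chain(name: str, index: dict, max_hops: int = 8) -> list:
    """Follow CNAME aliases from `name`; returns every name visited, ending at the
    first name with no CNAME. Stops early on a loop or after max_hops aliases."""
    chain, seen, current = [name], {name}, name
    while current in index and len(chain) <= max_hops:
        nxt = index[current].target
        if nxt in seen:  # CNAME loop: misconfiguration, stop following
            break
        chain.append(nxt)
        seen.add(nxt)
        current = nxt
    return chain


def flag_fan_in(records, min_domains=4, window_days=30, allowlist=frozenset()) -> dict:
    """Return {target apex: sorted source apexes} for every target that at least
    `min_domains` distinct registrable domains alias to, where those domains were
    all first seen within `window_days` of each other and the target is not
    an allowlisted shared-hosting provider."""
    index = {r.name: r for r in records}  # one CNAME per owner name (per the RFC)
    clusters = defaultdict(dict)          # target apex -> {source apex: first_seen}
    for r in records:
        target_apex = registrable_domain(resolve_chain(r.name, index)[-1])
        source_apex = registrable_domain(r.name)
        if source_apex == target_apex:
            continue  # www -> apex style aliases are not fan-in
        prev = clusters[target_apex].get(source_apex)
        if prev is None or r.first_seen < prev:
            clusters[target_apex][source_apex] = r.first_seen
    flagged = {}
    for target_apex, sources in clusters.items():
        if target_apex in allowlist or len(sources) < min_domains:
            continue
        days = sources.values()
        if max(days) - min(days) <= window_days:
            flagged[target_apex] = sorted(sources)
    return flagged


if __name__ == "__main__":
    for target, sources in flag_fan_in(SAMPLE_RECORDS, allowlist=KNOWN_SHARED_TARGETS).items():
        print(f"{target}: {len(sources)} fresh domains alias here -> {sources}")
```

The recency window is what separates an abuse cluster from ordinary shared hosting: a CDN also has huge fan-in, but its customers appear over years, whereas a campaign registers its domains in a burst. Tune `min_domains` and `window_days` to the volume of your own resolver logs, and review flagged targets rather than blocking automatically, since a newly launched SaaS product can look the same on its first day.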

Staying Vigilant 

While the tactics employed by Savvy Seahorse are novel, the underlying goal is a familiar one: financial gain through deception and theft. Internet users must remain cautious when visiting investment-related websites, especially those reached through unsolicited links or advertisements. 

Cybersecurity experts recommend closely scrutinizing the URL and website content for any inconsistencies or red flags. Keeping software up to date, using reputable security solutions, and exercising caution with sensitive information can help mitigate the risks posed by groups like Savvy Seahorse. 

As this campaign demonstrates, cybercriminals are constantly evolving their methods, exploiting legitimate technologies in innovative ways to further their malicious objectives. Maintaining vigilance and following cybersecurity best practices is crucial for protecting oneself from these ever-evolving threats. 

Infoblox have created a YouTube clip which shows the deceptive advertising and signup processes being used, directing users to the fake trading platforms – https://www.youtube.com/watch?v=czZFDuA9T9w 

Related links: