New DNS Hijacking Technique Used in Investment Scams

admin · 2024-03-08 08:17:22 · 34 views · 3,309 characters · 11 min read

A new DNS threat actor dubbed Savvy Seahorse is leveraging sophisticated techniques to entice targets into fake investment platforms and steal funds.

"Savvy Seahorse is a DNS threat actor who convinces victims to create accounts on fake investment platforms, make deposits to a personal account, and then transfers those deposits to a bank in Russia," Infoblox said in a report published last week.

Targets of the campaigns include Russian, Polish, Italian, German, Czech, Turkish, French, Spanish, and English speakers, indicating that the threat actors are casting a wide net in their attacks.

Users are lured via ads on social media platforms like Facebook and are also tricked into parting with their personal information in return for alleged high-return investment opportunities offered through fake ChatGPT and WhatsApp bots.

The financial scam campaigns are notable for using DNS canonical name (CNAME) records to create a traffic distribution system (TDS), thereby allowing threat actors to evade detection since at least August 2021.

A CNAME record is used to map a domain or subdomain to another domain (i.e., an alias) instead of pointing to an IP address. One advantage with this approach is that when the IP address of the host changes, only the DNS A record for the root domain needs to be updated.

Savvy Seahorse leverages this technique to its advantage by registering several short-lived subdomains that share a CNAME record (and thus an IP address). These specific subdomains are created using a domain generation algorithm (DGA) and are associated with the primary campaign domain.

The ever-changing nature of the domains and IP addresses also makes the infrastructure resistant to takedown efforts, allowing the threat actors to continuously create new domains or alter their CNAME records to a different IP address as their phishing sites are disrupted.
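The CNAME-sharing pattern described above lends itself to a passive-DNS check: subdomains that resolve through the same alias, live only briefly and carry random-looking labels can be grouped by their CNAME target, and the target's A-record history then shows the IP rotation. The Python below is an added example, not code from Infoblox or the article; the hostnames, IP addresses and thresholds are constructed for illustration.

```python
import math
from collections import defaultdict

# Constructed passive-DNS sample: (name, type, target, first_seen_day, last_seen_day).
# These names and addresses are made up; they are not indicators from the report.
SAMPLE_RECORDS = [
    ("x7k2q9.invest-example.test", "CNAME", "track.example-tds.test", 1, 2),
    ("m3p8zq.invest-example.test", "CNAME", "track.example-tds.test", 2, 3),
    ("q0w4nb.invest-example.test", "CNAME", "track.example-tds.test", 3, 4),
    ("r5t1yj.invest-example.test", "CNAME", "track.example-tds.test", 4, 5),
    ("www.invest-example.test", "CNAME", "track.example-tds.test", 1, 400),
    ("track.example-tds.test", "A", "192.0.2.10", 1, 30),   # IP rotated on day 31
    ("track.example-tds.test", "A", "192.0.2.11", 31, 60),
    ("mail.corp-example.test", "CNAME", "mx.provider-example.test", 1, 800),
]

def shannon_entropy(label: str) -> float:
    """Bits of entropy per character; DGA-style labels score higher than words."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def cluster_by_cname(records):
    """Group CNAME-bearing names by the alias target they share: {target: [(name, lifetime_days)]}."""
    clusters = defaultdict(list)
    for name, rtype, target, first, last in records:
        if rtype == "CNAME":
            clusters[target].append((name, last - first))
    return clusters

def find_suspicious_clusters(records, min_members=3, max_lifetime_days=7, min_entropy=2.0):
    """Flag CNAME targets shared by several short-lived, high-entropy subdomains.

    Returns {target: {"dga_like": [names], "ips": [A records seen for the target]}}.
    """
    a_history = defaultdict(set)
    for name, rtype, target, *_ in records:
        if rtype == "A":
            a_history[name].add(target)
    findings = {}
    for target, members in cluster_by_cname(records).items():
        dga_like = [name for name, lifetime in members
                    if lifetime <= max_lifetime_days
                    and shannon_entropy(name.split(".")[0]) >= min_entropy]
        if len(dga_like) >= min_members:
            findings[target] = {"dga_like": sorted(dga_like), "ips": sorted(a_history.get(target, ()))}
    return findings
```

Run over real passive-DNS data the thresholds need tuning per environment; the long-lived `www` alias and the ordinary mail CNAME in the sample are left alone, while the four throwaway subdomains behind one alias are grouped with both IPs the alias has pointed at.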

While threat actors like VexTrio have used DNS as a TDS, the discovery marks the first time CNAME records have been used for such purposes.

Victims who end up clicking the links embedded on Facebook ads are urged to provide their names, email addresses, and phone numbers, after which they are redirected to the bogus trading platform for adding funds to their wallets.

"An important detail to note is the actor validates the user's information to exclude traffic from a predefined list of countries, including Ukraine, India, Fiji, Tonga, Zambia, Afghanistan, and Moldova, although their reasoning for choosing these specific countries is unclear," Infoblox noted.

The development comes as Guardio Labs revealed that thousands of domains belonging to legitimate brands and institutions have been hijacked using a technique called CNAME takeover to propagate spam campaigns.


References

[1]https://thehackernews.com/2024/03/cybercriminals-using-novel-dns.html


Originally published on the WeChat public account 知机安全: New DNS Hijacking Technique Used in Investment Scams