SubdoMailing Exposé: Massive Domain Hijacking Campaign Used for Ad Fraud, Malvertising, Phishing Emails

Researchers at Guardio Labs have discovered a massive email ad fraud campaign based on thousands of hijacked domains and subdomains. Threat actors are carrying out SPF-hijacking to bypass spam security by leveraging legitimate domains to send millions of emails for malvertising and click scams for at least 16 months.

February 27, 2024

SubdoMailing Campaign
  • Researchers at Guardio Labs have discovered a massive email ad fraud campaign based on thousands of hijacked domains and subdomains.
  • Threat actors are leveraging legitimate domains to send millions of emails for malvertising and click scams.

As many as 8,000 internet domains and 13,000 subdomains, all legitimate, have been hijacked as part of the SubdoMailing campaign wherein attackers have been sending five million emails per day, according to Nati Tal and Oleg Zaytsev of Guardio Labs.

Under the malicious campaign, the threat actors have enumerated and impersonated multiple high-profile brands such as Marvel, PwC, The Economist, UNICEF, eBay, MSN, VMware, McAfee, Symantec, Lacoste, Swatch, Java, CBS, and more.

Malachi Walker, Security Advisor at DomainTools, told Spiceworks, “Online brand fraud costs companies over $1 trillion worldwide annually. Being the organization impersonated can also cause significant damage to its reputation. Companies that register a great number of specialized domains for temporary reasons, such as a marketing campaign, can expose themselves to the risk of those legitimate domains being compromised at the end of their lifecycle if they do not maintain the security settings.”

The attackers rely on the authority of these domains and subdomains to lend their malicious emails, often laden with ads, affiliate links, quiz scams, phishing sites, or malware, an air of legitimacy, enabling the emails to pass email authentication checks such as Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).

The attackers do this by scouring the web for subdomains of well-known brands whose forgotten CNAME records still point at abandoned domains, then re-registering those abandoned domains and thereby taking control of the subdomains.
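To make the dangling-CNAME and SPF-include mechanism concrete from the defender's side, here is an added audit script (not Guardio's tool or code from the article) that walks a domain's SPF include: chain over a constructed, in-memory DNS table and flags any include whose target, after following CNAMEs, no longer exists and is therefore registrable. All names (brand.example, old-campaign-host.example, etc.) are placeholders.

```python
"""Audit an SPF record for dangling include: / CNAME references.

Constructed, in-memory DNS data stands in for live lookups so the
example runs offline; names ending in .example are placeholders.
"""
import re

# Constructed zone data: each name maps to its TXT (SPF) and CNAME records.
# None means the name does not exist (NXDOMAIN), i.e. it is free to register.
DNS = {
    "brand.example": {"txt": "v=spf1 include:_spf.mailer.example include:promo.brand.example -all"},
    "_spf.mailer.example": {"txt": "v=spf1 ip4:192.0.2.0/24 -all"},
    "promo.brand.example": {"cname": "old-campaign-host.example"},
    "old-campaign-host.example": None,  # expired: the dangling target
}

MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying mechanisms per evaluation
LOOKUP_MECH = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?:[:=](.+))?$")


def resolve(name):
    """Follow CNAMEs; return (final_name, record_dict or None if NXDOMAIN)."""
    seen = set()
    while name not in seen:
        seen.add(name)
        rec = DNS.get(name)
        if rec is None or "cname" not in rec:
            return name, rec
        name = rec["cname"]
    return name, None  # CNAME loop: treated as unresolvable


def audit_spf(domain, findings=None, lookups=0, depth=0):
    """Walk include:/redirect= chains; report targets that no longer resolve."""
    findings = [] if findings is None else findings
    final, rec = resolve(domain)
    if rec is None:
        findings.append(f"DANGLING: {domain} -> {final} does not exist (registrable)")
        return findings, lookups
    spf = rec.get("txt", "")
    if not spf.startswith("v=spf1"):
        return findings, lookups
    for mech in spf.split()[1:]:
        m = LOOKUP_MECH.match(mech)
        if not m:
            continue  # ip4/ip6/all need no DNS lookup
        lookups += 1
        if m.group(1) in ("include", "redirect") and m.group(2):
            findings, lookups = audit_spf(m.group(2), findings, lookups, depth + 1)
    if depth == 0 and lookups > MAX_LOOKUPS:
        findings.append(f"PERMERROR: {lookups} lookups exceed the limit of {MAX_LOOKUPS}")
    return findings, lookups
```

Swapping the DNS dict for real resolver calls turns this into a periodic check that any domain you still authorize in SPF is one you still control.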

SubdoMailing Campaign Domain Hacking

Source: Guardio Labs


After exploiting CNAME and hijacking SPF, the threat actors send mass emails through SMTP servers they host based on the hijacked subdomains. “The threat actors are using clever tactics utilizing known but rarely used aspects of subdomains at a scale we have not seen before,” Max Gannon, Cyber Intelligence Analysis Manager at Cofense, told Spiceworks.

“We know that it is possible to exploit an SPF record to authorize a malicious email server, but the amount of effort required is usually not something threat actors are willing to invest in. This takes a fair amount of knowledge that normal threat actors simply don’t have.”

The sophistication of the campaign is also evident from the fact that the attackers use image-based emails to bypass text-based spam filters and that, if the target clicks the link, they are redirected through a series of domains that determine their location and device type in order to deliver tailored content for maximum results.

ResurrecAds Ecosystem

Source: Guardio Labs

The researchers attributed the SubdoMailing campaign, which has been ongoing since September 2022, to ResurrecAds. “The evidence we’ve gathered points to the likelihood of a single main threat actor behind this extensive operation,” the researchers noted.

“This entity appears to be systematically scanning the internet for vulnerable domains, identifying opportunities, purchasing domains, securing hosts and IP addresses and then meticulously orchestrating the ongoing campaign of email dissemination. This involves a vast network of both hijacked and deliberately acquired domain and IP assets, indicating a high level of organization and technical sophistication in maintaining this broad scale of operations.”

SubdoMailing Campaign Reach and Impact

SubdoMailing Campaign by the Numbers

Source: Guardio Labs

Check whether ResurrecAds has victimized your domain with Guardio Labs’ SubdoMailing checker tool.

“Security teams can combat this by noting all domains their organizations are registering, identifying if domains intend to be temporarily or permanently registered by those looking to create these domains for the organization, and monitoring for when domains are becoming active in their most recent lifecycle,” Walker added.

“Some large organizations have found success by ordering all domains they manage from newest listed to oldest to help identify any unusual activity.”

What can organizations do to avoid SPF hijacking? Share with us on LinkedIn, X, or Facebook. We’d love to hear from you!

Image source: Shutterstock


Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis

An earnest copywriter at heart, Sumeet is what you'd call a jack of all trades, rather techs. A self-proclaimed 'half-engineer', he dropped out of Computer Engineering to answer his creative calling pertaining to all things digital. He now writes what techies engineer. As a technology editor and writer for News and Feature articles on Spiceworks (formerly Toolbox), Sumeet covers a broad range of topics from cybersecurity, cloud, AI, emerging tech innovation, hardware, semiconductors, et al. Sumeet compounds his geopolitical interests with cartophilia and antiquarianism, not to mention the economics of current world affairs. He bleeds Blue for Chelsea and Team India! To share quotes or your inputs for stories, please get in touch on sumeet_wadhwani@swzd.com