SubdoMailing phishing campaigns exploit the trust in major brands by hijacking their subdomains to flood inboxes with malicious emails.
Key Takeaways
- Over 8,000 domains and 13,000 subdomains belonging to well-known brands have been hijacked in a large spam and click-monetization scheme that Guardio Labs named SubdoMailing.
- The scam ranges from sending counterfeit package delivery alerts to phishing for account credentials, exploiting the stolen legitimacy of well-known brands to bypass security measures.
- The operation is linked to ResurrecAds, an entity that revives inactive domains of major brands to misuse the online advertising ecosystem, equipped with an extensive network of technological resources.
- The hijacked domains, affiliated with organizations like ACLU, eBay, and Marvel, are used to distribute millions of deceptive emails, capitalizing on their reputations to trick recipients.
- The campaign defeats content filters by rendering the entire email body as a single image that, when clicked, redirects through a chain of domains to scam ads, phishing pages, or malware; because the hijacked subdomains' SPF policies now authorize the attackers' servers, the messages also pass SPF (and, through SPF alignment, DMARC) checks instead of being flagged.
Over 8,000 domains and 13,000 subdomains of well-known brands have been hijacked in a complex scheme for spreading spam and generating revenue through clicks. Guardio Labs has been closely monitoring this operation, dubbed SubdoMailing, which has been active since September 2022. The messages range from fake package-delivery notifications to phishing attempts designed to steal login credentials.
The operation is attributed to a group Guardio calls ResurrecAds, which specializes in reviving lapsed domains once associated with major brands in order to abuse the online advertising ecosystem. ResurrecAds has built an extensive infrastructure to support its activity, including numerous hosts, SMTP servers, IP addresses, and even sending paths through residential ISP connections.
The campaign takes advantage of the credibility of these hijacked domains to send out millions of spam and phishing emails daily, evading security measures with ease. Among the compromised domains are those affiliated with well-known organizations such as ACLU, eBay, Lacoste, Marvel, and others, cleverly leveraging their reputation.
A notable tactic of this operation is its method to bypass conventional security measures by presenting the entire email content as an image, which, upon clicking, redirects through various domains based on the recipient’s device type and location, potentially leading to scam ads, phishing sites, or malware.
Moreover, these emails are not merely evading authentication checks; they pass them. Standard email authentication protocols such as SPF, DKIM, and DMARC see the hijacked subdomain as a legitimate sender, so the messages are not flagged as spam. In one example, a misleading cloud-storage alert was traced back to an SMTP server in Kyiv, yet it appeared to come from an MSN-associated subdomain because that subdomain's DNS records, and with them its SPF policy, resolved to a domain the attackers now controlled.
The hijacking works by scanning brand subdomains for DNS entries (a CNAME, or an SPF `include:` or `redirect=`) that still point at domains whose registration has lapsed. The attackers register those abandoned domains and publish SPF records authorizing their own mail servers. Because the brand's subdomain still defers to the abandoned domain, mail sent from that subdomain passes SPF, and a DMARC policy relying on SPF alignment passes with it, even though the brand never authorized the senders.
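The following script is an added example, not code from the original article or from Guardio Labs. It models the SPF-chain takeover described above against a constructed, offline zone file: `example-brand.com` subdomains that still point (via CNAME or `include:`) at `lapsed-vendor.example`, a hypothetical vendor domain whose registration has expired. The walker expands the SPF policy the way a receiving MTA would, reports every referenced name that no longer publishes SPF (the "dangling" names an attacker can register), and then shows that once the lapsed domain is re-registered with an attacker-controlled SPF record, the brand's subdomain authorizes the attacker's IP range. All names and addresses are fictitious.

```python
"""Audit SPF policies for dangling references that enable SubdoMailing-style hijacks.

Constructed example: zone data is an in-memory dict standing in for DNS so the
script runs offline. Only ip4/ip6, include: and redirect= terms are expanded;
a/mx/ptr/exists are ignored, which is enough to show the takeover mechanism.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Zone = Dict[str, Dict[str, object]]  # name -> {"TXT": [...]} or {"CNAME": target}

# --- Constructed zone, before the attacker acts ------------------------------
# lapsed-vendor.example has no records at all: its registration expired.
ZONE_BEFORE: Zone = {
    "promo.example-brand.com": {"TXT": ["v=spf1 include:spf.lapsed-vendor.example -all"]},
    "newsletter.example-brand.com": {"CNAME": "mail.lapsed-vendor.example"},
}

# --- Same zone after the attacker re-registers lapsed-vendor.example ---------
# The brand's records are untouched; only the lapsed domain's records changed.
ATTACKER_SPF = "v=spf1 ip4:203.0.113.0/24 -all"  # fictitious attacker range
ZONE_AFTER: Zone = dict(ZONE_BEFORE)
ZONE_AFTER["spf.lapsed-vendor.example"] = {"TXT": [ATTACKER_SPF]}
ZONE_AFTER["mail.lapsed-vendor.example"] = {"TXT": [ATTACKER_SPF]}


def follow_cname(zone: Zone, name: str, max_hops: int = 8) -> str:
    """Return the canonical name a resolver would end at.

    Stops at the first name with no records; an unresolvable CNAME target is the
    signature of a lapsed registration that someone else can pick up.
    """
    hops = 0
    while hops < max_hops and name in zone and "CNAME" in zone[name]:
        name = str(zone[name]["CNAME"])
        hops += 1
    return name


def get_spf(zone: Zone, name: str) -> Tuple[str, Optional[str]]:
    """Return (canonical name, SPF record). None when zero or multiple records exist."""
    canonical = follow_cname(zone, name)
    txts = zone.get(canonical, {}).get("TXT", [])
    spf = [t for t in txts if t.lower().startswith("v=spf1")]  # type: ignore[union-attr]
    return canonical, (spf[0] if len(spf) == 1 else None)


def walk_spf(zone: Zone, name: str, report: Optional[dict] = None,
             seen: Optional[set] = None) -> dict:
    """Expand the SPF policy of `name`.

    Collects every ip4/ip6 network it ultimately authorizes and every referenced
    name that publishes no SPF record. A real evaluator returns permerror on a
    dangling include; the audit cares about which name is dangling.
    """
    if report is None:
        report = {"networks": [], "dangling": [], "lookups": 0}
    if seen is None:
        seen = set()
    if name in seen:  # guard against include loops
        return report
    seen.add(name)

    canonical, record = get_spf(zone, name)
    if record is None:
        report["dangling"].append(canonical)
        return report

    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")) and qualifier == "+":
            report["networks"].append(ipaddress.ip_network(term[4:], strict=False))
        elif term.startswith("include:") and qualifier == "+":
            report["lookups"] += 1
            walk_spf(zone, term[len("include:"):], report, seen)
        elif term.startswith("redirect="):
            report["lookups"] += 1
            walk_spf(zone, term[len("redirect="):], report, seen)
        # "all" and unexpanded mechanisms contribute no networks here
    return report


def spf_authorizes(zone: Zone, name: str, sender_ip: str) -> bool:
    """Would a receiver accept `sender_ip` as an authorized sender for `name`?"""
    addr = ipaddress.ip_address(sender_ip)
    return any(addr in net for net in walk_spf(zone, name)["networks"])


def audit(zone: Zone, names: List[str]) -> Dict[str, List[str]]:
    """Map each brand name to the dangling names its SPF chain depends on."""
    return {n: walk_spf(zone, n)["dangling"] for n in names}


if __name__ == "__main__":
    brand = ["promo.example-brand.com", "newsletter.example-brand.com"]
    print("Dangling before takeover:", audit(ZONE_BEFORE, brand))
    for sub in brand:
        print(sub, "authorizes 203.0.113.7 after takeover:",
              spf_authorizes(ZONE_AFTER, sub, "203.0.113.7"))
```

Running the script against the constructed zone lists both lapsed names as dangling, and after the takeover both brand subdomains report the attacker's 203.0.113.7 as an authorized sender, without a single change to the brand's own DNS. To turn this into a real audit, replace the `zone` dict with TXT and CNAME lookups via a resolver library and treat every NXDOMAIN on a referenced name as a registration to reclaim or a record to delete.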
This malicious operation showcases the attackers’ ingenuity in utilizing compromised domains and infrastructure to distribute harmful content and manipulate clicks for profit.
"Amateurs hack systems, professionals hack people."
-- Bruce Schneier, a renowned computer security professional