
Over 8,000 domains belonging to reputable brands have been seized for use in a large-scale spam operation.

Guardio Labs has discovered that over 8,000 domains and 13,000 subdomains belonging to legitimate brands and institutions have been hijacked in a coordinated, malicious campaign that has been ongoing since at least September 2022. Guardio Labs has named the campaign SubdoMailing; it is designed to push spam and generate clicks for monetization. The emails range from counterfeit package delivery alerts to outright phishing for account credentials.

The campaign has been attributed to a threat actor, ResurrecAds, known for “resuscitating” dead domains affiliated with big brands to manipulate the digital advertising ecosystem for nefarious gain. ResurrecAds manages an extensive infrastructure comprising various hosts, SMTP servers, IP addresses, private residential ISP connections, and numerous owned domain names.

These subdomains are affiliated with big brands and organizations such as ACLU, eBay, Lacoste, Marvel, McAfee, MSN, Pearson, PwC, Swatch, Symantec, The Economist, UNICEF, and VMware. The campaign leverages the trust associated with these domains to circulate spam and malicious emails by the millions daily, using their credibility and stolen resources to evade security measures.

The campaign is notable for bypassing standard security blocks: the entire email body is a single image, which defeats text-based spam filters. Clicking the image starts a series of redirections through different domains. These redirects check the device type and geographic location and lead to content tailored to maximize profit, ranging from an annoying ad or affiliate link to more deceptive tactics such as quiz scams, phishing sites, or even a malware download intended to trick the recipient out of their money.

Another crucial aspect of these emails is that they circumvent the Sender Policy Framework (SPF), an email authentication method designed to prevent spoofing by verifying that a mail server is authorized to send email on behalf of a given domain. The emails also pass DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting, and Conformance (DMARC) checks, the very controls that would otherwise cause such messages to be marked as spam.

Sometimes, the subdomains are linked to other domains using a CNAME record. Advertising companies have previously weaponized this aliasing technique to avoid third-party cookie blocking. This means that the subdomain inherits the entire behavior of the other domain, including its SPF policy. In this case, the actor can email anyone they wish, as if the domain and their approved mailers sent those emails.

The hijacking scheme entails the threat actors systematically scanning for long-forgotten subdomains with dangling CNAME records of abandoned domains and then registering them to take control of them. CNAME-takeover can also have serious consequences when such reputed subdomains are seized to host bogus landing pages designed to harvest users' credentials. However, no evidence exists that hijacked subdomains have been used for this purpose.
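The two preconditions described above, a subdomain whose CNAME target no longer resolves and a subdomain that inherits another domain's SPF senders through its CNAME, can be checked from a zone export. The following is an added example for domain administrators, not Guardio's checker nor code from the original post; it runs over a constructed DNS snapshot (all `.test` names are placeholders) instead of live lookups, so in practice the `SAMPLE_DNS` lookups would be replaced by real resolver queries.

```python
"""Offline audit for dangling CNAMEs and CNAME-inherited SPF authorization.
Constructed DNS snapshot stands in for live lookups; names under .test are
placeholders, not real domains."""
import re

# Constructed sample records: name -> list of (type, value)
SAMPLE_DNS = {
    "promo.brand.test": [("CNAME", "old-campaign.abandoned-vendor.test")],
    "news.brand.test": [("CNAME", "mailer.vendor.test")],
    "mailer.vendor.test": [("A", "192.0.2.10"),
                           ("TXT", "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.test -all")],
    "_spf.mailhost.test": [("TXT", "v=spf1 ip4:198.51.100.0/24 -all")],
}

def follow_cname(name, dns, max_hops=8):
    """Follow CNAME records; return (final name, whether it resolves)."""
    for _ in range(max_hops):
        targets = [v for t, v in dns.get(name, []) if t == "CNAME"]
        if not targets:
            return name, name in dns
        name = targets[0]
    return name, False  # loop or over-long chain: treat as unresolved

def spf_networks(name, dns, seen=None):
    """ip4 networks authorized by the SPF record that name resolves to,
    following CNAMEs and include: references recursively."""
    seen = set() if seen is None else seen
    name, _ = follow_cname(name, dns)
    if name in seen:
        return set()
    seen.add(name)
    rec = next((v for t, v in dns.get(name, [])
                if t == "TXT" and v.lower().startswith("v=spf1")), "")
    nets = set(re.findall(r"ip4:(\S+)", rec))
    for inc in re.findall(r"include:(\S+)", rec):
        nets |= spf_networks(inc, dns, seen)
    return nets

def audit(dns):
    """For each CNAME'd name: is its target dangling (a takeover candidate),
    and which sender networks does it inherit through the alias?"""
    report = {}
    for name, records in dns.items():
        if any(t == "CNAME" for t, _ in records):
            target, resolves = follow_cname(name, dns)
            report[name] = {"target": target, "dangling": not resolves,
                            "inherited_spf": sorted(spf_networks(name, dns))}
    return report

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_DNS).items():
        print(name, finding)
```

A name reported as `dangling` should have its CNAME removed (or its target re-registered by the owner) before anyone else can claim the target and inherit the brand's reputation.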

Guardio has made available a SubdoMailing Checker, a website that enables domain administrators and site owners to look for signs of compromise. The researchers said this operation is meticulously designed to misuse these assets for distributing various malevolent “advertisements,” aiming to generate as many clicks as possible for its “ad network” clients. Armed with a vast collection of compromised reputable domains, servers, and IP addresses, this ad network deftly navigates the malicious email propagation, seamlessly switching and hopping among its assets at will.


Deitasoft © 2024. All Rights Reserved.