Over 13,000 names and more than 8,000 domains that belong to real brands and institutions have been taken over as part of a complex plan to spread spam and make money from clicks.
Under the name SubdoMailing, Guardio Labs is keeping an eye on the planned bad behavior that has been going on since at least September 2022. The emails are “counterfeit package delivery alerts to outright phishing for account credentials.”
You may be interested in: Crafting A Robust Incident Response Plan
The Israeli security company said the campaign was run by a threat actor called ResurrecAds. This group is known to bring dead domains of big brands or those connected to them back to life in order to manipulate the digital advertising environment for bad reasons.
Nati Tal and Oleg Zaytsev, two security experts, told The Hacker News in a report that “ResurrecAds” runs a large infrastructure that includes many hosts, SMTP servers, IP addresses, and even private residential ISP connections, as well as many other owned domain names.
Particularly, the effort “leverages the trust associated with these domains to circulate spam and malicious phishing emails by the millions each day, cunningly using their credibility and stolen resources to slip past security measures.”
These sites belong to or are connected to well-known companies and brands, including ACLU, eBay, Lacoste, Marvel, McAfee, MSN, Pearson, PwC, Swatch, Symantec, The Economist, UNICEF, and VMware.
The campaign is notable for being able to get around normal security blocks. The whole thing was designed to look like an image to get around text-based spam filters, and clicking on it starts a chain of redirects through different domains.
“These redirects check your device type and geographic location, leading to content tailored to maximize profit,” the researchers said.
“This could be anything from an annoying ad or affiliate link to more deceptive tactics like quiz scams, phishing sites, or even a malware download aimed at swindling you out of your money more directly.”
Another important thing about these emails is that they can get around Sender Policy Framework (SPF), a method of email authentication that stops spoofing by making sure a mail server is allowed to send email for a certain address.
The emails pass more than just SPF checks. They also pass DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting, and Conformance (DMARC) checks, which help keep messages from being marked as spam.
Guardio showed an example of a fake email warning about cloud storage. The message came from an SMTP server in Kyiv but was marked as coming from [email protected].
A closer look at the DNS record for marthastewart.msn.com showed that the subdomain is linked to another domain (msnmarthastewartsweeps[.]com) by a CNAME record. This is an aliasing method that has been used by advertising tech companies to get around third-party cookie blocking in the past.
“This means that the subdomain inherits the entire behavior of msnmarthastewartsweeps[.]com , including its SPF policy,” the researchers stated. “In this case, the actor can send emails to anyone they wish as if msn[.]com and their approved mailers sent those emails!”
In this case, it’s important to note that both sites were real and briefly used in 2001, but then they were left inactive for 21 years. Namecheap didn’t open msnmarthastewartsweeps[.]com to the public until September 2022.
Another way that hacking is done is by threat actors searching for long-forgotten subdomains with CNAME records of expired domains and then registering them to take control of them.
CNAME-takeover can also be very bad if well-known names are used to host fake phishing landing pages that are meant to steal users’ login information. However, there is no proof that any of the subdomains that were taken over have been used for this.
Guardio also said that it had found cases where the DNS SPF record of a known domain held abandoned domains linked to old email or marketing services. This meant that attackers could take control of these domains, add their own IP addresses to the record, and then send emails as the main domain name.
Guardio has made a website called SubdoMailing Checker available so that domain administrators and site owners can look for signs of compromise. This is done to stop the danger and take down the infrastructure.
“This operation is meticulously designed to misuse these assets for distributing various malevolent ‘Advertisements,’ aiming to generate as many clicks as possible for these ‘ad network’ clients,” the researchers stated.
“Armed with a vast collection of compromised reputable domains, servers, and IP addresses, this ad network deftly navigates through the malicious email propagation process, seamlessly switching and hopping among its assets at will.”
MANAGED CYBERSECURITY SOLUTIONS
Rhyno delivers a range of activities that combine to fully protect your infrastructure and data from cybercriminals, anywhere and everywhere, 24/7/365.
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.