27 February 2024

Large-scale spam operation hijacks over 8K subdomains of trusted brands

Researchers at Guardio Labs have uncovered a sprawling cyber operation dubbed “SubdoMailing,” which has hijacked over 8,000 domains belonging to esteemed brands and institutions to disseminate massive volumes of spam and malicious phishing emails daily, effectively circumventing security measures.

The operation, which has been active for at least two years, involves the manipulation of thousands of hijacked subdomains affiliated with recognized brands like Marvel, Columbia, EasyJet, VMware, and others.

The attackers use various tactics to make their emails appear legitimate and evade security measures, including abusing the Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) protocols.

The threat actor employs methods such as CNAME hijacking and SPF record exploitation. In CNAME attacks, the threat actors identify subdomains with CNAME records pointing to unregistered external domains, which they then register themselves. Additionally, SPF-Takeover involves exploiting abandoned domains in SPF records, allowing the injection of malicious IPs using the legitimate domain name as the sender.
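Both weaknesses described above are detectable from a domain owner's own DNS data: a CNAME whose target name no longer exists, and an SPF `include:`/`redirect=` chain that references a domain nobody resolves any more. The script below is an added example, not code from Guardio Labs or from the article; it runs over a constructed DNS snapshot (`DNS_SNAPSHOT`) in which a name that is absent from the table stands in for an unregistered or lapsed domain (a simplification of a real NXDOMAIN or expired-registration check), and all domain names and addresses in it are invented. It also counts DNS-querying SPF terms against the 10-lookup limit of RFC 7208, since an over-long include chain is a common side effect of accumulated third-party senders.

```python
"""Audit a zone snapshot for dangling CNAMEs and abandoned SPF includes (offline)."""

# Constructed zone snapshot: name -> {record type: [values]}. Names missing from
# this table play the role of unregistered / abandoned domains.
DNS_SNAPSHOT = {
    "brand.example": {
        "TXT": ["v=spf1 include:_spf.mailer.example include:old-vendor.example "
                "ip4:203.0.113.0/24 -all"],
    },
    "_spf.mailer.example": {
        "TXT": ["v=spf1 ip4:198.51.100.0/24 include:_spf2.mailer.example -all"],
    },
    "_spf2.mailer.example": {"TXT": ["v=spf1 ip4:198.51.100.128/25 -all"]},
    "www.brand.example": {"CNAME": ["brand.example"]},
    # Hypothetical retired marketing site: the CNAME target was never re-registered.
    "promo.brand.example": {"CNAME": ["campaign.retired-agency.example"]},
}

SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: more than 10 DNS-querying terms is a permerror
LOOKUP_MECHANISMS = ("a", "mx", "ptr", "exists")


def resolve(snapshot, name, rtype):
    """Return the records of one type for a name, or None when the name is absent
    from the snapshot (the stand-in for NXDOMAIN / an unregistered domain)."""
    records = snapshot.get(name.lower().rstrip("."))
    if records is None:
        return None
    return records.get(rtype, [])


def spf_record(snapshot, domain):
    """Return the v=spf1 TXT record, "" if the domain exists without SPF, None if absent."""
    txts = resolve(snapshot, domain, "TXT")
    if txts is None:
        return None
    for txt in txts:
        if txt.lower().startswith("v=spf1"):
            return txt
    return ""


def find_dangling_cnames(snapshot):
    """List (name, target) pairs whose CNAME target has no records in the snapshot."""
    findings = []
    for name, records in snapshot.items():
        for target in records.get("CNAME", []):
            if resolve(snapshot, target, "A") is None:
                findings.append((name, target))
    return findings


def audit_spf(snapshot, domain):
    """Walk the include:/redirect= chain of `domain` and report dangling includes,
    included domains that publish no SPF, and the DNS-lookup term count."""
    state = {"lookups": 0, "dangling_includes": [], "no_spf": [], "over_limit": False}
    _walk(snapshot, domain, state, seen=set())
    return state


def _count_lookup(state):
    state["lookups"] += 1
    if state["lookups"] > SPF_LOOKUP_LIMIT:
        state["over_limit"] = True


def _walk(snapshot, domain, state, seen):
    if domain in seen:          # cycle protection for include loops
        return
    seen.add(domain)
    record = spf_record(snapshot, domain)
    if not record:
        return
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier; it does not affect lookups
        lower = term.lower()
        if lower.startswith("include:") or lower.startswith("redirect="):
            target = term[8:] if lower.startswith("include:") else term[9:]
            _count_lookup(state)
            if resolve(snapshot, target, "TXT") is None:
                state["dangling_includes"].append(target)   # the SPF-takeover precondition
            elif spf_record(snapshot, target) == "":
                state["no_spf"].append(target)
            else:
                _walk(snapshot, target, state, seen)
        elif lower.split(":")[0].split("/")[0] in LOOKUP_MECHANISMS:
            _count_lookup(state)


if __name__ == "__main__":
    for name, target in find_dangling_cnames(DNS_SNAPSHOT):
        print(f"dangling CNAME: {name} -> {target}")
    report = audit_spf(DNS_SNAPSHOT, "brand.example")
    print(f"SPF lookups: {report['lookups']} (over limit: {report['over_limit']})")
    for inc in report["dangling_includes"]:
        print(f"abandoned SPF include: {inc}")
```

Against the constructed snapshot the script flags `promo.brand.example` (its CNAME target does not exist) and `old-vendor.example` (included by SPF but absent), which are exactly the two conditions the article says were abused. To run it against live DNS, replace `resolve` with real TXT/CNAME/A queries and treat NXDOMAIN as the "absent" case; a lapsed-but-still-resolving registration additionally needs a registry or WHOIS check that this offline example does not model.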

Guardio Labs has attributed this campaign to a threat actor they track as “ResurrecAds,” who systematically scans the internet for vulnerable domains, purchasing domains, securing hosts and IP addresses, and meticulously executing the ongoing spam campaign. This indicates a high level of organization and technical sophistication.

“Central to their operation is the strategy of reviving ‘dead’ domains of or affiliated with big brands, using them as backdoors to exploit legitimate services and brands. This approach enables them to circumvent contemporary email protection measures, showcasing their adeptness at manipulating the digital advertising ecosystem for nefarious gains,” the researchers wrote.
