A large-scale ad fraud campaign dubbed "SubdoMailing" is abusing more than 8,000 legitimate Internet domain names and 130,000 subdomains to send spam in bulk, up to 5 million emails per day, which is used to monetize scams and malvertising.
Among the organizations whose domain names have been hijacked are well-known brands such as MSN, VMware, McAfee, The Economist, Cornell University, CBS, NYCGOV, PwC, Pearson, United Nations Children**, American Civil Liberties Union, Symantec, J**Anet, Marvel, and eBay, among others.
Malicious emails sent from the domains and subdomains of these well-known brands can bypass spam filters. In addition, the attackers abuse SPF and DKIM so that secure email gateways classify these emails as legitimate.
By spotting anomalous patterns in email metadata, researchers Nati Tal and Oleg Zaytsev at Guardio Labs uncovered this massive subdomain hijacking operation and reported that the campaign has been running since 2022.
A case study of spam sent via a misdelegated MSN subdomain shows that the attackers combine several techniques to make emails appear legitimate and evade detection and filtering, including abusing SPF (Sender Policy Framework) checks, DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance).
Combined tactics used by SubdoMailing to hijack domains and send spam (source: Guardio Labs)
SubdoMailing hijacks the domains and subdomains of reputable businesses primarily through two methods: dangling CNAME records and SPF records.
In the CNAME attack, the attacker scans for subdomains of well-known brands whose CNAME records point to external domains that are no longer registered. The attacker then registers those lapsed domains themselves through the Namecheap service.
Exploiting a dangling CNAME record to hijack a subdomain (source: Guardio Labs)
The second method hijacks domains through SPF records. The "include:" option of an SPF record imports the list of authorized email senders from an external domain. The attacker first looks for a target domain whose SPF record contains an "include:" pointing at an external domain whose registration has expired.
The attacker then registers that lapsed external domain and publishes an SPF record for it that authorizes their own malicious email server, while using the hijacked domain as the sender address. As a result, the attacker's emails appear to legitimately originate from a reputable domain name.
Hijacking a domain through a lapsed SPF "include:" target (source: Guardio Labs)
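The two hijack paths just described (a subdomain whose CNAME points at an unregistered domain, and an SPF "include:" or "redirect=" target that no longer resolves) can be audited from the defender's side with the following script. It is an added example, not Guardio Labs' tool or any code from the article: the ZONE, CNAMES and REGISTERED tables are constructed stand-ins for DNS and RDAP/WHOIS data, every hostname in them is a placeholder, and the registrable-domain cut is a deliberate simplification (real code should use the Public Suffix List). It also counts DNS-querying SPF terms against the RFC 7208 limit of 10, since a record that exceeds it fails evaluation and is a separate way for sender authentication to silently stop working.

```python
"""Audit a zone for dangling CNAME targets and dangling SPF include targets.

Added example, not Guardio Labs' checker. ZONE / CNAMES / REGISTERED are
constructed stand-ins; replace lookup_txt, lookup_cname and is_registered
with real resolver and RDAP queries to run this against your own zones.
"""
import re

# Constructed fake DNS TXT data. None means the name does not resolve (NXDOMAIN).
ZONE = {
    "example.com": "v=spf1 include:_spf.mailvendor.example include:old-vendor.example -all",
    "_spf.mailvendor.example": "v=spf1 ip4:192.0.2.0/24 include:spf2.mailvendor.example ~all",
    "spf2.mailvendor.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "old-vendor.example": None,  # lapsed vendor: whoever registers it controls its SPF
}

# Constructed CNAME records for subdomains of the audited zone.
CNAMES = {
    "promo.example.com": "campaign.lapsed-cdn.example",
    "www.example.com": "edge.cdn-provider.example",
}

# Constructed stand-in for an RDAP/WHOIS "is this registrable domain taken?" query.
REGISTERED = {"example.com", "mailvendor.example", "cdn-provider.example"}

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying terms


def lookup_txt(name):
    """Stand-in resolver: SPF TXT record for name, or None for NXDOMAIN."""
    return ZONE.get(name)


def lookup_cname(name):
    """Stand-in resolver: CNAME target for name, or None if no CNAME."""
    return CNAMES.get(name)


def registrable_domain(name):
    """Naive 'last two labels' cut; real code should use the Public Suffix List."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def is_registered(name):
    """Stand-in RDAP check on the registrable part of name."""
    return registrable_domain(name) in REGISTERED


def parse_spf(record):
    """Split an SPF TXT record into (mechanisms, include targets, redirect target)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, includes, redirect = [], [], None
    for term in terms[1:]:
        m = re.match(r"^[+\-~?]?include:(.+)$", term, re.IGNORECASE)
        if m:
            includes.append(m.group(1).lower())
        elif term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1].lower()
        else:
            mechanisms.append(term)
    return mechanisms, includes, redirect


def audit_spf(domain, resolver=lookup_txt):
    """Walk include:/redirect= chains from domain.

    Returns {"dangling": [(target, unregistered)], "lookups": n, "over_limit": bool}.
    A dangling target that is also unregistered is the SubdoMailing condition:
    an outsider can buy it and authorize their own servers to send as `domain`.
    """
    dangling, visited, queue, lookups = [], set(), [domain], 0
    while queue:
        name = queue.pop(0)
        if name in visited:
            continue
        visited.add(name)
        record = resolver(name)
        if record is None:
            if name != domain:
                dangling.append((name, not is_registered(name)))
            continue
        mechanisms, includes, redirect = parse_spf(record)
        # a, mx, ptr and exists also cost one DNS lookup each (RFC 7208 4.6.4).
        lookups += sum(
            1 for mech in mechanisms
            if re.match(r"^[+\-~?]?(a|mx|ptr|exists)(:|/|$)", mech, re.IGNORECASE)
        )
        for target in includes + ([redirect] if redirect else []):
            lookups += 1
            queue.append(target)
    return {"dangling": dangling, "lookups": lookups, "over_limit": lookups > MAX_DNS_LOOKUPS}


def audit_cnames(subdomains):
    """Return (subdomain, target) pairs whose CNAME target's domain is unregistered."""
    findings = []
    for sub in subdomains:
        target = lookup_cname(sub)
        if target and not is_registered(target):
            findings.append((sub, target))
    return findings
```

Running `audit_spf("example.com")` on the constructed data flags `old-vendor.example` as an unregistered include target, the exact condition the campaign exploits, while `audit_cnames(CNAMES)` flags `promo.example.com` because its CNAME points into a domain nobody holds. Both checks belong in a periodic job over the organization's own zones, with findings treated as records to delete or re-point rather than left for someone else to register.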
Guardio Labs attributes the massive domain hijacking campaign to a threat actor it calls "Resurrecads," who systematically scans for domains that can be hijacked and purchases them in a targeted manner.
The threat actor continually refreshes this vast network of hijacked domains, SMTP servers, and IP addresses to sustain the scale and sophistication of the spam campaign. Guardio Labs says that SubdoMailing has used nearly 220,000 dedicated IPs, 1,000 of which appear to belong to home networks.
SubdoMailing's operational scale and distribution (source: Guardio Labs)
Currently, the SubdoMailing mass spam campaign operates through globally distributed SMTP servers that, via a network of 8,000 domain names and 130,000 subdomains, send more than 5 million fraudulent emails every day.
To make it easier for businesses to check whether their domain names have been hijacked, Guardio Labs has developed a SubdoMailing checker.