In a seemingly impossible act, nearly 8000 domains were discovered to be compromised by threat actors for malicious scam campaigns sending millions of emails every day.
All of these domains belonged to the most reputable brands and institutions, such as MSN, VMware, McAfee, The Economist, Cornell University, CBS, Marvel, eBay, and many others.
This threat activity has been dubbed “SubdoMailing.” The emails bypassed the security checks of even the major email providers and reached users’ inboxes.
The number of compromised domains associated with this activity is still growing by hundreds every day.
According to the Guardio Labs report, the activity was identified through unusual patterns in email metadata, in particular the SMTP servers involved.
Threat actors behind this activity used complex DNS manipulations, which resulted in the compromise of several domains belonging to reputable brands.
Investigating one of the emails from this phishing campaign revealed that the threat actors used images instead of text in the body of the email, which bypassed text-based spam filters.
Clicking anywhere in the email redirected users through a chain of domains that determine the device type and geographic location before displaying deceptive ads, phishing sites, or even delivering malware.
Examining the headers of the sample email further showed that it originated from an SMTP server in Kyiv and carried the sender address Return_UlKvw@marthastewart.msn.com.
Most of the large brands use mass mailing services that allow these service providers to send emails on their behalf.
Digging into the DNS records of marthastewart.msn.com revealed a CNAME record linking that subdomain to another domain, msnmarthastewartsweeps.com.
The SPF record of msnmarthastewartsweeps.com, in turn, contained an include: mechanism, which expands the list of approved sender IP addresses by pulling in another domain's SPF record.
This made it clear that the SPF records of these compromised domains each authorise a large number of IP addresses.
Recursively querying these records revealed more than 17826 IP addresses being used by threat actors under a single compromised domain.
In brief, the threat actors looked for abandoned domains that big brands' subdomains still pointed to via CNAME records, and privately re-registered those domains themselves.
Because these subdomains were not monitored, the threat actors were able to use them to send millions of spam and phishing emails to users worldwide under the guise of a reputable brand.
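The two mechanisms described above (a brand subdomain whose CNAME points at a domain nobody holds any more, and SPF include: chains that quietly authorise thousands of addresses) can be checked for in a zone. The following is an added Python example, not code from Guardio's report; it runs offline against a constructed stand-in for DNS with invented names rather than live lookups.

```python
import ipaddress
import re

# Constructed, offline stand-in for DNS (invented names, not the report's real
# records). Each name maps to its CNAME target or SPF TXT record; None means
# the name is not registered at all and could be claimed by anyone.
ZONE = {
    "promo.example-brand.com": {"CNAME": "sweeps.example-vendor.com"},
    "sweeps.example-vendor.com": None,  # expired: a dangling CNAME target
    "news.example-brand.com": {"CNAME": "mail.example-vendor.net"},
    "mail.example-vendor.net": {
        "TXT": "v=spf1 ip4:198.51.100.0/24 include:_spf.example-relay.com -all"},
    "_spf.example-relay.com": {
        "TXT": "v=spf1 ip4:203.0.113.0/26 ip6:2001:db8::/120 "
               "include:_spf.example-relay.com ~all"},  # self-include cycle
}


def dangling_cnames(zone):
    """Return subdomains whose CNAME target no longer exists (re-registrable)."""
    return sorted(name for name, rec in zone.items()
                  if rec and "CNAME" in rec and zone.get(rec["CNAME"]) is None)


def spf_address_count(zone, domain, seen=None, lookups=0):
    """Expand include: mechanisms recursively and count the addresses the SPF
    record authorises. Returns (address_count, include_lookups); a domain is
    expanded only once so cycles terminate, and the lookup count can be
    compared against RFC 7208's limit of 10 DNS lookups per evaluation."""
    seen = set() if seen is None else seen
    if domain in seen:
        return 0, lookups
    seen.add(domain)
    rec = zone.get(domain)
    if not rec or not rec.get("TXT", "").startswith("v=spf1"):
        return 0, lookups
    total = 0
    for term in rec["TXT"].split()[1:]:
        m = re.fullmatch(r"[+\-~?]?(ip4|ip6):(.+)", term)
        if m:
            total += ipaddress.ip_network(m.group(2), strict=False).num_addresses
        elif term.startswith("include:"):
            lookups += 1
            sub, lookups = spf_address_count(zone, term[len("include:"):],
                                             seen, lookups)
            total += sub
    return total, lookups


if __name__ == "__main__":
    print("dangling:", dangling_cnames(ZONE))
    print("addresses, lookups:", spf_address_count(ZONE, "mail.example-vendor.net"))
```

A real check would replace the ZONE dictionary with live CNAME and TXT queries and alert on any subdomain whose target does not resolve or whose expanded SPF authorises far more addresses than the brand actually sends from.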
To help counter these large-scale domain compromises, researchers at Guardio Labs have released a new website, “SubdoMailing,” where domain owners can check for and regain control over their compromised subdomains.