EBay, VMware, McAfee Sites Hijacked in Sprawling Phishing Operation

Published: 23/11/2024   Category: security




Trusted brands like The Economist are also among the 8,000 entities compromised by Operation SubdoMailing, which is at the heart of a larger operation of a single threat actor.



Attackers have compromised more than 8,000 subdomains from well-known brands and institutions to mount a sprawling phishing campaign that sends malicious emails numbering in the millions each day.
MSN, VMware, McAfee, The Economist, Cornell University, CBS, Marvel, and eBay are among the entities caught up in SubdoMailing — named by researchers from Guardio Labs who discovered the campaign, which is at the heart of a larger cybercriminal undertaking and undermines the trust and credibility of the compromised organizations, they said.
The uncovered operation involves the manipulation of thousands of hijacked subdomains belonging to or affiliated with big brands, Guardio Labs head of cybersecurity Nati Tal and security researcher Oleg Zaytsev wrote in a post on the content-sharing platform Medium. Complex DNS manipulations for these domains allowed the dispatch of vast quantities of spammy and just outright malicious emails, falsely authorized under the guise of internationally recognized brands.
The campaign is crafted in such a way that emails appear to come from trusted domains and bypass all the industry-standard email-security measures typically in place to block suspicious messages, including Sender Policy Framework (SPF), DKIM, SMTP Server, and DMARC, the researchers said.
Guardio breaks down in detail in the post how it uncovered the operation after its email protection systems flagged an email for unusual patterns in email metadata. It sent the researchers down a rabbit hole that ultimately led to a long-defunct partnership between lifestyle guru Martha Stewart and MSN.com.
The example cited was a particularly insidious email alerting someone of purported suspicious activity within a cloud storage account that ended up in a user's Primary inbox when it should have been flagged as spam.
The email — created as an image to avoid text-based spam filters — triggers a series of click-redirects through different domains that is typical of phishing campaigns. The redirects in this case check a victim's device type and geographic location, and lead them to various content tailored to maximize profit, such as ads, affiliate links that lead to quiz cams, phishing sites, or even malware.
When following the trail of how the email slipped past security scanning and protections, the researchers found what they deemed a classic subdomain hijacking scheme. While the email originated from 62.244.33.18, an SMTP server in Kyiv, it was flagged as being sent from [email protected].
This would on the surface seem legitimate, the researchers noted; however, in the scenario, a subdomain of msn.com authorized the SMTP server at 62.244.33.18 to send emails, which calls into question the legitimacy of this approval process, they said.
Upon closer examination of the DNS record for the subdomain marthastewart.msn.com, the researchers found it was linked to yet another domain with that CNAME record, msnmarthastewartsweeps.com. This means that the subdomain inherits the entire behavior of msnmarthastewartsweeps.com, including its SPF policy, according to the post.
Investigating further found that the SPF policy uses a syntax that allows expanding the IP list of approved senders using other domains' SPF records. When they recursively queried the SPF record, they found a list of 17,826 IPs, among them 62.244.33.18, basically allowing approval of all those addresses under the hijacked MSN.com subdomain. This ultimately allows emails sent from these domains to pass other protections as well, the researchers said.
Guardio eventually tracked the msnmarthastewartsweeps.com subdomain to a promotional sweepstakes campaign from 22 years ago. Though the domain was abandoned for 21 years, it was privately registered again with Namecheap in September 2022.
Now, the domain is owned by a specific actor that has control over its DNS records and, as a consequence, controls the MSN subdomain record as well, the researchers wrote. So, in this case, the actor can send emails to anyone they wish as if msn.com and their approved mailers sent those emails.
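The mechanics described in the preceding paragraphs, a brand subdomain whose CNAME hands its SPF policy to a separately registered domain, whose `include:` terms then pull in other domains' sender ranges, can be audited from the defender's side. The script below is an added example, not code from Guardio or from the article; it runs against a constructed, clearly labelled DNS snapshot instead of live DNS (a real audit would substitute a resolver library), models only `ip4:` and `include:` terms (other lookup-causing terms are counted toward the RFC 7208 ten-lookup limit but not resolved), and reports which delegated domain actually authorized a given sender IP, how many addresses the inherited policy approves in total, and whether a CNAME or include points at a name that no longer resolves. All domain names other than the two from the article are hypothetical.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

Network = ipaddress.IPv4Network

# Constructed DNS snapshot (NOT real records). The two msn/sweeps names are the
# ones discussed in the article; every other name is a placeholder. The
# 62.244.33.0/24 range is used only so the article's sender IP falls inside it.
DNS: Dict[str, Dict[str, List[str]]] = {
    "marthastewart.msn.com": {"CNAME": ["msnmarthastewartsweeps.com"]},
    "msnmarthastewartsweeps.com": {
        "TXT": ["v=spf1 include:mailers.example include:bulk.example -all"]
    },
    "mailers.example": {"TXT": ["v=spf1 ip4:62.244.33.0/24 ~all"]},
    "bulk.example": {
        "TXT": ["v=spf1 ip4:198.51.100.0/24 include:more.example "
                "include:retired.example -all"]
    },
    "more.example": {"TXT": ["v=spf1 ip4:203.0.113.0/25 -all"]},
    # A second brand subdomain whose CNAME target has no records at all:
    # the "forgotten promo domain" shape the article describes.
    "promo.brand.example": {"CNAME": ["old-promo-2003.example"]},
}

MAX_SPF_LOOKUPS = 10   # RFC 7208 section 4.6.4: more than 10 is a PermError
MAX_CNAME_DEPTH = 8


def canonical_name(name: str) -> Tuple[str, List[str]]:
    """Follow CNAME records and return the final name plus the chain walked."""
    chain = [name]
    for _ in range(MAX_CNAME_DEPTH):
        targets = DNS.get(name, {}).get("CNAME")
        if not targets:
            return name, chain
        name = targets[0]
        chain.append(name)
    raise ValueError("CNAME chain too deep")


def spf_record(name: str) -> Optional[str]:
    """Return the v=spf1 TXT record for a name, or None if it has none."""
    for txt in DNS.get(name, {}).get("TXT", []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def expand_spf(name: str) -> Dict[str, object]:
    """Recursively expand include: terms, attributing each ip4: network to the
    domain whose record contributed it, and count lookup-causing terms."""
    nets: Dict[str, Set[Network]] = {}
    visited: Set[str] = set()
    missing: List[str] = []
    lookups = 0

    def walk(domain: str) -> None:
        nonlocal lookups
        if domain in visited:          # guard against include: loops
            return
        visited.add(domain)
        rec = spf_record(domain)
        if rec is None:                # included domain with no SPF: PermError
            missing.append(domain)
            return
        for term in rec.split()[1:]:
            term = term.lstrip("+-~?")  # strip qualifier; policy result not modelled
            if term.startswith("ip4:"):
                nets.setdefault(domain, set()).add(
                    ipaddress.ip_network(term[4:], strict=False))
            elif term.startswith("include:"):
                lookups += 1
                walk(term[len("include:"):])
            elif term in ("a", "mx", "ptr") or term.startswith(
                    ("a:", "a/", "mx:", "mx/", "ptr:", "exists:", "redirect=")):
                lookups += 1           # counted only; not resolved offline

    walk(name)
    return {"networks": nets, "lookups": lookups, "missing": missing}


def audit_sender(subdomain: str, sender_ip: str) -> Dict[str, object]:
    """Explain whether sender_ip is authorized to mail as subdomain, and why."""
    final, chain = canonical_name(subdomain)
    unresolved = final not in DNS      # dangling CNAME target: takeover exposure
    result = (expand_spf(final) if not unresolved
              else {"networks": {}, "lookups": 0, "missing": []})
    ip = ipaddress.ip_address(sender_ip)
    nets: Dict[str, Set[Network]] = result["networks"]  # type: ignore[assignment]
    authorized_by = [d for d, ns in nets.items() if any(ip in n for n in ns)]
    return {
        "cname_chain": chain,
        "inherits_spf_from": final if final != subdomain else None,
        "unresolved_target": unresolved,
        "authorized": bool(authorized_by),
        "authorized_by": authorized_by,
        "total_addresses": sum(n.num_addresses for ns in nets.values() for n in ns),
        "lookups": result["lookups"],
        "over_lookup_limit": result["lookups"] > MAX_SPF_LOOKUPS,  # type: ignore[operator]
        "dangling_includes": result["missing"],
    }


if __name__ == "__main__":
    for sub, ip in [("marthastewart.msn.com", "62.244.33.18"),
                    ("promo.brand.example", "62.244.33.18")]:
        print(sub, ip, audit_sender(sub, ip))
```

The useful outputs for a defender are `inherits_spf_from` (the subdomain's effective policy is owned by someone else), `authorized_by` (which third-party include actually vouched for the IP), `total_addresses` (how wide the inherited authorization has grown), and `unresolved_target` (a CNAME pointing at a name with no records, which is the condition a re-registration turns into a hijack).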
Guardio attributes the extensive campaign to a threat actor tracked as ResurrecAds, which employs the strategy of reviving dead domains of or affiliated with big brands to use as backdoors to exploit legitimate services and brands toward the ultimate goal of profiting as an Ad-Network entity.
This approach enables them to circumvent contemporary email protection measures, showcasing their adeptness at manipulating the digital advertising ecosystem for nefarious gains, the researchers wrote.
As part of their malicious activity, the actor continuously scans the Internet for forgotten subdomains of respectable brands to identify opportunities to purchase or compromise them for malicious email dissemination, according to Guardio.
In this mission, ResurrecAds has amassed a vast network of both hijacked and deliberately acquired domain and IP assets, indicating a high level of organization and technical sophistication in maintaining this broad scale of operations, the researchers said.
The campaign demonstrates the growing sophistication of malicious email campaigns, which have been around since nearly the inception of this form of digital communication but continue to evolve as security protections such as SPF, DKIM, and DMARC also evolve and are more widely applied by defenders.
Our research has revealed that threat actors are not merely reacting to security measures; they've been proactively adapting and evolving for some time, the researchers wrote.
Because the operation is so rampant and still active, Guardio created a special website with a tool, SubdoMailing Checker, for checking whether a site's abandoned domain is being used in the operation.
The page is updated daily with the latest domains impacted by CNAME- and SPF-based hijacking, as detected by Guardio's systems, and gives organizations all the details of known abuses, type of hijack, and relevant subdomains and SPF records in need of attention, the researchers explained.
