Malicious Actors Weaponize 8,000 Domains & 13,000 Subdomains in a Phishing Operation


Phishing attacks are a persistent threat and keep evolving to bypass security controls. Traditional campaigns register look-alike domains and build fake websites to lure victims. A recent large-scale campaign named "SubdoMailing", attributed by Guardio Labs to a threat actor tracked as ResurrecAds, takes a different approach: it hijacks forgotten subdomains of legitimate brands. Active since at least September 2022, the campaign has abused more than 8,000 domains and 13,000 subdomains belonging to established brands and institutions, including ACLU, eBay, Lacoste, Marvel, McAfee, MSN, Pearson, PwC, Swatch, Symantec, The Economist, UNICEF, and VMware.

Guardio Labs uncovered the campaign, which abuses the very foundation of the internet's addressing system, the Domain Name System (DNS), rather than any flaw in the brands' own mail servers. The attackers send spam from the hijacked subdomains and earn revenue from clicks, borrowing each brand's reputation so that the mail slips past defenses built on SPF, DKIM, and DMARC, the email authentication methods designed to prevent domain spoofing. The message bodies are rendered as images so that text-based spam filters have nothing to scan, and the embedded links redirect each recipient according to device and location, landing on scam pages, phishing sites, or malware.


How does SubdoMailing work?

SubdoMailing is a technique that takes over abandoned subdomains of legitimate websites and uses them to send phishing and deceptive emails. It works in four steps:

  • Attackers scan for subdomains of established brands that have been unused for a long time and still carry a CNAME record pointing at a third-party domain (a former vendor, a retired marketing platform) that has since expired.
  • They register that expired target domain. From then on, every DNS lookup for the abandoned subdomain follows the CNAME into infrastructure the attackers control.
  • Because the subdomain's SPF record is fetched through the same CNAME, the attackers publish an SPF record of their own and their mail servers become "authorized" senders for the brand's subdomain. The subdomain still aligns with the parent brand domain under DMARC's default relaxed alignment, so DMARC does not block the mail either.
  • They then send phishing and spam campaigns from the hijacked subdomain, and the messages appear to originate from the trusted brand.

How are CNAME records exploited in SubdoMailing campaigns?

CNAME (Canonical Name) records are used in the Domain Name System (DNS) to map an alias name to a canonical name. They act as pointers: when a resolver asks for any record type at the alias (an A record for a website, a TXT record carrying an SPF policy), it is redirected to the canonical name and answers with whatever records exist there.

Attackers look for long-abandoned subdomains whose CNAME records still point at external domains that once hosted a vendor or a retired service and have since expired. The subdomain was never deleted, so its pointer is now dangling. By registering the expired target domain, the attackers control everything the subdomain resolves to, including the TXT record that carries its SPF policy. The brand's main domain itself is never touched; the brand simply forgot that one of its subdomains delegates its identity to a domain nobody owns anymore.

How do attackers abuse SPF Authentication in SubdoMailing?

Sender Policy Framework (SPF) is an email authentication standard that allows domain owners to specify authorized servers permitted to send emails on their behalf. This helps prevent domain spoofing, where attackers forge email sender addresses to impersonate legitimate identities.

SPF is evaluated against the domain in the envelope sender (MAIL FROM) address, and the receiving server fetches that domain's SPF record with a normal DNS TXT query. When the envelope domain is the hijacked subdomain, the query follows the dangling CNAME into the attacker-registered domain, so the attackers decide which IP addresses the SPF record authorizes. Mail from their own servers therefore passes SPF as a legitimate message from the brand's subdomain. Receivers that rely on SPF alone accept it, and because a subdomain is aligned with its parent domain under DMARC's relaxed mode, DMARC is satisfied as well, which lets the messages through spam filters and on to recipients who trust the brand name.
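The following is an added example, not code from the original article or from Guardio Labs, that simulates the CNAME and SPF mechanics described in the three sections above. The zone data, the brand name brand.example, the expired vendor domain old-vendor.example and the IP ranges are all constructed for the example. The resolver follows CNAMEs the way a real one does, the SPF evaluator handles the ip4/ip6/include/all mechanisms, and the DMARC check applies relaxed alignment (organizational domain comparison, simplified to the last two labels instead of the public suffix list).

```python
"""Simulate how a dangling CNAME hands an attacker a subdomain's SPF policy.

All DNS data below is constructed for this example; no network access is used.
"""
import ipaddress

# Constructed zone state before the takeover. 'promo.brand.example' was a
# retired marketing subdomain whose CNAME still points at a vendor domain that
# has expired and therefore has no records at all.
DNS_BEFORE = {
    "brand.example": {"TXT": ["v=spf1 ip4:203.0.113.0/24 -all"]},
    "promo.brand.example": {"CNAME": "old-vendor.example"},
}

# Constructed zone state after the attacker re-registers old-vendor.example and
# publishes an SPF record authorizing their own mail servers (198.51.100.0/24).
DNS_AFTER = {
    **DNS_BEFORE,
    "old-vendor.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(dns, name, depth=0):
    """Return the TXT records for name, following CNAME chains like a resolver."""
    if depth > 8:  # guard against CNAME loops
        return []
    rrset = dns.get(name, {})
    if "CNAME" in rrset:
        return lookup_txt(dns, rrset["CNAME"], depth + 1)
    return list(rrset.get("TXT", []))


def spf_record(dns, domain):
    """Return the single SPF record for domain, or None if absent/ambiguous."""
    records = [t for t in lookup_txt(dns, domain) if t.startswith("v=spf1 ")]
    return records[0] if len(records) == 1 else None


def check_spf(dns, domain, sender_ip, depth=0):
    """Minimal SPF evaluation: ip4/ip6, include:, and the terminal 'all'."""
    record = spf_record(dns, domain)
    if record is None or depth > 10:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        matched = False
        if term.startswith(("ip4:", "ip6:")):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = check_spf(dns, term[8:], sender_ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term


def org_domain(name):
    """Organizational domain, simplified to the last two labels."""
    return ".".join(name.split(".")[-2:])


def dmarc_spf_aligned(header_from_domain, mailfrom_domain):
    """DMARC relaxed SPF alignment: same organizational domain is enough."""
    return org_domain(header_from_domain) == org_domain(mailfrom_domain)


def evaluate(dns, mailfrom_domain, header_from_domain, sender_ip):
    """Combine SPF and alignment the way a DMARC-aware receiver does."""
    spf = check_spf(dns, mailfrom_domain, sender_ip)
    aligned = dmarc_spf_aligned(header_from_domain, mailfrom_domain)
    return {"spf": spf, "aligned": aligned, "dmarc_pass": spf == "pass" and aligned}


if __name__ == "__main__":
    attacker_ip = "198.51.100.7"
    print("before takeover:", evaluate(DNS_BEFORE, "promo.brand.example", "brand.example", attacker_ip))
    print("after takeover: ", evaluate(DNS_AFTER, "promo.brand.example", "brand.example", attacker_ip))
    print("main domain:    ", evaluate(DNS_AFTER, "brand.example", "brand.example", attacker_ip))
```

Before the takeover the subdomain has no SPF record (result "none"). After the attacker registers old-vendor.example, the same sender IP passes SPF for promo.brand.example and the message aligns with brand.example, so DMARC passes too, while mail claiming to come directly from brand.example still fails. Nothing in brand.example's own zone changed.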


The consequences of SubdoMailing Attacks

  • Phishing: Attackers use the hijacked subdomains to send large volumes of spam and phishing email. Because the sender domain really belongs to a known brand, the messages look legitimate and trick recipients into clicking malicious links or opening attachments.

  • Credential Theft: Phishing emails sent through SubdoMailing often aim to steal login credentials for online accounts. Once stolen, these credentials can be used for identity theft, financial fraud, or further attacks.

  • Brand Reputation Damage: When an established brand's subdomain is seen sending phishing mail, the brand's reputation suffers and user trust erodes, even though the brand's own systems were never breached.

  • Detection Evasion: The messages pass SPF and DMARC checks under a genuine brand subdomain, so reputation-based and authentication-based filters have little to flag. More of the mail reaches inboxes, and more users fall victim.

How can organizations prevent SubdoMailing attacks?

  • Enforce strict access controls and change management for DNS, and audit your zones for dangling records: CNAME entries pointing at domains you no longer own, and SPF include or redirect targets that have expired. Remove records for retired subdomains instead of leaving them behind.
  • Regularly review DNS logs and network traffic for anomalies, such as sudden resolution of a long-dormant subdomain, that might indicate a takeover.
  • Implement multi-layered email security, including SPF, DKIM, and DMARC with a strict enforcement policy (p=reject) and a subdomain policy (sp=) that covers subdomains explicitly.
  • Conduct regular security awareness training for employees on phishing attempts and other social engineering tactics.
  • Enforce robust password policies and implement multi-factor authentication (MFA) so that stolen credentials alone are not enough.
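The following is an added example, not code from the original article, that shows the DNS audit recommended in the first bullet above: parse a zone file, collect every external domain the zone depends on (CNAME targets and SPF include/redirect targets), and flag those whose registrable domain is no longer registered. The zone file and the REGISTERED set are constructed for the example; in practice the registration check would be an RDAP or WHOIS query, and the public suffix list would replace the two-label simplification in registrable_domain.

```python
"""Audit a DNS zone for dangling external dependencies (CNAME and SPF targets).

The zone file and registration data are constructed for this example.
"""
import re

ZONE_FILE = """\
$ORIGIN brand.example.
@            3600 IN TXT   "v=spf1 ip4:203.0.113.0/24 include:mailer.example -all"
www          3600 IN A     203.0.113.10
promo        3600 IN CNAME old-vendor.example.
status       3600 IN CNAME statuspage.example.
"""

# Constructed stand-in for a live registration check (RDAP/WHOIS in practice).
# old-vendor.example is deliberately absent: it has expired.
REGISTERED = {"brand.example", "mailer.example", "statuspage.example"}

RECORD_RE = re.compile(r"(\S+)\s+\d+\s+IN\s+(\w+)\s+(.*)")


def registrable_domain(name):
    """Registrable domain, simplified to the last two labels."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def parse_zone(text):
    """Return (owner, rtype, rdata) tuples from a minimal BIND-style zone file."""
    origin = ""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        match = RECORD_RE.match(line)
        if not match:
            continue
        owner, rtype, rdata = match.groups()
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        records.append((owner.rstrip("."), rtype, rdata.strip()))
    return records


def external_dependencies(records, org):
    """Every (owner, kind, target) where target lives outside the org's own domain."""
    deps = []
    for owner, rtype, rdata in records:
        if rtype == "CNAME":
            deps.append((owner, "CNAME", rdata.rstrip(".")))
        elif rtype == "TXT" and rdata.strip('"').startswith("v=spf1"):
            for term in rdata.strip('"').split()[1:]:
                term = term.lstrip("+-~?")
                if term.startswith("include:"):
                    deps.append((owner, "SPF include", term[8:]))
                elif term.startswith("redirect="):
                    deps.append((owner, "SPF redirect", term[9:]))
    return [d for d in deps if registrable_domain(d[2]) != org]


def find_dangling(records, org, registered):
    """External dependencies whose registrable domain nobody currently owns."""
    return [d for d in external_dependencies(records, org)
            if registrable_domain(d[2]) not in registered]


if __name__ == "__main__":
    for owner, kind, target in find_dangling(parse_zone(ZONE_FILE), "brand.example", REGISTERED):
        print(f"DANGLING {kind}: {owner} -> {target} (target domain is unregistered)")
```

Any record the audit flags should be deleted or re-pointed before someone else registers the target; the promo subdomain in the sample zone is exactly the kind of entry SubdoMailing abuses.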


Implement Email Authentication Protocols with TDMARC

TDMARC simplifies the deployment and management of SPF, DKIM, and DMARC, helping defend your organization against SubdoMailing-style abuse. Maintaining these records across many email domains by hand is time-consuming and error-prone, and a single forgotten subdomain or stale include is all an attacker needs.
