Severity
High
Analysis Summary
More than 8,000 domains and 13,000 subdomains belonging to trusted institutions and brands have been hijacked as part of a massive and advanced spam distribution campaign for click monetization. This malicious activity has been ongoing since at least September 2022, tracked by the name SubdoMailing.
The researchers have linked the campaign to a threat actor known as ResurrecAds that has revived dead domains belonging to or affiliated with famous brands in the past, with the main aim of manipulating the digital advertising ecosystem for malicious purposes and gaining illicit money. ResurrecAds is responsible for managing an extensive infrastructure that contains a variety of hosts, IP addresses, SMTP servers, and private residential ISP connections as well as multiple additional owned domain names.

The campaign has been observed to exploit the trust associated with these domains to send out millions of malicious and spam phishing emails every day, with the credibility of the hijacked names and the stolen infrastructure also helping the emails evade detection. Most of these subdomains are either affiliated with or belong to known organizations and brands such as eBay, ACLU, Marvel, Lacoste, McAfee, Pearson, MSN, PwC, Symantec, Swatch, UNICEF, The Economist, and VMware, among many others. The campaign is notable for its ability to fly under the radar of standard security controls: the entire message body is rendered as an image to evade text-based spam filters. When the image is clicked, it initiates a series of redirections through various domains.
“These redirects check your device type and geographic location, leading to content tailored to maximize profit. This could be anything from an annoying ad or affiliate link to more deceptive tactics like quiz scams, phishing sites, or even a malware download aimed at swindling you out of your money more directly,” said the researchers.
These malicious emails are also able to pass Sender Policy Framework (SPF) checks. SPF is an email authentication method designed to prevent spoofing by verifying that the sending mail server is authorized to send email on behalf of the specified domain. Beyond that, the mail can also pass Domain-based Message Authentication, Reporting, and Conformance (DMARC) and DomainKeys Identified Mail (DKIM) checks, the controls that would otherwise cause such messages to be marked as spam.
In one example, a deceptive cloud storage warning email was sent from an SMTP server located in Kyiv. An examination of the DNS records showed that the sending subdomain was aliased to another domain using a CNAME record, an aliasing technique previously leveraged by advertising technology companies to bypass third-party cookie blocking. It is also worth noting that both domains were once legitimate and were active for a short while in 2001 before being abandoned for about 21 years.
In other words, this hijacking scheme requires the attackers to systematically scan for forgotten subdomains whose CNAME records point at abandoned domains, and then register those abandoned domains to take over the subdomains. CNAME takeover can also have serious consequences when trusted subdomains are used to host fake phishing landing pages designed to steal users’ credentials. However, there is no evidence that any of the seized subdomains have been leveraged this way.
Security researchers also found instances where a known domain’s DNS SPF record includes abandoned domains linked to defunct email services, allowing the threat actors to take ownership of those domains and inject their own IP addresses into the record, so that they can finally send emails impersonating the main domain name. To counter the threat, a SubdoMailing Checker has been made public that allows domain administrators and site owners to look for signs of compromise.
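The two hijack preconditions described above (a subdomain whose CNAME points at an abandoned domain, and an SPF record that includes an abandoned domain) can both be audited from a domain owner's side. The following script is an added example, not code from Rewterz or from the SubdoMailing Checker; it uses a constructed in-memory DNS table (hypothetical names under the reserved `.example` TLD) so that it runs offline, and treats a name as "registered" when its registrable domain appears anywhere in that table. For real use, replace `FAKE_DNS` lookups with a resolver and an availability check against the registrar.

```python
"""Offline audit for dangling CNAME targets and dangling SPF include: / redirect= targets.

All DNS data below is constructed for this example. In production, replace the
table lookups with live DNS queries and check whether the flagged registrable
domains are actually available for registration.
"""
import re
from typing import Dict, List, Optional, Set

# Constructed DNS table: name -> records. A name absent from the table is NXDOMAIN.
FAKE_DNS: Dict[str, Dict[str, object]] = {
    "brand.example": {
        "TXT": ["v=spf1 include:_spf.mailer.example include:old-vendor.example -all"]
    },
    "_spf.mailer.example": {"TXT": ["v=spf1 ip4:203.0.113.0/24 -all"]},
    # Forgotten marketing subdomain whose alias target was never cleaned up.
    "promo.brand.example": {"CNAME": "campaign.forgotten-vendor.example"},
    "www.brand.example": {"CNAME": "brand.example"},
}

# Matches include:target and redirect=target with an optional SPF qualifier.
SPF_REF = re.compile(r"^[+\-~?]?(include|redirect)[:=](\S+)$", re.IGNORECASE)


def registrable_domain(name: str) -> str:
    """Naive registrable domain (last two labels). Use the Public Suffix List in production."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def is_registered(name: str, table: Dict[str, Dict[str, object]] = FAKE_DNS) -> bool:
    """A registrable domain counts as registered if any name under it exists in the table."""
    known = {registrable_domain(n) for n in table}
    return registrable_domain(name) in known


def find_dangling_cname(name: str, table: Dict[str, Dict[str, object]] = FAKE_DNS,
                        max_depth: int = 8) -> Optional[str]:
    """Follow the CNAME chain from `name`; return the first target whose domain is unregistered."""
    current = name
    for _ in range(max_depth):  # depth guard against CNAME loops
        target = table.get(current, {}).get("CNAME")
        if target is None:
            return None
        if not is_registered(str(target), table):
            return str(target)
        current = str(target)
    return None


def spf_record(domain: str, table: Dict[str, Dict[str, object]]) -> Optional[str]:
    for txt in table.get(domain, {}).get("TXT", []):  # type: ignore[union-attr]
        if str(txt).lower().startswith("v=spf1"):
            return str(txt)
    return None


def find_dangling_spf_includes(domain: str, table: Dict[str, Dict[str, object]] = FAKE_DNS,
                               _seen: Optional[Set[str]] = None) -> List[str]:
    """Return include:/redirect= targets (followed recursively) whose domain is unregistered."""
    seen = _seen if _seen is not None else set()
    if domain in seen:  # avoid include loops (RFC 7208 also caps lookups at 10)
        return []
    seen.add(domain)
    record = spf_record(domain, table)
    if record is None:
        return []
    dangling: List[str] = []
    for term in record.split()[1:]:
        match = SPF_REF.match(term)
        if not match:
            continue  # ip4:, ip6:, a, mx, -all etc. cannot dangle by registration
        target = match.group(2)
        if not is_registered(target, table):
            dangling.append(target)
        else:
            dangling.extend(find_dangling_spf_includes(target, table, seen))
    return dangling


def audit(domain: str, subdomains: List[str],
          table: Dict[str, Dict[str, object]] = FAKE_DNS) -> Dict[str, object]:
    """Summarise both findings for a domain and a list of its subdomains."""
    return {
        "dangling_spf": find_dangling_spf_includes(domain, table),
        "dangling_cname": {
            sub: tgt for sub in subdomains
            if (tgt := find_dangling_cname(sub, table)) is not None
        },
    }


if __name__ == "__main__":
    print(audit("brand.example", ["promo.brand.example", "www.brand.example"]))
```

Every entry in `dangling_spf` is a domain that, if registered by someone else, would let them add their own IP addresses to a record the audited domain trusts; every entry in `dangling_cname` is a subdomain that would start resolving to whoever registers the target. Both are the conditions the alert describes, and both are fixed on the owner's side by removing the stale record.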
Impact
- Identity Theft
- Credential Theft
- Exposure to Sensitive Data
Remediation
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.
- Implement ongoing phishing awareness training for partners and staff.
- Implement a web application firewall to filter out malicious traffic and protect against common web-based threats.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Be vigilant and thoroughly check the URL to see if it’s legitimate before downloading apps.