A sophisticated ad fraud scheme dubbed "SubdoMailing" has emerged, leveraging over 8,000 legitimate internet domains and 13,000 subdomains to dispatch up to five million emails daily. Orchestrated by threat actors, the campaign aims to generate revenue through scams and malvertising tactics.
The modus operandi of "SubdoMailing" involves hijacking abandoned subdomains and domains of well-known companies, including MSN, VMware, McAfee, The Economist, and others. Exploiting the credibility of these domains enables malicious emails to bypass spam filters and authentication protocols like SPF and DKIM, thereby appearing legitimate to secure email gateways.
Upon clicking embedded buttons in the emails, recipients are redirected through a series of manipulative tactics, leading to fake giveaways, security scans, surveys, or affiliate scams. Guardio Labs researchers Nati Tal and Oleg Zaytsev uncovered the operation, which has been active since 2022.
The campaign employs various techniques to hijack domains, including CNAME hijacking and exploitation of SPF records. By scanning for subdomains with CNAME records pointing to unregistered external domains or exploiting SPF include options, threat actors gain control over email servers, making their messages seem authentic.
Attributed to a threat actor named "ResurrecAds," the operation continually refreshes a vast network of hijacked domains, SMTP servers, and IP addresses to sustain its scale and complexity. It utilizes nearly 22,000 unique IPs, including residential proxies, to disseminate fraudulent emails globally.
Guardio Labs emphasizes the campaign's enormity, with over five million fraudulent emails reaching targets daily. To combat the scheme, they've developed a SubdoMailing checker site for domain owners to detect abuse and take corrective measures.
The SubdoMailing campaign underscores the persistent challenges posed by cybercriminals and highlights the critical importance of robust security measures to protect against evolving threats in the digital landscape.
