Thousands of Subdomains Hijacked in Sprawling Phishing Operation

In a shocking revelation, it has been discovered that several well-known brands and institutions, including eBay, VMware, McAfee, and MSN, have fallen victim to a sophisticated phishing operation. Attackers have managed to compromise over 8,000 subdomains belonging to these organizations, enabling them to launch a massive phishing campaign that sends out millions of malicious emails each day. This operation, known as "SubdoMailing," not only undermines the trust and credibility of these renowned brands but also exposes the vulnerabilities in email-security measures.

The Elaborate Hijacking Scheme:
Researchers from Guardio Labs uncovered this sprawling phishing operation, which involves the manipulation of hijacked subdomains affiliated with major brands. The attackers employ complex DNS manipulations to send out spammy and malicious emails while masquerading as internationally recognized brands. What makes this campaign particularly dangerous is its ability to bypass industry-standard email-security measures, including Sender Policy Framework (SPF), DKIM, SMTP server checks, and DMARC.

The Detection of the Phishing Campaign:
Guardio Labs detected the phishing campaign by finding unusual patterns in the metadata of an email. The investigation led them to a defunct partnership between lifestyle guru Martha Stewart and, where a subdomain hijacking scheme was employed. By using click-redirects, the attackers conducted geolocation and device checks to direct victims to tailored content such as ads, affiliate links, phishing sites, or even malware.

Exploiting Legitimate Services and Brands:
The extensive campaign has been attributed to a threat actor named "ResurrecAds." This actor specializes in reviving "dead" domains associated with significant brands to exploit legitimate services and brands, ultimately profiting as an "Ad-Network" entity. By continuously scanning the Internet for forgotten subdomains, ResurrecAds identifies opportunities to compromise or purchase domains for malicious email dissemination. Such a broad-scale operation indicates a high level of organization and technical sophistication.

The State of Email Security:
This phishing operation demonstrates the evolving sophistication of malicious email campaigns. Threat actors are not merely reacting to security measures but proactively adapting and evolving their tactics. While security measures like SPF, DKIM, and DMARC have been widely applied, attackers have found ways to circumvent them, posing a serious challenge for defenders.

Guardio's Efforts:
In response to the rampant and ongoing phishing operation, Guardio has launched a specialized website with a tool called SubdoMailing Checker. This tool allows organizations to check whether their abandoned domains are being exploited in the phishing campaign. The website is updated daily with the latest impacted domains, providing details on the type of hijack, subdomains in need of attention, and relevant SPF records.

The recent discovery of a sprawling phishing operation targeting thousands of subdomains belonging to renowned brands highlights the lengths to which threat actors will go to deceive users and exploit vulnerabilities. This incident serves as a stark reminder for organizations and individuals to remain vigilant and implement robust security measures to protect against phishing attempts. As the sophistication of malicious campaigns continues to evolve, the cybersecurity community must stay one step ahead to ensure the safety and integrity of online interactions.


February 29, 2024
