eBay, VMware and McAfee sites hacked in extensive phishing operations

The attackers compromised more than 8,000 subdomains of well-known brands and institutions to run a vast phishing campaign that sends millions of malicious emails every day.

MSN, VMware, McAfee, The Economist, Cornell University, CBS, Marvel and eBay are among the entities caught up in “SubdoMailing,” the name given to the campaign by the Guardio Labs researchers who uncovered it. The campaign sits at the heart of a wider cybercriminal enterprise and undermines the trust and credibility of the compromised organisations, they said.

“The uncovered operation involves the manipulation of thousands of hijacked subdomains belonging to or affiliated with large brands,” Guardio Labs head of cybersecurity Nati Tal and security researcher Oleg Zaytsev wrote in a post on the content-sharing platform Medium. “Complex DNS manipulations for these domains allowed the sending of large amounts of spam and simply malicious emails, falsely authorized under the guise of internationally recognized brands.”

The campaign is crafted so that the emails appear to come from trusted domains and bypass the industry-standard email security measures typically in place to block suspicious messages, including Sender Policy Framework (SPF), DKIM, DMARC and SMTP server checks, the researchers said.

Uncovering the hijacking scheme

Guardio details in the post how it discovered the operation after its email security systems flagged an email for unusual patterns in the message’s metadata. That sent researchers down a rabbit hole that eventually led to a now-defunct partnership between lifestyle guru Martha Stewart and MSN.com.

The example cited was “a particularly insidious email” alerting the recipient to alleged suspicious activity in a cloud storage account; it landed in the user’s “Primary” inbox when it should have been marked as spam.

The email, rendered as an image to evade text-based spam filters, triggers a series of click redirects across different domains, as is typical of phishing campaigns. In this case the redirects check the victim’s device type and geographic location and route them to content tailored to maximize profit, such as advertisements, affiliate links leading to scam quizzes, phishing sites, or even malware.

By tracing how the email slipped past security scans and protections, the researchers discovered what they described as a “classic subdomain hijacking scheme.” Although the email came from 62.244.33.18, an SMTP server in Kiev, it was marked as sent from an address on an msn.com subdomain.

At first glance this would seem legitimate, the researchers noted. In this scenario, however, a subdomain of msn.com had authorized the SMTP server 62.244.33.18 to send email on its behalf, which calls the legitimacy of that approval into question, they said.

On closer examination of the DNS record for the marthastewart.msn.com subdomain, the researchers found that it pointed via a CNAME record to another domain, msnmarthastewartsweeps.com. This means that “the subdomain inherits the entire behavior of msnmarthastewartsweeps.com, including its SPF policy,” according to the post.

Further investigation showed that the SPF policy uses the include syntax, which extends the list of approved sender IPs with the SPF records of other domains. When the researchers recursively queried the SPF record, they found a list of 17,826 IPs, including 62.244.33.18, so all of those addresses are effectively approved senders for the hijacked msn.com subdomain. This ultimately lets emails sent from those addresses bypass other protections as well, the researchers said.
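The CNAME inheritance and recursive SPF include expansion described above, as an added offline illustration (not Guardio’s tool or code): it follows a subdomain’s CNAME, expands the inherited SPF policy’s include: terms into the set of authorized networks, and reports whether a given sender IP is approved and how many addresses the policy authorizes in total. The DNS table is a constructed snapshot; only the marthastewart.msn.com CNAME and the 62.244.33.18 address come from the article, and every other name and address is made up.

```python
import ipaddress

# Constructed, offline DNS snapshot standing in for live lookups. Only the CNAME
# to msnmarthastewartsweeps.com and 62.244.33.18 are from the article.
DNS = {
    "marthastewart.msn.com": {"CNAME": "msnmarthastewartsweeps.com"},
    "msnmarthastewartsweeps.com": {
        "TXT": "v=spf1 include:_spf.sender.example include:relay.ads.example ~all"},
    "_spf.sender.example": {"TXT": "v=spf1 ip4:198.51.100.0/24 include:relay.ads.example -all"},
    "relay.ads.example": {"TXT": "v=spf1 ip4:62.244.33.18 ip4:203.0.113.0/25 -all"},
}

def canonical_name(domain):
    """Follow CNAMEs: the subdomain inherits the target's TXT (SPF) record."""
    for _ in range(8):  # guard against CNAME loops
        target = DNS.get(domain, {}).get("CNAME")
        if target is None:
            return domain
        domain = target
    return domain

def expand_spf(domain, seen=None, lookups=None):
    """Recursively expand include: terms into the set of authorized networks.
    Returns (networks, count of include lookups); RFC 7208 caps lookups at 10."""
    seen = set() if seen is None else seen
    lookups = [0] if lookups is None else lookups
    domain = canonical_name(domain)
    nets = set()
    if domain in seen:  # already expanded, or an include loop
        return nets, lookups[0]
    seen.add(domain)
    record = DNS.get(domain, {}).get("TXT", "")
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        if term[:4] in ("ip4:", "ip6:"):
            nets.add(ipaddress.ip_network(term[4:], strict=False))
        elif term.startswith("include:"):
            lookups[0] += 1
            nets |= expand_spf(term[8:], seen, lookups)[0]
    return nets, lookups[0]

def authorized_sender(domain, ip):
    """True if `ip` may send mail as @domain under the inherited SPF policy."""
    nets, _ = expand_spf(domain)
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def total_addresses(domain):
    """How many distinct addresses the fully expanded policy authorizes."""
    return sum(net.num_addresses for net in expand_spf(domain)[0])
```

Run against a real zone, a lookup count approaching the RFC limit of 10 or an authorized-address total far larger than the organisation’s own mail infrastructure is the signal that a subdomain’s inherited policy deserves review.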

Guardio eventually traced the msnmarthastewartsweeps.com domain back to a 22-year-old sweepstakes promotional campaign. Although the domain had been abandoned for 21 years, it was re-registered privately through Namecheap in September 2022.

“Now, the domain is owned by a specific actor who has control over its DNS records and, consequently, also controls the MSN subdomain record,” the researchers wrote. “So, in this case, the actor can send emails to anyone he wants as if msn.com and its approved mailers were sending those emails.”

Single threat actor

Guardio attributes the extensive campaign to a threat actor it calls “ResurrecAds,” which revives “dead” domains belonging to, or affiliated with, large brands and uses them as a backdoor into legitimate services and brands, with the ultimate goal of profiting as an “ad network” entity.

“This approach allows them to bypass current email security measures, demonstrating their ability to manipulate the digital advertising ecosystem for nefarious gains,” the researchers wrote.

According to Guardio, as part of its malicious activity the actor continuously scans the Internet for forgotten subdomains of reputable brands, looking for ones it can buy or otherwise compromise in order to spread malicious emails.

In this mission, ResurrecAds amassed “a vast network of hijacked and deliberately acquired IP domains and assets, indicating a high level of organization and technical sophistication in maintaining this large scale of operations,” the researchers said.

Verification of the compromise

The campaign demonstrates the growing sophistication of malicious email campaigns, which have existed almost since the inception of this form of digital communication but continue to evolve as security protections such as SPF, DKIM and DMARC also evolve and are more widely applied by defenders.

“Our research revealed that threat actors don’t just react to security measures; they have been adapting proactively and evolving for some time,” the researchers wrote.

Because the operation is so widespread and still active, Guardio created a dedicated website with a tool, SubdoMailing Checker, that lets organizations check whether any of their abandoned domains are being used in the operation.

The page is updated daily with the latest domains affected by the CNAME- and SPF-based hijacking detected by Guardio’s systems, and provides organizations with “full details of known abuse, type of hijacking and relevant subdomains and SPF records in need of attention,” the researchers explained.
