When you think of hijacking, images of thrilling heists might come to mind. But what if we told you there's a different kind of hijacking happening in the digital realm? Guardio Labs, runners-up to GASA’s Best Scam Fighting Tool, recently uncovered a massive 'SubdoMailing' fraud that is using the trust of well-known brands to send millions of malicious emails and phishing attacks each day.
Thanks to the impressive research efforts by Guardio Labs, attention is being given to this scheme. The “SubdoMailing”, as it is commonly known, uses domains from renowned brands and institutions to send out bogus emails to unsuspecting users.
Nati Tal and Oleg Zaytsev, both from Guardio Labs, have written an extensive analysis (read it here), detailing the scale, magnitude, and Modus Operandi of this email hijacking scheme.
Thousands of Compromised Domains
Guardio's email protection systems noticed strange patterns in email data, prompting an investigation that unveiled an extensive subdomain hijacking operation. Over 8,000 domains, including eBay, The Economist, MSN, Marvel, McAfee, VMware, CBS, and others, have fallen victim. The saddest part is, the numbers keep rising, with hundreds more becoming casualties to this web of digital deception. This clandestine operation is churning out malicious emails like there's no tomorrow.
Deciphering a Shady Email Plot
Let's dissect a shady email that's been raising eyebrows, warning users about spooky activities in their cloud storage. Crafted cunningly as an image to slyly slip past spam filters, this email triggers a sequence of maneuvers through different domains. Guardio's scrutiny uncovered tweaks in SPF, DKIM, and DMARC authentication, giving these fraudulent emails a backstage pass into users' primary inboxes.
Here is an example of an email, purporting to say that cloud storage is full, that has slipped through the cracks and landed in people’s inboxes.
Can you spot anything unusual? Notice the sender: healthylifes.uk.com? Well, appearances can indeed be misleading, and here's the scoop.
Firstly, take a closer look at the fact that the email is presented in image form. It's not merely an image- it's a clever ploy to slip past text-based spam filters. But here's where it gets interesting. Any interaction with this email sets off a chain reaction of click-redirects through various domains. Craftily, these redirects analyze your device type and whereabouts, directing you to tailored content, all in the pursuit of maximizing profit. Tricky, isn't it?
How do scammers pull off their schemes? Let's take a closer look at their playbook:
SPF (Sender Policy Framework) Check — SPF acts as a guard against email spoofing by cross-referencing the IP addresses of the email-sending server with the domain’s roster of authorized senders. This one clears the bar, meeting other industry standards as well:
DKIM (DomainKeys Identified Mail) — This email's content is securely authenticated through successful signing with a cryptographic key provided by the sender at healthylifes.uk.com.
SMTP (Simple Mail Transfer Protocol) Server — The server (62.244.33.18) responsible for dispatching the email is stationed in Kyiv.
SPF — It passes the test, with marthastewart.msn.com vouching for the legitimacy of the SMTP Server IP address.
DMARC (Domain-based Message Authentication Reporting & Conformance)— A domain-driven policy enforcing SPF and DKIM also fits the bill, following the uk.com top-level domain's policy stating “sp=NONE” (indicating no policy for subdomains).
Hold on! What's the deal with Martha Stewart and Microsoft’s MSN being involved in validating this shady email?!
Intriguingly, the fraudulent Cloud storage email, originating from an SMTP server in Kyiv, was flagged as sent from Return_UlKvw@marthastewart.msn.com. While this might appear legitimate, akin to businesses using mass mailing services, an investigation reveals that a subdomain of msn.com authorized the SMTP server at 62.244.33.18 to send emails, casting doubt on the legitimacy of this approval process.
Examining the DNS record for marthastewart.msn.com unveils revealing insights. This subdomain, linked to msnmarthastewartsweeps.com through a CNAME record, inherits the latter's entire behavior, including its SPF policy: "v=spf1 include:harrisburgjetcenter.com include:greaterversatile.com -all." Notably, this SPF record's complexity, engineered with the "include:'' syntax, expands the IP list of approved senders using other domains' SPF records, resulting in a massive list of 17,826 IPs upon recursive querying, with 62.244.33.18 included.
This intricate SPF record, indicative of deliberate crafting, raises questions about ownership and motives. The Internet Archive Wayback Machine captured marthastewart.msn.com in 2001 when msnmarthastewartsweeps.com was briefly active before abandonment. Remarkably, the domain remained unclaimed for 21 years until September 2022, when it was privately registered with Namecheap. Now under the control of a specific actor, this domain manipulates DNS records, consequently controlling the MSN subdomain record. In effect, the actor can send emails to anyone, masquerading as if they originated from msn.com and its approved mailers.
How Guardio is Helping to Fight "SubdoMailing"
In response to this escalating threat, Guardio has stepped up its game. They've created a special "SubdoMailing" checker website, a digital detective if you will. This platform allows domain administrators and site owners to swiftly check if Guardio's vigilant systems found any traces of abuse. The goal? Quick fixes and fortified prevention. Interested in securing your digital turf? Check out the "SubdoMailing" checker website here. It can be your digital guardian against the unseen threats lurking in the web's shadows.
Google is also gearing up to roll out updates in Gmail, particularly for bulk email senders, aiming to boost spam protection and reinforce email security. The upcoming changes will introduce advanced spam filtering and offer users greater control over their email preferences.
It's crucial for others to join in and help combat the ongoing threat of email scams. Right now, there's a sneaky danger called 'SubdoMailing' that can go unnoticed.
There is a pressing need for concerted action to address the menace of not just Email 'SubdoMailing' scams but other similar threats as well. Greater initiatives are required to strengthen the overall resilience against email-based scams.
Comentários