Researchers have uncovered an operation that used more than 8,000 subdomains belonging to, or associated with, major brands to bypass the most common email security controls and send spam and malicious email in bulk.
A Feb. 26 blog post on Medium by Guardio Labs describes the activity, dubbed “SubdoMailing,” and says it affected well-known brands including MSN, VMware, McAfee, The Economist, Cornell University, CBS, Marvel, and eBay. The hijacked subdomains let the operators borrow the trust associated with those brands.
The researchers showed how a malicious email could be built as a single image to evade text-based spam filters. A click on it triggers a chain of redirects through multiple domains that check the device type and geolocation and then serve content tailored to maximize the operators' profit: anything from unsolicited ads and affiliate links to more deceptive lures such as quiz scams, phishing sites, and malware downloads designed to swindle money directly from victims.
“We clearly face a formidable business characterized by high expenditures and high revenues,” said Nati Tal, director of Guardio Labs.
Hijacking subdomains to boost a sending domain's reputation is one way criminals ensure their emails reach victims' inboxes, said Robert Duncan, vice president of product strategy at Netcraft; it is just a means to an end, he said.
Duncan said his team has also observed QR codes used to circumvent URL-based security controls, and abuse of legitimate email delivery services such as SendGrid, which was used in a recent campaign targeting SendGrid's own customers.
“In addition to the use of URL shorteners, redirectors that route requests differently for different visitors, and other cloaking techniques, these tricks are all part of the criminals’ fight to reach your inbox,” said Duncan. “Similarly, SPF, DKIM, and DMARC remain effective weapons in a defender's arsenal, with the ability to significantly improve an organization's email sending posture and protect its brand.”
Duncan explained that email was designed at a time when security was not a top priority. SPF, DKIM, and DMARC were layered on after the fact, and it shows, Duncan said: as this research demonstrates, they are difficult to deploy robustly and must be maintained with great care to avoid abuse by criminals.
“As Gmail and Yahoo tighten requirements for email senders, we're likely to see more and more ingenuity from criminals in exploiting vulnerable DMARC, SPF, and DKIM settings to continue sending malicious emails at scale,” Duncan said.
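The article does not say which SPF or DMARC settings the operators exploited, only that such records are hard to deploy robustly and must be maintained. The script below is an added example, not Guardio's or Netcraft's tooling, showing the kind of maintenance check a defender would run over their own mail domains. It walks an SPF include/redirect chain and flags the classes of weakness an auditor usually looks for (a permissive `+all`/`?all`, a missing terminal `all`, more than the ten DNS lookups RFC 7208 allows, over-broad `ip4` ranges, and an include that resolves to no record at all, which leaves whoever registers that name able to pass SPF for the parent), then checks that a DMARC record exists and enforces a policy. The `*.example` names and their TXT records are constructed inline so it runs offline; `lookup_txt()` is the one function to replace with a real resolver.

```python
"""Offline audit of SPF and DMARC records for common maintenance failures.

Added example for this article, not the tooling of any vendor quoted in it.
All DNS answers below are CONSTRUCTED (hypothetical *.example names); swap
lookup_txt() for a real TXT query to audit live domains.
"""
import ipaddress
from typing import Dict, List, Optional, Set

# Constructed TXT records standing in for DNS answers. None = nothing published.
FAKE_DNS: Dict[str, Optional[str]] = {
    "good.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_dmarc.good.example": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    # Still includes a vendor whose domain has lapsed: whoever registers it passes SPF.
    "sloppy.example": "v=spf1 include:_spf.mailer.example include:old-vendor.example ?all",
    "_dmarc.sloppy.example": "v=DMARC1; p=none; rua=mailto:dmarc@sloppy.example",
    "old-vendor.example": None,
    "loose.example": "v=spf1 +all",
    # Eleven includes: one over the RFC 7208 limit, so receivers return permerror.
    "bloated.example": "v=spf1 " + " ".join(f"include:svc{i}.example" for i in range(11)) + " -all",
}
FAKE_DNS.update({f"svc{i}.example": "v=spf1 ip4:203.0.113.0/24 -all" for i in range(11)})


def lookup_txt(name: str) -> Optional[str]:
    """Stand-in for a DNS TXT query; returns None when nothing is published."""
    return FAKE_DNS.get(name)


# Terms that each cost one DNS lookup under RFC 7208's limit of ten per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
BROAD_PREFIX = 16  # an ip4 range wider than a /16 is flagged as over-permissive


def audit_spf(domain: str, lookups: Optional[List[int]] = None,
              seen: Optional[Set[str]] = None) -> List[str]:
    """Walk the include/redirect chain and return findings (empty list = clean)."""
    lookups = [0] if lookups is None else lookups   # one counter shared by the whole chain
    seen = set() if seen is None else seen
    findings: List[str] = []
    if domain in seen:
        return [f"{domain}: referenced more than once in the chain (loop or duplicate)"]
    seen.add(domain)

    record = lookup_txt(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return [f"{domain}: no SPF record; a dangling include lets whoever registers "
                f"the name pass SPF for the parent domain"]

    has_redirect = saw_all = False
    for term in record.split()[1:]:
        qualifier = "+"                      # a bare mechanism means "+" (pass)
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        sep = ":" if ":" in term else "="    # mechanisms use ':', modifiers use '='
        name, _, arg = term.partition(sep)
        name = name.lower()

        if name in LOOKUP_TERMS:
            lookups[0] += 1
            if lookups[0] == MAX_LOOKUPS + 1:
                findings.append(f"{domain}: chain exceeds {MAX_LOOKUPS} DNS lookups; "
                                f"receivers return permerror (often treated as no SPF)")
        if name in ("include", "redirect"):
            has_redirect |= name == "redirect"
            findings.extend(audit_spf(arg, lookups, seen))
        elif name == "ip4":
            net = ipaddress.ip_network(arg, strict=False)
            if net.prefixlen < BROAD_PREFIX:
                findings.append(f"{domain}: ip4:{arg} authorizes {net.num_addresses} addresses")
        elif name == "all":
            saw_all = True
            if qualifier in "+?":
                findings.append(f"{domain}: '{qualifier}all' lets any host pass or go "
                                f"neutral; use -all or ~all")
    if not saw_all and not has_redirect:
        findings.append(f"{domain}: no terminal 'all' term (unmatched senders default to neutral)")
    return findings


def audit_dmarc(domain: str) -> List[str]:
    """Check that a DMARC record exists and actually enforces a policy."""
    record = lookup_txt(f"_dmarc.{domain}")
    if record is None or not record.upper().startswith("V=DMARC1"):
        return [f"{domain}: no DMARC record; SPF/DKIM failures carry no enforced policy"]
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("p", "none").strip().lower() == "none":
        return [f"{domain}: DMARC p=none only monitors; move to quarantine/reject once reports are clean"]
    return []


if __name__ == "__main__":
    for d in ("good.example", "sloppy.example", "loose.example", "bloated.example"):
        results = audit_spf(d) + audit_dmarc(d)
        for line in results or [f"{d}: OK"]:
            print(line)
```

Run against the constructed data, `good.example` comes back clean, `sloppy.example` is flagged for the lapsed `old-vendor.example` include and its `?all`, `loose.example` for `+all`, and `bloated.example` for blowing the lookup budget. The lookup counter is shared across the recursion because the ten-lookup limit applies to the whole evaluation, not to each record; a domain that is individually fine can still break the moment a vendor it includes adds more includes of its own, which is why this is a check to repeat, not run once.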
Patrick Harr, CEO of SlashNext, added that the industry has had a false sense of security around trusted domains, which have never been completely secure. Harr said his team has identified tens of thousands of malicious subdomains hiding within trusted domains, and that SlashNext's threat feed currently holds 149,345 live phishing URLs hosted on legitimate, trusted domains.
“Deploying DMARC, DKIM, and SPF is important, but they alone cannot detect these threats,” Harr said. “Incorporating AI technologies into the security stack, such as computer vision that can detect threats hidden on legitimate sites beyond domain reputation, is critical.”