What just happened? A cybersecurity agency has outlined a coordinated malicious operation that seized control of over 8,000 domains and 13,000 subdomains belonging to legitimate companies and institutions. The compromised network subsequently disseminated large volumes of spam and malicious emails, successfully bypassing the security filters used by major webmail providers.
According to Guardio Labs, some well-known brands and institutions, including MSN, VMware, McAfee, The Economist, Cornell University, CBS, Marvel, Swatch, Symantec, ACLU, PWC, Better Business Bureau, Unicef, and eBay, among others, had their websites hijacked in the attack. Dubbed “SubdoMailing,” the operation required significant investments and reportedly generated “substantial revenue” for the threat actors.
Guardio Labs researchers Nati Tal and Oleg Zaytsev revealed that the malicious emails contained embedded buttons concealing malicious links. Clicking on these buttons led users through a series of redirections on different domains, allowing the attackers to generate revenue through “malvertising,” or fraudulent ads.
“These redirects check your device type and geographic location, leading to content tailored to maximize profit,” the researchers said. Not every redirect ended at a fraudulent ad view, however: some of the links sent users to phishing sites, and in some cases the destination downloaded malware aimed at swindling users out of their money.
The campaign has reportedly been operational since at least 2022 and took advantage of SPF and DKIM email policies to push millions of phishing emails past secure email gateways each day. The attackers also designed entire emails as images to evade text-based spam filters. The fact that they originated from trusted domains also helped bypass detection.
The researchers believe that the attacks were carried out by a malicious ad network called “ResurrecAds” that employs “dark tactics” to generate revenue. One of those tactics is to resurrect dead domains associated with large brands and use them as backdoors to exploit legitimate services and brands.
To help domain administrators and site owners check their websites for any traces of abuse, Guardio created a SubdoMailing checker tool. With this tool, administrators can obtain relevant information on how to fix the problem if their domains have been compromised and prevent such attacks in the future.
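As an added illustration (not Guardio's checker and not code from this article), assuming the abuse pattern is an SPF record that still references a domain which has since expired, the following audit walks a domain's SPF include: chain against a constructed DNS snapshot and flags any referenced name that no longer resolves, since whoever re-registers that name inherits the brand's sending authority:

```python
import re

# Constructed DNS snapshot standing in for live TXT lookups (assumption:
# a resolver that returns TXT records, or None when the name does not exist).
FAKE_DNS = {
    "brand.example": ["v=spf1 include:mail.brand.example include:old-partner.example -all"],
    "mail.brand.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "old-partner.example": None,  # expired: re-registering it revives this trust
    "spf.loop.example": ["v=spf1 include:spf.loop.example ~all"],
}

# Matches include:/redirect= mechanisms, with an optional qualifier prefix.
_REF = re.compile(r"^[+\-~?]?(include|redirect)[:=](.+)$", re.I)


def spf_record(domain, dns=FAKE_DNS):
    """Return the domain's v=spf1 TXT record, "" if it has none, None if NXDOMAIN."""
    txts = dns.get(domain)
    if txts is None:
        return None
    for txt in txts:
        if txt.lower().startswith("v=spf1"):
            return txt
    return ""


def audit_spf(domain, dns=FAKE_DNS, seen=None):
    """Walk the include:/redirect= chain and return (domain, problem) findings.

    A referenced domain that no longer resolves is a dangling trust anchor:
    the SPF policy keeps authorising mail from it after it changes hands.
    Macros such as %{d} are not expanded here (out of scope for this check).
    """
    seen = set() if seen is None else seen
    if domain in seen:          # loop guard: a self-including record terminates
        return []
    seen.add(domain)
    record = spf_record(domain, dns)
    if record is None:
        return [(domain, "referenced domain does not resolve (dangling)")]
    if record == "":
        return [(domain, "referenced domain has no SPF record")]
    findings = []
    for mechanism in record.split()[1:]:
        match = _REF.match(mechanism)
        if match:
            findings += audit_spf(match.group(2).lower(), dns, seen)
    return findings


if __name__ == "__main__":
    for finding in audit_spf("brand.example"):
        print("%s: %s" % finding)
```

Running it against a real zone means swapping the snapshot for a live TXT resolver; the finding to act on is any include target you no longer own or that no longer exists.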