Home Email fraudsters deploy sophisticated tactics to dupe users

Email fraudsters deploy sophisticated tactics to dupe users

A sophisticated ad fraud campaign, dubbed “SubdoMailing,” has been exploiting over 8,000 legitimate internet domains and 13,000 subdomains to dispatch upwards of 5 million emails daily, engaging in scams and malvertising to generate illicit revenue, according to a recent report by Bleeping Computer.

Uncovered by Guardio Labs researchers Nati Tal and Oleg Zaytsev, the SubdoMailing operation has been active since 2022, leveraging the reputations of well-known companies by hijacking their abandoned subdomains and domains. This method effectively bypasses spam filters and exploits email authentication policies like SPF and DKIM, making these malicious emails appear legitimate.

Victims of this domain hijacking include high-profile entities such as MSN, VMware, McAfee, The Economist, Cornell University, CBS, NYC.gov, PWC, Pearson, Better Business Bureau, Unicef, ACLU, Symantec, Java.net, Marvel, and eBay. The fraudulent emails, under the guise of these reputable brands, evade security measures and direct users through a series of redirects. These actions not only generate ad revenue for the perpetrators but also lead unsuspecting users to fake giveaways, security scans, surveys, or affiliate scams.

The investigation into SubdoMailing began after Guardio Labs detected unusual email metadata patterns, revealing a comprehensive subdomain hijacking scheme. The campaign utilizes sophisticated tactics to mimic legitimate emails, including the abuse of SPF, DKIM, and DMARC protocols. These email security measures are designed to verify the sender’s legitimacy to email gateways, preventing the emails from being marked as spam.

SubdoMailing’s modus operandi involves two primary techniques: CNAME hijacking and exploitation of SPF records. In CNAME attacks, the threat actors identify subdomains with CNAME records pointing to unregistered external domains, which they then register themselves. Similarly, they exploit SPF records by taking over external domains referenced in the “include:” configuration option of target domains’ SPF records. This allows the attackers to authorize their malicious email servers under the guise of reputable domains.

Attributed to a threat actor named “ResurrecAds,” the campaign systematically scans the internet for vulnerable domains, continuously updating its network of hijacked domains, SMTP servers, and IP addresses to sustain its large-scale operations. Guardio Labs estimates that SubdoMailing uses nearly 22,000 unique IPs, including residential proxies, to spread fraudulent emails globally.

The sheer volume and complexity of this operation highlight the significant challenge it poses to internet security. Guardio Labs has responded by creating a SubdoMailing checker site, enabling domain owners to determine if their brand is being exploited and to take preventative or corrective actions.

About ReadWrite’s Editorial Process

The ReadWrite Editorial policy involves closely monitoring the tech industry for major developments, new product launches, AI breakthroughs, video game releases and other newsworthy events. Editors assign relevant stories to staff writers or freelance contributors with expertise in each particular topic area. Before publication, articles go through a rigorous round of editing for accuracy, clarity, and to ensure adherence to ReadWrite's style guidelines.

Maxwell Nelson
Tech Journalist

Maxwell Nelson, a seasoned journalist and content strategist, has contributed to industry-leading platforms, weaving complex narratives into insightful articles that resonate with a broad readership.

Get the biggest tech headlines of the day delivered to your inbox

    By signing up, you agree to our Terms and Privacy Policy. Unsubscribe anytime.

    Tech News

    Explore the latest in tech with our Tech News. We cut through the noise for concise, relevant updates, keeping you informed about the rapidly evolving tech landscape with curated content that separates signal from noise.

    In-Depth Tech Stories

    Explore tech impact in In-Depth Stories. Narrative data journalism offers comprehensive analyses, revealing stories behind data. Understand industry trends for a deeper perspective on tech's intricate relationships with society.

    Expert Reviews

    Empower decisions with Expert Reviews, merging industry expertise and insightful analysis. Delve into tech intricacies, get the best deals, and stay ahead with our trustworthy guide to navigating the ever-changing tech market.