February 26, 2024 at 09:15AM
Over 8,000 subdomains of reputable brands and institutions have been illicitly commandeered as part of a spam and click monetization system known as SubdoMailing. The ResurrecAds threat actor is responsible for this intricate campaign, using the hijacked domains to distribute phishing emails and circumvent security measures. Guardio Labs is actively tracking and addressing this threat.
A significant number of subdomains belonging to well-known brands and institutions have been hijacked as part of a sophisticated architecture for spam proliferation and click monetization. The activity, tracked as SubdoMailing, has been ongoing since at least September 2022 and is attributed to a threat actor named ResurrecAds.
The campaign abuses the trust associated with these domains to circulate spam and malicious phishing emails that slip past standard security blocks. The emails are built as images to evade text-based spam filters and bypass email authentication checks, including SPF, DKIM, and DMARC.
The emails rely on deceptive lures such as quiz scams, phishing sites, and malware downloads aimed at swindling recipients. The threat actors also continuously scan for long-forgotten subdomains whose CNAME records still point to abandoned domains (dangling CNAMEs) and hijack them, potentially to host bogus phishing landing pages.
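The dangling-CNAME condition described above is something a domain owner can audit in their own zones. The checker below is an added illustration, not Guardio's SubdoMailing Checker or any code from the campaign report; it follows each subdomain's CNAME chain and flags those whose final target sits under a registrable domain that no longer exists. The zone data and the "alive apex" set are constructed so the example runs offline; in practice the two lookup callables would be backed by real DNS and RDAP/WHOIS queries.

```python
"""Flag subdomains whose CNAME chain ends at a domain that no longer exists."""
from typing import Callable, Dict, Iterable, Optional

# Constructed snapshot of a brand's zone: alias -> CNAME target.
# A real audit would pull these from the authoritative nameservers.
SAMPLE_CNAMES: Dict[str, str] = {
    "promo.example-brand.test": "cdn.old-agency-partner.test",   # partner domain lapsed
    "legacy.example-brand.test": "app.hosting-x.test",            # still registered
    "alias.example-brand.test": "legacy.example-brand.test",      # two-hop chain, healthy
}
# Constructed set of registrable domains that still resolve / are registered.
SAMPLE_ALIVE_APEXES = {"example-brand.test", "hosting-x.test"}


def registrable_domain(name: str) -> str:
    # Assumption: a two-label apex. Production code must consult the
    # Public Suffix List so names like host.example.co.uk are split correctly.
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def resolve_cname(name: str) -> Optional[str]:
    """Stand-in for a DNS CNAME lookup; returns None when the name has no CNAME."""
    return SAMPLE_CNAMES.get(name)


def apex_exists(apex: str) -> bool:
    """Stand-in for an RDAP/WHOIS or SOA check on the registrable domain."""
    return apex in SAMPLE_ALIVE_APEXES


def find_dangling(subdomains: Iterable[str],
                  cname_of: Callable[[str], Optional[str]],
                  apex_alive: Callable[[str], bool],
                  max_hops: int = 8) -> Dict[str, str]:
    """Return {subdomain: final_cname_target} for every alias whose chain ends
    under a registrable domain that is gone (a takeover candidate)."""
    dangling: Dict[str, str] = {}
    for sub in subdomains:
        target = cname_of(sub)
        if target is None:
            continue  # not an alias; out of scope for this check
        seen = {sub}
        name = sub
        # Follow the chain, stopping on loops or excessive length.
        while target is not None and target not in seen and len(seen) < max_hops:
            seen.add(target)
            name = target
            target = cname_of(name)
        if not apex_alive(registrable_domain(name)):
            dangling[sub] = name
    return dangling


if __name__ == "__main__":
    for sub, tgt in find_dangling(SAMPLE_CNAMES, resolve_cname, apex_exists).items():
        print(f"DANGLING: {sub} -> {tgt} (apex {registrable_domain(tgt)} not found)")
```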
To combat this threat, Guardio has developed a SubdoMailing Checker, a tool that enables domain administrators and site owners to look for signs of compromise in an effort to dismantle the infrastructure of this malicious ad network.
This threat poses a significant risk to the reputation and security of the affected brands and organizations.