February 26, 2024 at 11:01AM
A massive ad fraud campaign, dubbed “SubdoMailing,” uses over 8,000 legitimate internet domains and 13,000 subdomains to send up to five million scam and malvertising emails a day. Because the mail is sent from subdomains of trusted companies, it inherits their reputation and bypasses spam filters. Brands whose domains have been abused include MSN, VMware, eBay, McAfee, and The Economist. Clicking the buttons embedded in the emails takes the recipient through a chain of redirects that generates revenue for the operators through fraudulent ad views.
Guardio Labs discovered and named the campaign and attributes it to a threat actor it calls “ResurrecAds.” The operation is globally distributed and constantly refreshes a vast network of hijacked and acquired domains, SMTP servers, and nearly 22,000 unique IP addresses to maintain its scale. Guardio Labs has published a “SubdoMailing” checker site so that domain owners can find out whether their brand is being abused and take action.
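Guardio's report attributes the subdomain hijacks to abandoned external domains that brands' own DNS still references, either as CNAME targets or through SPF include: entries, which the actor re-registers and then sends from. That mechanism is not described on this page, so the script below takes it as its premise. It is an added example, not Guardio's checker or any code from the report, and runs against a constructed DNS snapshot with hypothetical names (example.com, old-agency-example.net, mailer-example.com, lapsed-vendor-example.org) and a constructed set of "registered" domains standing in for a WHOIS/RDAP lookup. It flags CNAME records pointing at unregistered domains and walks the SPF include: chain for includes that are unregistered or have no SPF record, which is the same exposure the checker site is meant to surface.

```python
"""Offline audit for the two DNS records that let a stranger send mail as a brand:
a subdomain whose CNAME points at a domain nobody owns any more, and an SPF policy
whose include: chain pulls in such a domain. All inputs below are constructed."""

from __future__ import annotations
import re

# Constructed DNS snapshot for a hypothetical brand: name -> list of (type, value).
ZONE = {
    "promo.example.com": [("CNAME", "campaign.old-agency-example.net.")],
    "www.example.com": [("A", "203.0.113.10")],
    "example.com": [("TXT", "v=spf1 include:_spf.mailer-example.com "
                             "include:spf.lapsed-vendor-example.org -all")],
    "_spf.mailer-example.com": [("TXT", "v=spf1 ip4:198.51.100.0/24 "
                                         "include:spf.lapsed-vendor-example.org ~all")],
}

# Constructed stand-in for a registry lookup: registrable domains that currently exist.
REGISTERED = {"example.com", "mailer-example.com"}


def registrable(name: str) -> str:
    """Crude registrable-domain extraction (last two labels).
    Production code should use the Public Suffix List instead."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def dangling_cnames(zone: dict, registered: set) -> list[tuple[str, str]]:
    """Return (subdomain, target) pairs whose CNAME target belongs to an unregistered domain.
    Anyone who registers that target controls what the brand's subdomain resolves to."""
    out = []
    for name, records in zone.items():
        for rtype, value in records:
            if rtype == "CNAME" and registrable(value) not in registered:
                out.append((name, value.rstrip(".")))
    return out


def spf_record(zone: dict, name: str) -> str | None:
    """First TXT record at `name` that starts with v=spf1, or None."""
    for rtype, value in zone.get(name, []):
        if rtype == "TXT" and value.startswith("v=spf1"):
            return value
    return None


INCLUDE_RE = re.compile(r"\binclude:(\S+)")


def risky_spf_includes(zone: dict, registered: set, domain: str,
                       _seen: set | None = None, _depth: int = 0) -> list[tuple[str, str, str]]:
    """Walk the include: chain (bounded at 10 levels, the RFC 7208 lookup limit) and
    report (policy_owner, included_domain, reason) for includes that are unregistered
    or carry no SPF record. An unregistered include lets whoever registers it publish
    an SPF policy that authorises their own senders for the brand's domain."""
    seen = _seen if _seen is not None else set()
    findings: list[tuple[str, str, str]] = []
    if _depth > 10 or domain in seen:
        return findings
    seen.add(domain)
    record = spf_record(zone, domain)
    if record is None:
        return findings
    for inc in INCLUDE_RE.findall(record):
        if registrable(inc) not in registered:
            findings.append((domain, inc, "unregistered"))
        elif spf_record(zone, inc) is None:
            findings.append((domain, inc, "no SPF record"))
        else:
            findings.extend(risky_spf_includes(zone, registered, inc, seen, _depth + 1))
    return findings


if __name__ == "__main__":
    for sub, target in dangling_cnames(ZONE, REGISTERED):
        print(f"dangling CNAME: {sub} -> {target}")
    for owner, inc, why in risky_spf_includes(ZONE, REGISTERED, "example.com"):
        print(f"risky SPF include in {owner}: include:{inc} ({why})")
```

To run this against a real zone, replace ZONE with the output of a zone transfer or a resolver walk and REGISTERED with live RDAP results; the logic is the same. The include walk deliberately follows transitive includes, because in the snapshot above the brand's own policy looks clean only until the vendor's policy it includes is inspected.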