Guardio Labs has uncovered a sophisticated spam and click monetization scheme named SubdoMailing, which has compromised over 8,000 domains and 13,000 subdomains belonging to reputable brands and institutions. This coordinated effort, orchestrated by the threat actor ResurrecAds, has been ongoing since at least September 2022. The campaign utilizes trusted domain names to disseminate millions of spam and phishing emails daily, evading traditional security measures with deceptive tactics.
The malicious actors behind SubdoMailing manipulate abandoned subdomains with dangling CNAME records of defunct domains, systematically registering and taking control of them. By exploiting legitimate domain associations, they bypass email authentication methods like SPF, DKIM, and DMARC, allowing them to send emails undetected. Additionally, the campaign employs redirection techniques and tailored content to maximize clicks and profit for their ad network clients.
Guardio Labs has provided insight into the mechanics of the operation, emphasizing its meticulous design to misuse compromised assets for malicious advertisement distribution. Despite the sophistication of the scheme, there is currently no evidence to suggest that hijacked subdomains have been used for phishing activities. Guardio has taken steps to combat the threat by offering a SubdoMailing Checker tool, enabling domain administrators to detect signs of compromise and dismantle the infrastructure behind this nefarious campaign.
Reference:
