TEL AVIV – As part of a sophisticated scheme involving spam proliferation and click monetization, over 8,000 domains and 13,000 sub-domains once owned by major, legitimate brands and institutions have been hijacked to allow millions of spam emails to bypass standard security blocks for nefarious gain.
This coordinated malicious activity – dubbed “SubdoMailing” – has been going on since at least September 2022, according to Guardio Labs, the Israeli security company that has been researching it. The type of emails being delivered via SubdoMailing range from fake package delivery alerts to phishing for account credentials, among other harmful scams.
Guardio Labs security researchers Nati Tal and Oleg Zaytsev claim that a threat actor known as “ResurrecAds” is behind the recent issue, with the outlaw organization allegedly being responsible for hijacking dead or previously-used domains that were owned by – or had been affiliated with – major brands and using them in digital advertising schemes for illicit gains.
“ResurrecAds manages an extensive infrastructure encompassing a wide array of hosts, SMTP servers, IP addresses, and even private residential ISP connections, alongside many additional owned domain names,” Tal and Zaytsev said in their report.
The report notes that SubdoMailing “leverages the trust associated with these domains to circulate spam and malicious phishing emails by the millions each day, cunningly using their credibility and stolen resources to slip past security measures.”
The domains that have been compromised as a part of ResurrecAds’ spam email campaign include ones owned or affiliated with notable companies and organizations such as the ACLU, eBay, Lacoste, Marvel, McAfee, MSN, Pearson, PwC, Swatch, Symantec, The Economist, UNICEF, VMware, and countless others.
SubdoMailing is able to bypass many run-of-the-mill security blocks, with the body of the email taking the form of an image to hoodwink text-based spam filters; once the image is clicked, the victim finds themselves being redirected multiple times through various domains, the Guardio Labs report said.
“These redirects check your device type and geographic location, leading to content tailored to maximize profit,” it said. “This could be anything from an annoying ad or affiliate link to more deceptive tactics like quiz scams, phishing sites, or even a malware download aimed at swindling you out of your money more directly.”
In order to combat ResurrecAds’ campaign, Guardio Labs created a SubdoMailing Checker website, which visitors can utilize to see if particular domains have been hijacked or compromised.
About The Author: John Colascione is Chief Executive Officer of Internet Marketing Services Inc. He specializes in Website Monetization, is a Google AdWords Certified Professional, authored a ‘how to’ book called ”Mastering Your Website‘, and is a key player in several Internet related businesses through his search engine strategy brand Searchen Networks®
Leave a Reply