eBay, VMware, McAfee Sites Hijacked in Sprawling Phishing Operation

Attackers have compromised more than 8,000 subdomains from well-known brands and institutions to mount a sprawling phishing campaign that sends malicious emails numbering in the millions each day.

MSN, VMware, McAfee, The Economist, Cornell University, CBS, Marvel, and eBay are among the entities caught up in "SubdoMailing" — named by researchers from Guardio Labs who discovered the campaign, which is at the heart of a larger cybercriminal undertaking and undermines the trust and credibility of the compromised organizations, they said.

"The uncovered operation involves the manipulation of thousands of hijacked sub-domains belonging to or affiliated with big brands," head of Guardio Labs-Cybersecurity Nati Tal and security researcher Oleg Zaytsev wrote in a post on the content-sharing platform Medium. "Complex DNS manipulations for these domains allowed the dispatch of vast quantities of spammy and just outright malicious emails, falsely authorized under the guise of internationally recognized brands."

The campaign is crafted in such a way that emails appear to come from trusted domains and bypass all the industry-standard email-security measures typically in place to block suspicious messages, including Sender Policy Framework (SPF), DKIM, SMTP Server, and DMARC, the researchers said.

Discovering the Hijacking Scheme

Guardio breaks down in detail in the post how it uncovered the operation after its email protection systems flagged an email for unusual patterns in email metadata. It sent the researchers down a rabbit hole that ultimately led to a long-defunct partnership between lifestyle guru Martha Stewart and MSN.com.

The example cited was "a particularly insidious email" alerting someone of purported suspicious activity within a cloud storage account that ended up in a user's "Primary" inbox when it should have been flagged as spam.

The email — created as an image to avoid text-based spam filters — triggers a series of click-redirects through different domains that is typical of phishing campaigns. The redirects in this case check a victim's device type and geographic location, and lead them to various content tailored to maximize profit, such as ads, affiliate links that lead to quiz cams, phishing sites, or even malware.

When following the trail of how the email slipped past security scanning and protections, the researchers found what they deemed a "classic subdomain hijacking scheme." While the email originated from 62.244.33.18, an SMTP server in Kyiv, it was flagged as being sent from [email protected].

This would on the surface seem legitimate, the researchers noted; however, in the scenario, a subdomain of msn.com authorized the SMTP server at 62.244.33.18 to send emails, which calls into question the legitimacy of this approval process, they said.

Upon closer examination of the DNS record for the subdomain marthastewart.msn.com, the researchers found it was linked to yet another domain with that CNAME record, msnmarthastewartsweeps.com. This means that that "the subdomain inherits the entire behavior of msnmarthastewartsweeps.com, including its SPF policy," according to the post.

Investigating further found that the SPF policy uses a syntax that allows expanding the IP list of approved senders using other domains' SPF records. When they recursively queried the SPF record, they found a list of 17,826 IPs, among them 62.244.33.18, basically allowing approval of all those addresses under the hijacked MSN.com subdomain. This ultimately allows emails sent from these domains to pass other protections as well, the researchers said.

Guardio eventually tracked the msnmarthastewartsweeps.com subdomain to a promotional sweepstakes campaign from 22 years ago. Though the domain was abandoned for 21 years, it was privately registered again with Namecheap in September 2022.

"Now, the domain is owned by a specific actor that has control over its DNS records and, as a consequence, controls the MSN subdomain record as well," the researchers wrote. "So, in this case, the actor can send emails to anyone they wish as if msn.com and their approved mailers sent those emails."

Single Threat Actor

Guardio attributes the extensive campaign to a threat actor tracked as "ResurrecAds," which employs the strategy of reviving "dead" domains of/or affiliated with big brands to use as backdoors to exploit legitimate services and brands toward the ultimate goal of profiting as an "Ad-Network" entity.

"This approach enables them to circumvent contemporary email protection measures, showcasing their adeptness at manipulating the digital advertising ecosystem for nefarious gains," the researchers wrote.

As part of their malicious activity, the actor continuously scans the Internet for forgotten subdomains of respectable brands to identify opportunities to purchase or compromise them for malicious email dissemination, according to Guardio.

In this mission, ResurrecAds has amassed "a vast network of both hijacked and deliberately acquired domain and IP assets, indicating a high level of organization and technical sophistication in maintaining this broad scale of operations," the researchers said.

Checking for Compromise

The campaign demonstrates the growing sophistication of malicious email campaigns, which have been around since nearly the inception of this form of digital communication but continue to evolve as security protections such as SPM, DKIM, and DMARC also evolve and are more widely applied by defenders.

"Our research has revealed that threat actors are not merely reacting to security measures; they’ve been proactively adapting and evolving for some time," the researchers wrote.

Because the operation is so rampant and still active, Guardio created a special website with a tool, SubdoMailing Checker, for checking whether a site's abandoned domain is being used in the operation.

The page is updated daily with the latest domains impacted by CNAME- and SPF-based hijacking, as detected by Guardio's systems, and gives organizations "all the details of known abuses, type of hijack, and relevant sub-domains and SPF records in need of attention," the researchers explained.