“SubdoMailing”: Major Brands Hacked in Phishing Attack

In a large phishing operation dubbed “SubdoMailing,” uncovered by researchers at Guardio Labs, attackers compromised over 8,000 subdomains belonging to well-known brands and institutions, including eBay, VMware, McAfee, The Economist, Cornell University, CBS and Marvel. According to the researchers, the operation is part of a broader campaign by a single threat group that undermines the trust and credibility of the affected organizations.

The SubdoMailing operation lets the attackers send millions of malicious emails a day that appear to originate from trusted domains, bypassing all standard email security measures such as SPF, DKIM, SMTP Server, and DMARC. The campaign relies on careful manipulation of the DNS records of the captured domains, which allows spam and malicious mail to be sent in the name of internationally recognized brands.

The scheme came to light when Guardio’s email protection systems flagged unusual patterns in the metadata of an email tied to a long-defunct partnership between American television host Martha Stewart and MSN.com. Careful investigation revealed a classic subdomain takeover, in which emails sent from certain IP addresses were wrongly accepted by security systems as legitimate.

Guardio traced the subdomain “msnmarthastewartsweeps.com” back to a promotional campaign run 22 years ago; the domain was re-registered through the registrar Namecheap in September 2022. It is now controlled by an attacker who can send emails on behalf of msn.com.

The group, which Guardio tracks under the name “ResurrecAds,” resurrects “dead” domains associated with major brands and uses them as backdoors for exploiting legitimate services and brands for profit. It is well organized and technically sophisticated, continually scanning the internet for forgotten subdomains of respected brands that it can buy or compromise.

Given the growing complexity of fraudulent email operations, Guardio Labs has also set up a dedicated website with a SubdoMailing Checker tool that shows whether a domain's abandoned subdomains are being used in this operation. The tool gives organizations details of known abuses, the type of capture, the affected subdomains, and the SPF records that need attention.
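As an added illustration (not Guardio's checker or any code from its research), the two DNS conditions behind a capture like the one described above, a subdomain whose CNAME points at a domain whose registration has lapsed, and an SPF record that still authorizes such a domain, can be audited from a zone's records. The zone table, names and records below are constructed stand-ins for live DNS lookups so the check runs offline.

```python
import re

# Constructed in-memory zone standing in for live DNS (hypothetical names, not
# real records). A name missing from the table means NXDOMAIN: a domain nobody
# currently holds, which anyone could register and thereby take control of.
ZONE = {
    "promo.example.com": {"CNAME": "old-sweeps-campaign.example"},
    "example.com": {"TXT": "v=spf1 include:_spf.mailer.example "
                           "include:retired-vendor.example -all"},
    "_spf.mailer.example": {"TXT": "v=spf1 ip4:192.0.2.0/24 -all"},
}

def lookup(name, rtype):
    """Return the record value, or None if the name or record type is absent."""
    return ZONE.get(name, {}).get(rtype)

def dangling_cname(name, max_hops=8):
    """Follow the CNAME chain from name; return the first target that no longer exists."""
    seen = set()
    while name not in seen and len(seen) < max_hops:
        seen.add(name)
        if name not in ZONE:
            return name          # chain ends at an unregistered domain
        target = lookup(name, "CNAME")
        if target is None:
            return None          # chain ends at a real, registered host
        name = target
    return None                  # loop or too many hops: nothing dangling found

def stale_spf_includes(domain, seen=None):
    """Return include:/redirect= targets in domain's SPF chain that no longer resolve."""
    seen = set() if seen is None else seen
    if domain in seen:           # guard against include: loops
        return []
    seen.add(domain)
    txt = lookup(domain, "TXT") or ""
    if not txt.startswith("v=spf1"):
        return []
    stale = []
    for target in re.findall(r"(?:include:|redirect=)(\S+)", txt):
        if target not in ZONE:
            stale.append(target)  # whoever registers this is authorized to send
        else:
            stale.extend(stale_spf_includes(target, seen))
    return stale
```

A finding from either function means mail for that name can be sent, or authorized, by whoever registers the lapsed domain, which is the condition to remove before the domain is picked up.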