By Nati Tal, Oleg Zaytsev (Guardio Labs)

Guardio Labs uncovers a sprawling campaign of subdomain hijacking, compromising already over 8,000 domains from esteemed brands and institutions, including MSN, VMware, McAfee, The Economist, Cornell University, CBS, Marvel, eBay and others. This malicious activity, dubbed “SubdoMailing”, leverages the trust associated with these domains to circulate spam and malicious phishing emails by the Millions each day, cunningly using their credibility and stolen resources to slip past security measures.

In our detailed analysis, we disclose how we detected this extensive subdomain hijacking effort, its mechanisms, its unprecedented scale and the main threat actor behind it. Furthermore, we developedthe “SubdoMailing” checker — a website designed to empower domain owners to reclaim control over their compromised assets and shield themselves against such pervasive threats. This report not only sheds light on the magnitude of the issue but also serves as a call to action for enhancing domain security against future exploits.

Thousands of Hijacked Domains — and Counting!

Over recent months, Guardio’s email protection systems have identified unusual patterns in email metadata, particularly concerning SMTP servers and their authentication as legitimate senders. This sparked an investigative journey for our research team, taking us through the inner workings of the SMTP protocol, Domain hunting, developing scanning tools for DNS records, and culminating in discovering a vast and unprecedented subdomain hijacking operation.

The uncovered operation involves the manipulation of thousands of hijacked sub-domains belonging to or affiliated with big brands. Complex DNS manipulations for these domains allowed the dispatch of vast quantities of spammy and just outright malicious emails, falsely authorized under the guise of internationally recognized brands:

At the time of writing, our investigation has unveiled over 8,000 domains that have fallen victim to this exploitation, with the number growing by the hundreds each day —all involved in Millions of malicious emails sent daily!

How a Clearly Scammy Email Passed Spam Filters

To start, let’s examine a telling example that encapsulates the entire scheme. We examine a particularly insidious email alerting of suspicious activity within a cloud storage account:

Interacting with any part of this email, cleverly crafted as an image to dodge text-based spam filters, triggers a series of click-redirects through different domains. These redirects check your device type and geographic location, leading to content tailored to maximize profit. This could be anything from an annoying ad or affiliate link to more deceptive tactics like quiz scams, phishing sites, or even a malware download aimed at swindling you out of your money more directly.

We’ve encountered similar schemes before, but there was something distinct about this one. Initially, the question arose: how did an email like this pass authentication and security checks with major email providers and land right into the “Primary” inbox of users?

A closer look at this sample’s headers, especially the Authentication-Results header revealed some intriguing insights:

dkim=pass @0091539714.2516999.2516999.healthylifes.uk.com" [email protected] header.s=selector1 header.b=YOsA3tIB;
spf=pass (google.com: domain of return_ulkvw@marthastewart.msn.com designates 62.244.33.18 as permitted sender);
dmarc=pass (p=QUARANTINE sp=NONE dis=NONE) header.from=uk.com

Note the SPF (Sender Policy Framework) Check — SPF prevents email spoofing by verifying the email-sending server’s IP addresses against the domain’s authorized senders list. This one checks OK, as well as other industry standards:

• DKIM — Successfully signing the authenticity of this email content with a cryptographic key provided by the sender at healthylifes.uk.com
• SMTP Server — that sent the email (62.244.33.18) is located in Kyiv.
• SPF — passes, with the domain marthastewart.msn.com designating the SMTP Server IP address as legit.
• DMARC — A domain-driven policy to enforce SPF and DKIM passes as well — following a policy of the top-level domain uk.com stating “sp=NONE” (meaning no policy for subdomains)

Hold on! What do Martha Stewart and Microsoft’s MSN have to do with authorizing this scammy email?!

Resurrecting 2001 Martha Stewart’s Sweepstakes

Here comes the interesting bit. The deceptive Cloud storage email originated from an SMTP server in Kyiv, yet it was flagged as being sent from [email protected]. On the surface, this might seem legitimate — similar to how businesses use mass mailing services to send emails on their behalf, which requires authorizing those services to use their names.

However, in this scenario, a subdomain of msn.com authorized the SMTP server at 62.244.33.18 to send emails, raising questions about the legitimacy of this approval process.

Could someone at MSN incorrectly type a wrong IP address in the SPF record, or perhaps a deliberate act of a malicious insider? A closer examination of the DNS record for marthastewart.msn.com offers some revealing insights.

marthastewart.msn.com. 3600 IN CNAME msnmarthastewartsweeps.com.

This subdomain is linked to another domain with that CNAME record. This means that the subdomain inherits the entire behavior of msnmarthastewartsweeps.com , including it’s SPF policy.

And so, examining msnmarthastewartsweeps.com will show us this SPF policy under one of its TXT records:

"v=spf1 include:harrisburgjetcenter.com include:greaterversatile.com -all"

The SPF record above is quite interesting, as it uses the include: syntax that allows expanding the IP list of approved senders using other domains’ SPF records — up to 10 recursive domain resolves that are allowed by the protocol. So happen to be, there are tons of IP addresses under those domains and exactly 10 more included domains. So, if we recursively query this SPF record, we end up with a massive list of 17826 IPs! And yes, 62.244.33.18 is indeed included:

This SPF record’s complexity and intricate design clearly indicate it was deliberately crafted by a party with a vested interest. But by who and why? Who owns this subdomain? Isn’t it Microsoft? Or… was it? Good thing we have that Internet Archive Wayback Machine to remind us:

This was 22 years ago (!) when msnmarthastewartsweeps.com was active for a short while and then abandoned. No one re-claimed this domain name again for 21 years! Until September 2022 when, suddenly, it was privately registered with Namecheap:

Now, the domain is owned by a specific actor that has control over its DNS records and, as a consequence, controls the MSN subdomain record as well! So, in this case, the actor can send emails to anyone they wish as if msn.com and their approved mailers sent those emails!

Classic Subdomain Hijacking Danger

This is a CLASSIC subdomain hijacking scheme. A campaigner constantly scans and enumerates domains for long-forgotten subdomains with tangling CNAME records of abandoned domains. Quickly register these domains again — and you have control!

Think about the dangers this simple hijack activity can call for. Here, SPF records were abused to send malicious emails. But why stop there? One can also create an SMTP server under this hijacked hostname and send the emails directly from this domain.

And why stop with emails? A reputable subdomain is such a valuable asset for hackers— think about a classic Microsoft login phishing page served under the MSN domain… “Priceless”….

Though we have no records of any of the “CNAME-hijacked” sub-domains being abused for malicious phishing page hosting… yet… this is possible with just a click of a button and raises great concerns!

SPF-Takeover — Another Tactic Uncovered

When we continued exploring more cases like this, we became quite horrified, to say the least. We found thousands of active cases like this with clear indications that this operation has been ongoing for at least two years!

CNAME-takeover is not the only type of abuse we’ve found sending those emails. Another interesting one is what we call SPF-Takeover.

SPF-Takeover — Similar to dangling CNAME records, we also see numerous cases in which the SPF record of a known domain holds abandoned domains of old email/marketing-related services that were probably dismissed or just gone out of business. Quickly grabbing ownership of those domains will allow the attacker to inject their IPs into that domain’s SPF records easily, and this time using the main domain name as the sender!

For example, let’s quickly analyze the DNS records of the well-known watch brand www.swatch.com that was also found to be compromised:

As of today, the TXT Record of this domain name holds this SPF configuration:

"v=spf1 mx a a:directtoaccess.com ip4:80.120.59.245 ip4:82.98.75.216 include:spf.swisscom.com include:spf.mail.netrics.ch ip4:195.78.51.100 ip4:109.74.206.22 ip4:46.254.32.37 ip6:2a01:7e00::f03c:91ff:fe84:6b60 a:production.eu01.swatch.demandware.net a:staging.eu01.swatch.demandware.net include:spf.recruitmail.com -all"

This is a long and complicated SPF record with both hardcoded IPs as well as other domains — all approved to send emails on behalf of swatch.com. We can see those included domains are originating from marketing and data services, and that’s for a reason — those will send emails in the name of swatch.com as part of their genuine functionality.

You need just one abandoned domain to hit the jackpot, and this one is directtoaccess.com. Note it is included under the prefix a: meaning all “A” DNS records of that domain (IP addresses of hosting servers) are allowed to send emails. So it won’t be a shock to see that this specific domain now holds way too many IP addresses in its A record — 81, to be exact. This is, of course, quite an abnormal behavior:

;QUESTION
directtoaccess.com. IN A
;ANSWER
directtoaccess.com. 3600 IN A 51.81.215.32
directtoaccess.com. 3600 IN A 51.81.215.33
directtoaccess.com. 3600 IN A 51.81.215.34
..
....
[76 More]
......
.........
directtoaccess.com. 3600 IN A 104.223.43.170
directtoaccess.com. 3600 IN A 104.223.43.171
;AUTHORITY
;ADDITIONAL

What is (or was…) directtoaccess.com anyways? Going back in time to 2006 reveals the true story:

This domain is a direct credit card service of some kind, long forgotten since 2006, when it was last active. But today, this domain is once again registered by Namecheap. Yes, Namecheap again.

From Subdomain Hijacking to Mass “SubdoMailing”

Given these discoveries, it became evident that we were observing a highly coordinated campaign rather than random acts of domain hijacking. This operation is meticulously designed to misuse these assets for distributing various malevolent “Advertisements,” aiming to generate as many clicks as possible for this “Ad network” clients.

This is not another mass mailing campaign; this is “SubdoMailing”!

Notably, the exploitation of CNAME and SPF-Based hijacking extends beyond mere SPF authentication. Once overtaken, these assets are leveraged in multiple facets, all converging towards the central objective of this campaign: to maximize email-oriented ad clicks.

• SPF Authentication — Injecting SPF-approved IP addresses of actor-owned SMTP servers.
• SMTP Servers — Hosting SMTP servers under the hijacked subdomain to send mass emails.
• Hosting Click-Redirection — Hosting redirectors and click-analysis links for the actual ads, including images and other assets for email content.
• “Unsubscribe” Pages — Due to regulations, those assets also host generic (probably haywire) unsubscribe pages to try and seem as legit as possible.
• From Address — in some cases, those emails are leveraged to be set as being sent from those hijacked domains! In many cases, they also abuse poor DMARC policies set on those domains as well.

“ResurrecAds” Threat Actor — Uncovered

Leveraging our comprehensive data, detection methods, and ongoing DNS and Whois scans, we’ve identified thousands of instances of “Subdomailing”, encompassing both CNAME and SPF-based tactics, from the last 60 days of activity. This extensive analysis revealed many spammy and malicious emails, ranging from counterfeit package delivery alerts to outright phishing for account credentials, some of which were even dispatched directly from the hijacked subdomains.

The evidence we’ve gathered points to the likelihood of a single main threat actor behind this extensive operation. This entity appears to be systematically scanning the internet for vulnerable domains, identifying opportunities, purchasing domains, securing hosts and IP addresses and then meticulously orchestrating the ongoing campaign of email dissemination. This involves a vast network of both hijacked and deliberately acquired domain and IP assets, indicating a high level of organization and technical sophistication in maintaining this broad scale of operations.

Here at Guardio, we’ve been closely monitoring a threat actor we call “ResurrecAds”, highlighting their covert motive to profit as an Ad-Network entity while employing the dark tactics described in this paper. Central to their operation is the strategy of reviving “dead” domains of or affiliated with big brands, using them as backdoors to exploit legitimate services and brands. This approach enables them to circumvent contemporary email protection measures, showcasing their adeptness at manipulating the digital advertising ecosystem for nefarious gains.

Armed with a vast collection of compromised reputable domains, servers, and IP addresses, this Ad-Network deftly navigates through the malicious email propagation process, seamlessly switching and hopping among its assets at will.

Tracking IOCs and Connecting Loose Ends

Some of the most common indications of compromise (IOCs) that tie different “SubdoMailing” cases to one another include visual references and the re-use of assets and concepts.

The most common are the templates used for generic landing pages and fake unsubscribe pages, which are usually hosted on the SMTP servers sending those emails. The text is always the same; only the design changes from time to time:

In most cases, those servers also share the same network fingerprint —with SMTP (25) and HTTP (80) ports open, yet also include a very specific port 3128 running the “Squid” HTTP Proxy. The last is probably used for remote management and quickly “mirroring” between different SMTP servers for central control. An example scan in Shodan for one of those IPs:

SubdoMailing — In Numbers

Upon unraveling this malicious scheme, the sheer scale of the operation became apparent. It extends far beyond the thousands of compromised domains and DNS records previously identified. “ResurrecAds” manages an extensive infrastructure encompassing a wide array of hosts, SMTP servers, IP addresses, and even private residential ISP connections, alongside many additional owned domain names.

We see a sophisticated distribution architecture that supports this vast network of servers and domain assets, designed carefully to disseminate millions of malicious emails daily, aimed at spam proliferation and of course, click monetization.

Diving into the numbers and aggregated data provides us with a clearer view of both the immense scale and the modus operandi of this threat actor:

Looking at the registration dates of compromised domains proves without a doubt that this operation has been ongoing since late 2022, at least. These registration dates are of the CNAME-linked or SPF-included dangling domains that were abandoned and then re-registered by this threat actor. Almost all are registered with a single domain registration service — Namecheap, known for being the house of many of the most scammy TLDs.

Note that the domain age is reset upon re-registration. Thus, this is the actual time when the original domain was compromised by this threat actor:

Delving into the exploitation of these compromised domains, we uncover the actor’s strategic “domain economy.” This approach maximizes resource utility while minimizing detection and depletion risks, allowing for their prolonged use. A prime domain in the control of this “Ad network” sees action briefly, typically for just 1–2 days, followed by significant intervals of inactivity. Meanwhile, the actor rotates through other assets. Below is a snapshot of how just ten such domains were sporadically activated over the last 60 days, illustrating their peak usage periods:

Similarly, SMTP servers are shuffled from one IP address to another, often resulting in a single hijacked sub-domain dispatching emails from multiple global locations within a single day. This tactic is crucial for the threat actor to avoid overexposing a specific IP address, ensuring the email distribution is spread out through various servers worldwide, thus maintaining the stealth and longevity of their operations:

Given these sophisticated tactics, we’re clearly facing a formidable operation characterized by significant expenditure and substantial revenue. Our investigation has yet to pinpoint the exact origin of this operation, but our efforts to uncover the source continue. What remains within our power and responsibility is to mount a defense and fight back — this time with your help!