Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Site Hack. Show all posts

eBay, VMware, and McAfee Taken Down in Widespread Phishing Operation


Hackers have taken control of over 8,000 subdomains belonging to reputable companies and organizations to launch a massive phishing campaign that sends millions of malicious emails every day.

Among the companies involved in "SubdoMailing" are MSN, VMware, McAfee, The Economist, Cornell University, CBS, Marvel, and eBay. The campaign, which is the center of a larger cybercrime operation and damages the credibility and trust of the compromised organizations, was identified by researchers from Guardio Labs. 

"The discovered operation entails the manipulation of thousands of hijacked sub-domains associated with or related to major brands," security researcher Oleg Zaytsev and CEO of Guardio Labs-Cybersecurity Nati Tal stated in a Medium article. "Complex DNS manipulations for these domains allowed the dispatch of vast quantities of spammy and just outright malicious emails, falsely authorized under the guise of internationally recognized brands."

According to the researchers, the effort is designed to evade all industry-standard email security mechanisms, such as Sender Policy Framework (SPF), DKIM, SMTP Server, and DMARC, that are normally in place to prevent suspicious messages. Instead, emails appear to originate from trustworthy sites.

Finding the Hijacking Scheme

In the post, Guardio provides a detailed explanation of how its email protection algorithms detected an unusual trend in an email's metadata, leading to the operation's discovery. It led the researchers down a rabbit hole that eventually resulted in the lifestyle expert Martha Stewart and MSN.com parting ways for a long time.

"A particularly insidious email" warning of allegedly suspicious activity in a cloud storage account ended up in a user's "Primary" inbox when it should have been reported as spam, according to the example given.

More about the threat actor

According to Guardio, the vast effort is the result of a threat actor known as "ResurrecAds," which uses the tactic of resurrecting "dead" domains of large brands or those connected to them to utilize them as backdoors to exploit reputable services and businesses to ultimately make money as an "Ad-Network" entity.

"This approach enables them to circumvent contemporary email protection measures, showcasing their adeptness at manipulating the digital advertising ecosystem for nefarious gains," the authors stated.

According to Guardio, the actor's malicious behavior involves them constantly searching the Internet for abandoned subdomains of reputable brands to find chances to buy them or compromise them to send malicious emails.

Looking for damage

The campaign highlights the increasing sophistication of hostile email operations, which have been around almost since the beginning of digital communication. However, they are still evolving as more defenders use security measures like SPM, DKIM, and DMARC.

"Our research has revealed that threat actors are not merely reacting to security measures; they’ve been proactively adapting and evolving for some time," the investigators stated.

Guardio developed a unique website with the tool SubdoMailing Checker to determine whether a site's abandoned domain is being used in the operation due to the operation's widespread and ongoing nature.