Sophisticated Email Fraud Scheme ‘SubdoMailing’ Uncovered, Exploiting Major Brands
As recently reported by Bleeping Computer, a complex ad fraud operation known as ‘SubdoMailing’ has been found to abuse over 8,000 legitimate internet domains and 13,000 subdomains, sending out more than 5 million emails daily. The campaign pushes scams and malvertising, generating illegal profits by leveraging the trust associated with well-known companies. Researchers Nati Tal and Oleg Zaytsev from Guardio Labs, who brought this operation to light, reported that SubdoMailing has been active since 2022, circumventing traditional email spam filters and authentication measures so that its malicious emails present as credible communications.
The operation hijacks abandoned but still reputable domains and subdomains, using them to bypass security filters and exploit email authentication standards such as SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). This deception has ensnared victims across a spectrum of sectors, including major names like MSN, VMware, McAfee, The Economist, and even educational and government entities such as Cornell University and NYC.gov.
Guardio Labs’ investigation into this intricate scheme was sparked by anomalies in email metadata, which unveiled a vast network of commandeered subdomains. SubdoMailing cleverly mimics legitimate email interactions by abusing SPF, DKIM, and DMARC protocols—email security frameworks designed to confirm the sender’s authenticity and safeguard against spam.
The campaign employs two principal strategies for its deceptive operations: CNAME hijacking and SPF record exploitation. In the first, the fraudsters identify subdomains whose CNAME records point to unregistered domains and register those domains themselves, thereby taking control of the subdomain. In the second, they take control of abandoned external domains listed in the ‘include:’ mechanism of the target domains’ SPF records; because SPF evaluation follows each include, the mail servers they authorize at the hijacked domain become authorized senders for the trusted domain, so their emails appear to come from trustworthy sources.
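As an added illustration, not from Guardio Labs’ research or tooling, the following Python script shows the defender-side audit these two techniques call for: it walks a domain’s SPF ‘include:’ chain and its CNAME records and flags any target whose apex domain is no longer registered. The zone data and the set of registered domains are constructed stand-ins for real DNS and registry lookups.

```python
"""Audit a domain's SPF include: chain and CNAMEs for dangling targets (added example)."""
import re

# Constructed sample zone data, not real DNS: name -> list of TXT strings
SAMPLE_TXT = {
    "brand.example": ["v=spf1 include:_spf.mailer.example include:old-vendor.example -all"],
    "_spf.mailer.example": ["v=spf1 ip4:203.0.113.0/24 include:lapsed-esp.example ~all"],
}
# Constructed CNAME records: subdomain -> canonical name
SAMPLE_CNAME = {
    "promo.brand.example": "campaign.defunct-saas.example",
    "www.brand.example": "brand.example",
}
# Simulated registry: apex domains that currently exist. Anything else is treated
# as abandoned/unregistered, i.e. a name someone else could register.
REGISTERED = {"brand.example", "mailer.example"}

def apex_of(name):
    """Naive registrable-domain guess (last two labels); use the Public Suffix List in practice."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def lookup_spf(name, txt=SAMPLE_TXT):
    """Return the SPF TXT string for name, or None if absent."""
    return next((r for r in txt.get(name, []) if r.lower().startswith("v=spf1")), None)

def find_dangling_includes(domain, txt=SAMPLE_TXT, registered=REGISTERED, depth=0, seen=None):
    """Walk include:/redirect= targets depth-first; return targets whose apex is unregistered.
    Depth is capped at 10 (RFC 7208's DNS-lookup limit) and visited names are tracked
    so that circular includes terminate."""
    seen = set() if seen is None else seen
    findings = []
    if depth > 10 or domain in seen:
        return findings
    seen.add(domain)
    spf = lookup_spf(domain, txt)
    if spf is None:
        return findings
    for target in re.findall(r"(?:include:|redirect=)([\w.-]+)", spf, re.I):
        if apex_of(target) not in registered:
            findings.append(target)  # dangling include: remove it from the SPF record
        else:
            findings += find_dangling_includes(target, txt, registered, depth + 1, seen)
    return findings

def find_dangling_cnames(cname_map=SAMPLE_CNAME, registered=REGISTERED):
    """Return (subdomain, target) pairs whose CNAME target apex is unregistered."""
    return [(sub, tgt) for sub, tgt in cname_map.items() if apex_of(tgt) not in registered]

if __name__ == "__main__":
    print("dangling SPF includes:", find_dangling_includes("brand.example"))
    print("dangling CNAMEs:", find_dangling_cnames())
```

Against live infrastructure, replace the two sample dictionaries with TXT and CNAME lookups and the `REGISTERED` set with a registry (RDAP/WHOIS) check, and run the audit on a schedule, since a record that was safe last quarter can dangle the day a vendor lets its domain expire.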
Behind this elaborate fraud is a group dubbed ‘ResurrecAds,’ known for its methodical scanning of the internet for susceptible domains. This continuous effort to expand their network of hijacked domains and email servers allows them to maintain the operation’s extensive reach. Guardio Labs estimates the use of nearly 22,000 unique IP addresses, including residential proxies, to distribute these deceptive emails worldwide.
The discovery of SubdoMailing underscores the evolving sophistication of cyber threats and the importance of robust cybersecurity measures. To combat this and similar threats, Guardio Labs has introduced a SubdoMailing checker site, offering domain owners a resource to verify if their brands are being misused and to implement necessary protective or remedial actions. This case highlights the ongoing battle against cyber fraud and the critical need for vigilance among internet users and organizations alike.