Guardio Labs came across a serious case of subdomain hijacking, affecting thousands of subdomains.
SubdoMailing can be considered an evolved form of social engineering attack that cashes in on the trust placed in well-recognized subdomains.
The attackers are operating this malicious campaign on a large scale, sending millions of phishing emails from the hijacked subdomains.
In subdomain hijacking, attackers take charge of a subdomain associated with a legitimate root domain, which then becomes a breeding ground for various malicious activities.
The hijacked subdomain can be used to launch phishing campaigns, circulate inappropriate content, sell illegal substances, or spread ransomware.
More often than not, inactive subdomains lie dormant for long periods of time.
What is even more dangerous, these subdomains often have dangling DNS records that pave the way for subdomain hijacking.
Whether you are an enterprise or a small business, failing to secure your subdomains can lead to incidents like SubdoMailing or other forms of subdomain abuse.
Emails originating from a compromised Cash App subdomain were circulated among millions of users.
Guardio explains that SubdoMailing uses highly sophisticated tactics to manipulate legitimate subdomains of such popular brand names.
Guardio found several phishing emails originating from a particular subdomain of msn.com.
On checking, it was found that a subdomain of msn.com had authorized the suspicious IP address.
Further examination of the SPF record for the msn.com subdomain took Guardio's experts down a rabbit hole of 17,826 nested IP addresses authorized to send email on behalf of the domain.
Investigations revealed that this MSN subdomain was pointing to another domain via a CNAME DNS record.
Once the attacker bought that other domain, they were able to hijack the MSN subdomain.
Guardio used internet archives to check whether the msn.com subdomain had in fact been used by MSN. It turned out the subdomain had been active 22 years ago.
A threat actor bought the domain that was linked to the subdomain.
In the case of SubdoMailing, the hijacked subdomain's SPF record referenced several abandoned domains.
By the nature of SPF policy, the subdomain ends up authorizing all of these attacker-controlled servers as legitimate email senders.
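To audit your own zones for the failure mode described above, here is an added example (not Guardio's tooling or code from the article) that expands an SPF include chain, counts the addresses it authorizes, and flags include targets or CNAME chains that no longer resolve. The FAKE_DNS table and every name in it are constructed assumptions standing in for a real resolver.

```python
import ipaddress

# Constructed in-memory stand-in for DNS (assumption: none of these are real records).
# Swap lookup() for a real resolver to scan your own zones.
FAKE_DNS = {
    "brand.example":      {"TXT": "v=spf1 include:mail.example include:old-vendor.example -all"},
    "mail.example":       {"TXT": "v=spf1 ip4:192.0.2.0/24 include:esp.example ~all"},
    "esp.example":        {"TXT": "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 -all"},
    "old-vendor.example": {"CNAME": "abandoned.example"},  # CNAME to a name that no longer exists
}

def lookup(name, rtype):
    """Return the record of type rtype for name, or None (NXDOMAIN / no data)."""
    return FAKE_DNS.get(name, {}).get(rtype)

def resolve_spf(name):
    """Chase CNAMEs to the SPF TXT record. Returns (record, dangling_reason)."""
    chain = []
    for _ in range(5):  # bounded CNAME chase
        if name not in FAKE_DNS:
            return None, "->".join(chain + [name]) + " does not resolve (NXDOMAIN)"
        cname = lookup(name, "CNAME")
        if cname is None:
            break
        chain.append(name)
        name = cname
    txt = lookup(name, "TXT")
    if txt is None or not txt.startswith("v=spf1"):
        return None, f"{name} has no SPF record"
    return txt, None

def walk_spf(domain, depth=0, seen=None, report=None):
    """Recursively expand include: terms, collecting authorized networks and dangling targets."""
    seen = seen if seen is not None else set()
    report = report if report is not None else {"ips": set(), "dangling": [], "lookups": 0}
    if domain in seen or depth > 10:  # loop / runaway-nesting guard
        return report
    seen.add(domain)
    record, reason = resolve_spf(domain)
    if reason:
        report["dangling"].append(reason)
        return report
    for term in record.split():
        term = term.lstrip("+-~?")  # drop the SPF qualifier
        if term.startswith(("ip4:", "ip6:")):
            report["ips"].add(str(ipaddress.ip_network(term[4:], strict=False)))
        elif term.startswith("include:"):
            report["lookups"] += 1  # RFC 7208 caps DNS-querying mechanisms at 10
            walk_spf(term[len("include:"):], depth + 1, seen, report)
    return report

def count_addresses(report):
    """Total number of addresses the expanded record authorizes to send mail."""
    return sum(ipaddress.ip_network(n).num_addresses for n in report["ips"])
```

Any entry in `dangling` is a name the record still trusts but nobody currently controls, which is exactly what should be removed before someone else registers it.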
Subdomains are autodetected on our platform, helping you keep a close eye on them.
Source: securityboulevard.com. Published: Mon, 18 Mar 2024 17:43:06 +0000