Researchers at Guardio Labs discovered a vast campaign hijacking thousands of subdomains belonging to well-known brands (MSN, VMware, McAfee, The Economist, Cornell University, CBS, Marvel, eBay, etc.).
The attackers use these compromised subdomains to send millions of spammy and malicious emails daily, bypassing security measures by leveraging the trust associated with the hijacked brands.
Here’s how it works:
- Attackers hijack subdomains of established brands through various methods like complex DNS manipulation and exploiting abandoned domains.
- They manipulate the hijacked subdomains’ SPF records to make emails appear as if they originated from the legitimate brands.
- These emails often contain deceptive content like fake cloud storage warnings, phishing attempts, or misleading advertisements.
The campaign is alarming for several reasons:
- The scale: Over 8,000 domains have been compromised, and the number is growing.
- The potential harm: Millions of spam and malicious emails are being sent daily.
That’s cute.
In a large organization it will take months to track down all this stuff to make sure a subdomain should or should not be there, pointing at a domain that should or should not be there.
Nobody will risk taking anything down with multi-million dollar advertising campaigns potentially riding on each one. If you’re not familiar with how these campaigns work, they work like hot shit: they pay everything in advance and then put together all the technical details. Sometimes literally the night before the campaign is supposed to begin.
So what you see now in DNS may be obsolete, or it may be valid, or it may be from an upcoming campaign. Gotta dig through contracts and crawl the corporate structure to figure it out.
Also, there’s no big enough incentive to fix this. Spam for third parties? Eh, fuck 'em. Until it grows into something bad enough for the FBI to get involved they won’t care.
Anyone who hasn’t worked in enterprise simply doesn’t understand this aversion to risk. Above all else, don’t break something.
Too many techies think “well, then we’ll fix it”. Umm, no.