The SubdoMailing operators are constantly on the lookout for suitable expired corporate domains, and once they find some they re-register them \u2014 typically capturing several dozen legitimate domains daily. The record stands at 72 hijacked domains in a single day \u2014 back in June 2023.<\/p>\n
To avoid landing on spam lists, the attackers rotate them constantly. Each domain is used for spam distribution for 1\u20132 days before going dormant for an extended period while the spammers switch to the next. After a couple of days, this one too is temporarily retired, and another takes its place.<\/p>\n
Hijacking domains with a custom CNAME<\/h2>\n
\nSo, how exactly do threat actors go about exploiting hijacked domains? One method involves targeting domains with a custom canonical name (CNAME) record. A CNAME is a type of DNS record used to redirect one domain name to another.<\/p>\n
The simplest example of a CNAME record is the \u201cwww\u201d subdomain, which usually redirects to the main domain, like this:<\/p>\n
- \n
company.com \u2192 company.com<\/code><\/li>\n<\/ul>\nHowever, more complex scenarios exist where a CNAME record redirects a subdomain to a completely separate domain. For example, this could be a promotional website hosted on a different domain but integrated into the company\u2019s overall web resource structure with a CNAME record.<\/p>\n
- \n
company.com \u2192 company2020promo.com<\/code><\/li>\n<\/ul>\nLarge companies with extensive web resources may have multiple CNAME records and corresponding domains. The problem is that administrators cannot always keep track of is all. As such, a situation can arise where a domain has expired but its CNAME record lives on. These are the kind of domains that the cybercriminals behind the SubdoMailing campaign are eager to harvest.<\/p>\n
They hunt for abandoned domains that still have active CNAME records referencing the large companies that once owned them. Let\u2019s take
company2020promo.com<\/code> from our example. Say the company abandoned this domain after a promotional campaign several years ago, but the administrators forgot to remove the CNAME record. This allows threat actors to register the domain to themselves and automatically gain control over thepromo.company.com<\/code> subdomain.<\/p>\nThat done, they gain the ability to authorize mail servers located at IP addresses they own to send emails from the
promo.company.com<\/code> subdomain \u2014 effectively inheriting the reputation of the primary domain,company.com<\/code>.<\/p>\nExploiting SPF records<\/h2>\n
\nThe second tactic employed by the SubdoMailing attackers involves exploiting SPF records. SPF (Sender Policy Framework \u2014 an extension of the SMTP protocol) records list the IP addresses and domains authorized to send emails from a particular domain.<\/p>\n
Again, it\u2019s perfectly normal for large organizations to include a multitude of addresses and domains in this list for various purposes. This may include external domains that either do not belong to the company at all, or are used for some specific purpose: temporary projects, mass mailing tools, user survey platforms, and the like. Similar to the CNAME scenario, it may happen that the domain registration has expired, but someone forgot to remove the said domain from the SPF record.<\/p>\n
Domains like these are also prized by threat actors. For our example
company.com<\/code>, let\u2019s say the SPF record also includes some external domain likecustomersurveytool.com<\/code>, belonging to a user-survey service.<\/p>\nNow, imagine this service no longer exists, the domain registration has expired, and the administrators forgot to update the SPF record. By registering the abandoned
customersurveytool.com<\/code> domain, attackers gain the ability to send emails not just from the subdomain, but from the company\u2019s primary domain,company.com<\/code>.<\/p>\nExamples of domain hijacking in the SubdoMailing campaign<\/h2>\n
\nHow such problems can arise can be illustrated by the case<\/a> of
msnmarthastewartsweeps.com<\/code>. The Microsoft Network (MSN) portal once collaborated with celebrity chef Martha Stewart<\/a> on a project promoting MSN Messenger (remember that?) through prize giveaways. The project\u2019s website used the subdomainmarthastewart.msn.com<\/code>, which redirected to the external domainmsnmarthastewartsweeps.com<\/code> through a CNAME record.<\/p>\n![\"Screenshot](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2024\/04\/27003638\/domain-hijacking-subdomailing-3.png\")
<\/a>Here\u2019s what marthastewart.msn.com looked like when it was live. Source<\/a><\/p><\/div>\n
As you might guess, the
msnmarthastewartsweeps.com<\/code> domain registration eventually expired, but the MSN administrators failed to remove the corresponding CNAME record. In 2022, attackers discovered this domain, registered it, and gained the ability to send emails frommarthastewart.msn.com<\/code>, leveraging the reputation of none other than the Microsoft Network for their own purposes.<\/p>\nHow to guard against SubdoMailing<\/h2>\n
\nTo prevent domain hijacking and spamming in your company\u2019s name, we recommend the following:\n<\/p>\n