Guardio Uncovers Large-Scale "SubdoMailing" Campaign Abusing Well-known Brands (MSN, VMware, McAfee, etc.) (labs.guard.io)
from Squire1039@lemm.ee to technology@lemmy.world on 27 Feb 2024 03:18
https://lemm.ee/post/25013325

Researchers at Guardio Labs discovered a vast campaign hijacking thousands of subdomains belonging to well-known brands (MSN, VMware, McAfee, The Economist, Cornell University, CBS, Marvel, eBay, etc.).

The attackers use these compromised subdomains to send millions of spammy and malicious emails daily, bypassing security measures by leveraging the trust associated with the hijacked brands.

Here’s how it works:

The campaign is alarming for several reasons:

#technology


lemmyvore@feddit.nl on 27 Feb 2024 04:24

There’s nothing “complex” about any of this… they just go looking for subdomains that were CNAME’d once upon a time to domains which are now abandoned (eg. marthastewart.msn.com -> msnmarthastewartsweeps.com). So they register the domain, set its DNS records, and then can verify SMTP as the subdomain as well.

There’s no DNS vulnerability or anything, just large organizations with subdomains slipping through the cracks. It will take a while to be resolved too because we’re probably talking hundreds of records in each case that need to be checked manually.

wizardbeard@lemmy.dbzer0.com on 27 Feb 2024 05:01

need to be checked manually

You’re joking if you think that this couldn’t be scripted to a significant degree.

CNAMEs, where whatever it resolves to is an external site, where the external does not respond to ping or where the external site’s WHOIS/ICANN records were updated or created in the last year. Filter out records that match known partners/vendors.

Adjust specifics as makes sense and you cut the problem space significantly. The final steps will still need human verification, but there’s no need for this to be manual checks of literal hundreds of records.
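The scripted triage sketched in the comment above, as an added example that is not from the thread or from Guardio: it takes a zone export of CNAME records, skips targets inside the org's own apex and targets at known vendors, and puts external targets that no longer resolve at the top of the human-review list. The org name, the zone export, the resolver stand-in and the vendor list are all constructed sample data; the ping and WHOIS-date checks from the comment are left out.

```python
"""Triage of CNAME records for dangling targets (constructed sample data)."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed zone export for a hypothetical org: subdomain -> CNAME target.
SAMPLE_CNAMES: Dict[str, str] = {
    "www.example.com": "edge.example.com",                # internal target, skipped
    "blog.example.com": "example.wordpress.com",          # known vendor, skipped
    "promo.example.com": "promo-example.vendor-cdn.net",  # external, still resolves
    "sweeps.example.com": "examplesweeps.com",            # external, no longer resolves
}

# Constructed stand-in for a resolver; a missing key simulates NXDOMAIN.
SAMPLE_DNS: Dict[str, str] = {
    "edge.example.com": "203.0.113.20",
    "example.wordpress.com": "192.0.2.5",
    "promo-example.vendor-cdn.net": "203.0.113.10",
}

KNOWN_VENDORS = {"wordpress.com"}  # registrable parents the org has a contract with


@dataclass
class Finding:
    subdomain: str
    target: str
    status: str  # "unresolved": check first; "external": still needs review


def registrable_parent(name: str) -> str:
    """Last two labels of a name. Simplified: real code should use the public suffix list."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def is_internal(target: str, apex: str) -> bool:
    return target == apex or target.endswith("." + apex)


def triage_cnames(cnames, apex, known_vendors, resolve) -> List[Finding]:
    """Return external CNAME targets, unresolvable ones first, for human follow-up."""
    findings = []
    for subdomain, target in cnames.items():
        if is_internal(target, apex) or registrable_parent(target) in known_vendors:
            continue
        status = "unresolved" if resolve(target) is None else "external"
        findings.append(Finding(subdomain, target, status))
    return sorted(findings, key=lambda f: (f.status != "unresolved", f.subdomain))


if __name__ == "__main__":
    for f in triage_cnames(SAMPLE_CNAMES, "example.com", KNOWN_VENDORS, SAMPLE_DNS.get):
        print(f"{f.status:10} {f.subdomain} -> {f.target}")
```

Against a real zone, `resolve` would wrap a DNS lookup and the "unresolved" rows are the ones to verify against contracts before anything is removed.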

lemmyvore@feddit.nl on 27 Feb 2024 05:28

That’s cute.

  • Assuming all DNS records are in one place.
  • “External site” means nothing.
  • Ping response means nothing.
  • Register date means nothing.
  • Known partners/vendors takes time.

In a large organization it will take months to track down all this stuff to make sure a subdomain should or should not be there, pointing at a domain that should or should not be there.

Nobody will risk taking anything down with multi-million dollar advertising campaigns potentially riding on each one. If you’re not familiar with how these campaigns work, they work like hot shit: they pay everything in advance and then put together all the technical details. Sometimes literally the night before the campaign is supposed to begin.

So what you see now in DNS may be obsolete, or it may be valid, or it may be from an upcoming campaign. Gotta dig through contracts and crawl the corporate structure to figure it out.

Also, there’s no big enough incentive to fix this. Spam for third parties? Eh, fuck 'em. Until it grows into something bad enough for the FBI to get involved they won’t care.

BearOfaTime@lemm.ee on 27 Feb 2024 14:44

Nobody will risk taking anything down

Anyone who hasn’t worked in enterprise simply doesn’t understand this aversion to risk. Above all else, don’t break something.

Too many techies think “well, then we’ll fix it”. Umm, no.

FunkPhenomenon@lemmy.zip on 27 Feb 2024 06:08

if you open the email in your spam folder and click on the links contained therein, you can’t blame anyone other than yourself for what happens next