Email icons over phone showing ad fraud and domain security

Massive Ad Fraud Campaign Sends Millions of Spam Emails from Thousands of Hijacked Reputable Domains

A massive ad fraud campaign leverages thousands of hijacked legitimate domains and subdomains to send millions of spam emails daily and generate revenue for threat actors.

Dubbed “SubdoMailing,” the “highly coordinated” campaign distributes malevolent adverts to earn fraudulent clicks for “Ad network” clients.

Active since September 2022, the campaign involves hijacking no-longer-registered or abandoned domains and subdomains belonging to reputable brands to send spam from attacker-controlled infrastructure.

Guardio Labs learned of the malicious email campaign after detecting “unusual patterns in email metadata, particularly concerning SMTP servers and their authentication as legitimate senders.”

SubdoMailing ad fraud campaign rakes in substantial revenue

The threat actor sends malicious emails with embedded links past spam filters into victims’ primary inboxes. When clicked, the malicious links redirect the victims through different domains, generating ad views and earning revenue for the threat actors.

The redirection mechanisms also check geographic location information and device types to deliver tailored content and maximize ad profit.

The attackers also attempt to increase their earnings by monetizing the traffic through affiliate links or simply defrauding the victims through online scams and malware-based financial account takeovers.

“This could be anything from an annoying ad or affiliate link to more deceptive tactics like quiz scams, phishing sites, or even a malware download aimed at swindling you out of your money more directly,” the researchers said.

Guardio Labs researchers did not quantify the threat actor’s revenue from the extensive ad fraud campaign. However, they noted that the ad fraud campaign was characterized by “significant expenditure and substantial revenue.”

Ad fraud leverages abandoned domains and subdomains

The researchers discovered complex DNS record manipulation, allowing threat actors to disseminate spam under false authorization by reputable brands through domain and subdomain hijacking. The process usually occurs through CNAME hijacking and SPF (Sender Policy Framework) takeover.

In classic CNAME hijacking, the attackers search for a subdomain with a dangling CNAME record pointing to a no-longer-registered domain and register that domain with Namecheap.

“Almost all are registered with a single domain registration service — Namecheap, known for being the house of many of the most scammy TLDs,” the researchers stated.

In one case, threat actors registered a domain abandoned over 22 years ago whose CNAME records still pointed to an inactive MSN subdomain to send spam from msn.com from a Kyiv, Ukraine-based IP address.

Although “CNAME-hijacked” domains could host phishing pages, the researchers have not observed threat actors exploiting that possibility.

In an SPF takeover attack, the threat actor searches for a domain with an SPF record with the “include:” option pointing to an external domain that is no longer registered.

According to the researchers, the “include:” syntax “allows expanding the IP list of approved senders using other domains’ SPF records — up to 10 recursive domain resolves that are allowed by the protocol.”

Again, they register the domain, allowing them to send spam emails seemingly authorized by the targeted reputable domain. The threat actor can also create an SMTP server and send malicious or spam emails directly from their infrastructure.

In another case, threat actors sent spam emails from a famous watch brand’s domain, www.swatch[.]com, by injecting their IP into the domain’s SPF records.
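The SPF takeover described above hinges on an `include:` target nobody currently holds. As an added defensive example (not code from Guardio Labs or any of the brands named), the script below walks a domain’s SPF `include:`/`redirect=` chain against constructed zone data, flags dangling targets, and counts DNS-querying terms against the protocol’s limit of 10; the `*.example` names and the `lookup_txt` stand-in are assumptions, and a real audit would replace `lookup_txt` with an actual TXT query.

```python
"""Audit an SPF record for dangling include: targets (constructed data)."""

LOOKUP_LIMIT = 10  # SPF allows at most 10 DNS-querying terms per check

# Constructed zone data standing in for DNS TXT lookups; not real records.
# None models a name that is no longer registered (NXDOMAIN).
CONSTRUCTED_TXT = {
    "brand.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example "
                     "include:old-vendor.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailer2.example ~all",
    "_spf.mailer2.example": "v=spf1 ip4:198.51.100.64/26 -all",
    "old-vendor.example": None,  # lapsed: whoever registers it controls this include
}


def lookup_txt(domain):
    """Stand-in for a DNS TXT query; returns the SPF string or None."""
    return CONSTRUCTED_TXT.get(domain)


def audit_spf(domain, lookup=lookup_txt):
    """Walk include:/redirect= chains; report dangling targets and lookup count."""
    report = {"dangling": [], "lookups": 0, "chain": []}
    seen = set()

    def walk(name):
        if name in seen:  # guard against include loops
            return
        seen.add(name)
        record = lookup(name)
        if record is None:
            report["dangling"].append(name)
            return
        report["chain"].append(name)
        for term in record.split():
            mech = term.lstrip("+-~?").lower()
            if mech.startswith("include:"):
                report["lookups"] += 1
                walk(mech.split(":", 1)[1])
            elif mech.startswith("redirect="):
                report["lookups"] += 1
                walk(mech.split("=", 1)[1])
            elif mech.split(":")[0] in ("a", "mx", "ptr", "exists"):
                report["lookups"] += 1  # costs a lookup but names no SPF record

    walk(domain)
    report["over_limit"] = report["lookups"] > LOOKUP_LIMIT
    return report


if __name__ == "__main__":
    print(audit_spf("brand.example"))
```

Any name in `dangling` is the gap the article describes: registering it lets an outsider publish an SPF record that the brand’s own policy then vouches for.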

Additionally, the threat actors take advantage of DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting, and Conformance (DMARC), instructing secure email gateways that the messages are legitimate and not spam.

Guardio researchers also found threat actors bypassing URL-based security controls using QR codes, crafting emails as images to evade text-based filters, or leveraging reputable email delivery services like SendGrid.

They attributed the ad fraud campaign to a threat actor called ResurrecAds, known for reviving dead domains and maintaining an extensive infrastructure of domains, hosts, SMTP servers, IP addresses, and private residential ISP connections.

“This entity appears to be systematically scanning the internet for vulnerable domains, identifying opportunities, purchasing domains, securing hosts and IP addresses, and then meticulously orchestrating the ongoing campaign of email dissemination.”

Reputable brands impacted by the ad fraud campaign include ACLU, Cornell University, McAfee, Symantec, VMware, Java.net, NYC.gov, MSN, The Economist, CBS, Better Business Bureau, PWC, Pearson, Unicef, eBay, and Marvel.

“Continuous, proactive monitoring of an organization’s digital footprint, coupled with rigorous inspection of security controls, is paramount in identifying and mitigating potential vulnerabilities before they can be exploited,” recommended Rahul Powar, CEO at Red Sift.

The scope of the SubdoMailing ad fraud campaign

The ad fraud campaign involves 21,911 unique IP addresses, a thousand of which are ISP residential lines or proxies. The IP addresses host an extensive network of SMTP servers, sending over 5 million malicious email messages daily via 8,000 hijacked domains and 13,000 subdomains.

With over 100 domains being hijacked daily, Guardio Labs researchers warned that the campaign could be more extensive than anticipated.

“Upon unraveling this malicious scheme, the sheer scale of the operation became apparent. It extends far beyond the thousands of compromised domains and DNS records previously identified.”

Meanwhile, Guardio Labs has launched a SubdoMailing checker site to assist organizations in detecting if their domains have been hijacked to send malicious emails.