Over 8,000 subdomains of trusted brands hijacked due to massive spam activity

Massive Spam Operation

More than 8,000 subdomains belonging to legitimate brands and institutions have been hijacked as part of a sophisticated distribution architecture to spread spam and monetize clicks.

Guardio Labs has been tracking the coordinated malicious activity, which has been going on since September 2022, under the name SubdoMailing. The emails range from “alerts about the delivery of counterfeit packages to outright phishing for account information.”

The Israeli security company attributed the campaign to a threat actor it names Revival Adsknown to revive dead domains owned or affiliated with major brands, putting an end to the manipulation of the digital advertising ecosystem for nefarious profits.

“’ResurrecAds’ manages an extensive infrastructure that includes a wide range of hosts, SMTP servers, IP addresses and even private residential ISP connections, in addition to many additional domain names,” said security researchers Nati Tal and Oleg Zaytsev said in a report shared with The Hacker News.

In particular, the campaign “leverages the trust associated with these domains to distribute millions of spam and malicious phishing emails every day, cunningly leveraging their credibility and stolen resources to bypass security measures .”

These subdomains are owned or affiliated with major brands and organizations such as ACLU, eBay, Lacoste, Marvel, McAfee, MSN, Pearson, PwC, Symantec, The Economist, UNICEF, and VMware, among others.

The campaign stands out for its ability to bypass standard security blocks, where the entire body is conceived as an image to bypass text-based spam filters, where clicking initiates a series of redirects through different domains.


“These redirects check your device type and geographic location, leading to content tailored to maximize profits,” the researchers explain.

“This could be anything from an annoying advert or affiliate link to more deceptive tactics such as quiz scams, phishing sites or even a malware download aimed at ripping you out of your money in a more direct way.”

Massive spam operation

Another crucial aspect of these emails is that they can also bypass the Sender Policy Framework (SPF), an email authentication method designed to prevent spoofing by ensuring that a mail server is authorized to send email for a particular domain.

It’s not just SPF, the emails also pass through DomainKeys Identified Mail (DKIM) and domain-based message authentication, reporting and compliance (DMARC) checks that help prevent messages from being marked as spam.

Massive spam operation

In an example of a misleading cloud storage warning email highlighted by Guardio, the message came from an SMTP server in Kiev, but was marked as sent from Re**********@ma***********.com.

Further examination of the DNS record for marthastewart.msn.com revealed that the subdomain is linked to another domain (msnmarthastewartsweeps[.]com) with that CNAME record, an aliasing technique previously deployed by advertising technology companies to circumvent the blocking of third-party cookies.

“This means that the subdomain inherits the full behavior of msnmarthastewartsweeps[.]com, including its SPF policy,” the researchers said. “In this case, the actor can send emails to anyone he wants, as if he were MSN[.]com and their approved mailers sent these emails!”

Massive spam operation

It’s worth pointing out that both domains were legitimate and short-term active sometime in 2001, before being left in an abandoned state for 21 years. It wasn’t until September 2022 that msnmarthastewartsweeps started[.]com was privately registered with Namecheap.

In other cases, the hijacking scheme involves the threat actors continuously searching for long-forgotten subdomains with dangling CNAME records from abandoned domains and then registering them to take control of these domains.


CNAME takeover can also have serious consequences when such reputed subdomains are seized to host fake phishing landing pages designed to collect users’ credentials. That said, there is no evidence that any of the hijacked subdomains were used for this purpose.

Guardio said it also found cases where the DNS SPF record of a well-known domain contains abandoned domains associated with defunct email or marketing-related services, allowing attackers to take ownership of such domains, inject their own IP addresses into the record, and ultimately send emails on behalf the main domain name.

In an effort to counter the threat and dismantle the infrastructure, Guardio has a SubdoMailingcontrola website that allows domain administrators and site owners to look for signs of compromise.

“This operation is carefully designed to misuse these resources to distribute various malicious ‘Ads’, with the goal of generating as many clicks as possible for these ‘ad network’ customers,” the researchers said.

“Armed with a massive collection of compromised reputable domains, servers and IP addresses, this ad network deftly navigates the malicious email distribution process, seamlessly switching and jumping between its assets at will.”

#subdomains #trusted #brands #hijacked #due #massive #spam #activity

Notify of
Inline Feedbacks
View all comments
Previous Post
New IDAT Loader attacks using steganography to implement Remcos RAT

New IDAT Loader attacks using steganography to implement Remcos RAT

Next Post
AI Accidents

Three tips to protect your secrets from AI mishaps

Related Posts