Researchers at Guardio Labs have discovered that a group of spammers is using long-forgotten subdomains from established brands like MSN, eBay, CBS, and Marvel to send out malicious emails. The emails can bypass spam checks and to recipients they look like they come from a legitimate source.
A subdomain is a named sub-division of domain name. For example
my.malwarebytes.com and
www.malwarebytes.com are both subdomains of the
malwarebytes.com domain.
Companies use subdomains for all kinds of purposes, from differentiating marketing campaigns to naming different online systems.
It’s also common practice for companies to create CNAME (Canonical Name) DNS records that alias a subdomain to another domain or subdomain.
For example, the subdomain my.malwarebytes.com is
an easy to read alias for a CloudFront server called
d1ok04i2z9vvoy.cloudfront.net.
When companies use these techniques and don’t clean up their records after they’re done, criminals can take advantage.
The researchers provide the example of
marthastewart.msn.com, which was an alias for the
msnmarthastewartsweeps.com domain.
At some point, MSN no longer needed the
msnmarthastewartsweeps.com domain and stopped paying
for it, but did not remove the CNAME record that alised
marthastewart.msn.com to it.
Criminals discovered the link between the two and bought the
msnmarthastewartsweeps.com domain.
This is bad, as the researchers explain:
This means that the subdomain inherits the entire behavior of
msnmarthastewartsweeps.com, including it’s SPF policy.
The Sender Policy Framework (SPF) is an anti-spam DNS record that sets out what domains and IP addresses can send email for a particular domain.
By registering the old and forgotten alias
msnmarthastewartsweeps.com, the criminals were able to
add their own IP addresses to the SPF record, allowing them to send
spam from marthastewart.msn.com that passes SPF
checks.
Guardio Labs warns that SPF also offers criminals another way to
gain control. SPF’s include: syntax can include a list
of other domain names that are allowed to send emails on behalf of
a domain. If any of the included domains are abandoned, criminals
can buy them up and send email on behalf of the parent domain.
Once the researchers knew what they were looking for they identified thousands of instances of so-called “subdomailing”, encompassing both CNAME and SPF-based tactics and going back at least two years.
The sheer number of hijacked subdomains and available IP addresses is big enough for the criminals to cycle through them to minimize detection and depletion of their “assets.”
As an organization it is important to regularly check your domains for signs of compromise and better manage your online assets—starting with removing unused subdomains and DNS records.
Guardio Labs has created a special subdomailing checker website, allowing domain administrators and site owners to quickly check if any trace of abuse has been found. The researchers note that the checker queries a database with the latest domains impacted by CNAME and SPF-based hijacking. So, a positive result does not mean you are safe, just that you haven’t been hijacked yet.
Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.
