Decoding the tricks: An analysis of poisoned domains in the SubdoMailing Attack

At Red Sift, we have been paying close attention to SubdoMailing – a domain takeover attack first discovered in February of 2024. Malicious actors exploited poorly maintained DNS records to send fraudulent emails impersonating legitimate brands. 

We identified affected organizations in our customer base and resolved the issue for all impacted users within 72 hours. 

The attack was widely reported to have been carried out by a single group of Israeli hackers sending spam that drove readers to fake websites used to generate ad revenue. Since February we have been conducting our own analyses of the attack and believe that multiple groups are using SubdoMailing to send fraudulent mail on behalf of legitimate brands.

Let’s dive into the research.

Patterns in Domain Names

By analyzing various signals, we compiled an extensive dataset of poisoned domains – domains included in the DNS of legitimate brands and exploited by malicious actors. This article presents our findings from a comprehensive analysis of a sample of 6,225 domains, 4,527 of which are still active. For each active domain we collected the list of IP ranges in its SPF record, including IPs recursively retrieved from `include` statements.

These poisoned domains were registered recently. The attackers use different strategies for naming them. We highlight the following 4 strategies and list a few examples that we discovered in our analysis.

1. Impersonation: Mimicking Popular Brands and Services

In this strategy, bad actors rely on typo-squatting. They registered domains that resemble popular brands or services and that could have been mistyped into an organization’s DNS – thus giving them the ability to send mail on the organization’s behalf. While the list is extensive, here are a handful of examples we discovered.

Big brands

  • Google
    • ghs.gglehosted.com
    • ghs.googlehoste.com
    • ghs.google-hosted.com
    • ghs.google hosted.co
  • Microsoft
    • clientconfig.microsofonline-p.net
    • clientconfig.microsoftoneline-p.net
    • clientconfig.microsoftonlie-p.net
  • Amazon
    • amazoses.com
    • amasonses.com
    • amazanpro.in
  • Marketo: 97 domains with the following format
    • mkto-ab010016.com
    • mkto-ab020157.com
    • mkto-ab030101.com
  • Shopify
    • xmyshopify.com
    • shopsmyshopify.com

Email/Internet-related brands

  • HubSpot
    • hubspotemails.net
    • 26282125hubspotemail.net
  • Mailjet
    • spfmailjet.com
    • spf-mailjet.com
  • Barracuda Networks
    • barracudaneworks.com
  • SendGrid
    • sendgrd.net
    • sengdrid.net
    • sengride.net
  • Squarespace
    • squaresspace.info
    • sqaurespace-mail.com

General internet services

  • Nameserver
    • onestopsocial.media.atnameserver.icu
    • luxuryvilla.ru.atnameserver.icu
  • Register servers
    • registar-servers.com
    • registrat-servers.com
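The defender-side counterpart of this strategy is to audit one's own SPF record for include targets that sit one or two edits away from a provider host the domain is actually meant to delegate to. The following is an added example (not Red Sift's tooling); the known-good list is an assumption drawn from common providers, and the sample record is constructed from look-alikes listed above.

```python
from typing import List, Tuple

# Assumed known-good include targets for a few common providers; extend this with
# the hosts your domain is actually meant to delegate to.
KNOWN_GOOD = ["ghs.googlehosted.com", "clientconfig.microsoftonline-p.net",
              "sendgrid.net", "_spf.google.com"]

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def include_targets(record: str) -> List[str]:
    """Hostnames named by include: mechanisms, qualifier and trailing dot stripped."""
    out = []
    for term in record.split():
        term = term.lstrip("+-~?")
        if term.startswith("include:"):
            out.append(term[len("include:"):].lower().rstrip("."))
    return out

def lookalike_includes(record: str, known_good=KNOWN_GOOD,
                       max_dist: int = 2) -> List[Tuple[str, str, int]]:
    """Return (include_host, known_good_host, distance) for every include target
    that is close to, but not identical to, a known-good host."""
    flagged = []
    for host in include_targets(record):
        if host in known_good:
            continue
        for good in known_good:
            dist = levenshtein(host, good)
            if dist <= max_dist:
                flagged.append((host, good, dist))
                break
    return flagged

# Constructed record mixing the real provider host with three look-alikes from the
# list above and one unrelated host.
SAMPLE = ("v=spf1 include:ghs.googlehosted.com include:ghs.googlehoste.com "
          "include:clientconfig.microsofonline-p.net include:sendgrd.net "
          "include:mail.example.test -all")
```

Run `lookalike_includes` over the TXT record you actually publish; anything it flags deserves a manual check against the provider's documented SPF host.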

2. Word Combinations: Generating Domains from English Terms

In this strategy, a domain name is a concatenation of a few English words. The number of words varies between 2 and 4. If words are randomly selected from a dictionary, it’s unlikely that they will make sense when put together. In our analysis, we found that while 2-word domains may sound odd, most 3-4 word domains do make sense.

  • ailplug.com, chancecolon.com, woundfraction.com
  • bestdinnerideas.com, connectviaweb.com, fastcashloans.me
  • air-conditioner-with-heater.com, simplythebestevent.co.uk, workfromhomedigital.com

3. Word Mutations: Altering Uncommon English Words

The process starts with a base word, then adds, removes or substitutes one or two letters to create a typo version, increasing the chance of successful domain registration. Some observations:

  • Most domain names are around 10 characters long, plus or minus 2.
  • The words are often rare or drawn from scientific fields such as medicine.

Examples:

  • chromatop (chromatope), despoliat (despoilate), hypnophob (hypnophobia)
  • mancipator (emancipator), ntecedency (antecedency), riminogenic (criminogenic)
  • pelalagrin (pelaggrin), demaguogies (demagogues), mainvbstream (mainstream)

4. Subtle Patterns: Generating Semi-Random Domain Names

A large number of domains do not look completely random, but the patterns are subtle.

Examples:

  • Including numbers: 139come.com, 1paket.net, 20xx.gg
  • Abbreviation: mailsvrc3.com, mccsv.net, mfka.at
  • Non-English: benghalensis.com, juani.me, luezhaoxun.com

Discussion

We made two notable observations.

In an SPF lookup tree, a leaf node is a domain that specifies IPs explicitly in its SPF record, whereas an intermediate node is a domain that uses the include mechanism. The majority (56/59) of domains listed as examples of Strategy 1 (popular brands and services) are intermediate nodes. These intermediate nodes include other domains that seem to be generated using word combinations (Strategy 2) or less obvious patterns (Strategy 4). Below are the SPF trees for ghs.google-hosted.com and clientconfig.microsoftonline-p.net. All the nodes on the right side of the figures are leaf nodes with explicit IP mechanisms in their records.

The second observation concerns domains generated through the mutation of English words (Strategy 3).

  • All these domains are leaf nodes.
  • They are not included in any other domains and exist as flat structures.
  • The SPF records for these domains typically contain a very small number of IP addresses compared to other domains. Usually, they include up to 8 IP addresses, with a few exceptions that have 256 IP addresses (one /24 subnet).

The most important takeaway: These domains are substantially different from the others in multiple ways so it’s likely that they belong to a separate group of attackers.

Exploring Shared IP Addresses

In our analysis of 4,527 active domains, we identified only 938 unique SPF records. This indicates that many domains either share identical SPF records or have significant overlap in IP addresses. Our goal is to further investigate and map out the IP address sharing patterns in our collected data.

Extracting IP Addresses from SPF Records

To extract IPs from SPF records, we followed these steps:

  • For records containing explicit IPs, the process is straightforward (e.g., v=spf1 ip4:1.2.3.4/30).
  • For records using the include mechanism, we recursively resolved the included domains to gather all associated IPs (e.g., v=spf1 include:domain1.com include:domain2.com).
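The two steps above, together with the leaf/intermediate distinction from the Discussion, as an added example (not Red Sift's code). DNS is replaced by a constructed in-memory lookup of hypothetical .test records so it runs offline; the walker expands ip4/ip6 CIDRs, follows include: chains and refuses to loop on a record that includes itself.

```python
import ipaddress
import re
from typing import Callable, Dict, Optional, Set

# Constructed, offline stand-in for DNS TXT lookups. All names are hypothetical
# .test domains shaped like the trees described: brand -> intermediate -> leaves.
FAKE_DNS: Dict[str, str] = {
    "brand.test": "v=spf1 include:ghs.google-hosted.test include:mutatedword.test -all",
    "ghs.google-hosted.test": "v=spf1 include:leaf-one.test include:leaf-two.test -all",
    "leaf-one.test": "v=spf1 ip4:203.0.113.0/28 ip4:198.51.100.10 -all",
    "leaf-two.test": "v=spf1 ip4:203.0.113.0/26 -all",
    "mutatedword.test": "v=spf1 ip4:192.0.2.7 ip4:192.0.2.8 -all",
}

# Optional qualifier (+ - ~ ?) followed by the mechanisms this walker handles.
TERM_RE = re.compile(r"^[+\-~?]?(include|ip4|ip6):(.+)$")


def classify(record: str) -> str:
    """'intermediate' if the record delegates via include:, else 'leaf'."""
    return "intermediate" if "include:" in record else "leaf"


def resolve_spf(domain: str, lookup: Callable[[str], Optional[str]] = FAKE_DNS.get,
                depth: int = 0, seen: Optional[Set[str]] = None) -> Set[str]:
    """Collect every IP authorised by `domain`, expanding CIDR ranges and
    following include: chains recursively. Cycles and chains deeper than 10
    hops are cut off so a poisoned record cannot loop the resolver."""
    seen = set() if seen is None else seen
    if domain in seen or depth > 10:
        return set()
    seen.add(domain)
    ips: Set[str] = set()
    for term in (lookup(domain) or "").split()[1:]:   # skip the v=spf1 tag
        m = TERM_RE.match(term)
        if not m:
            continue        # a, mx, -all and friends are out of scope here
        mech, arg = m.groups()
        if mech == "include":
            ips |= resolve_spf(arg, lookup, depth + 1, seen)
        else:
            # strict=False tolerates host bits set in a sloppy CIDR
            ips.update(str(a) for a in ipaddress.ip_network(arg, strict=False))
    return ips
```

Swapping `lookup` for a real TXT query (for example via dnspython) turns this into the collector used for the analysis below; the overlap between leaf-one and leaf-two is deduplicated because the result is a set.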

Visualizing the Domain Network

From there, we are able to build a network of domains where a node is a domain or group of domains that have the same SPF record. Two nodes have a connection if they share some IPs.

  • Node size represents the number of domains sharing the same SPF record. The largest group in our dataset includes 399 domains with the SPF record v=spf1 include:countrymessage.com include:whenstocks.com -all.
  • Edge size indicates the number of IPs shared between two domain groups.
  • Node color represents clusters where nodes within the same cluster have stronger connections compared to nodes in other clusters. Details on clustering are provided later.

Simplifying the Network for Clarity

To enhance clarity and focus on significant connections, we apply several operations:

  • Merging overlapping domains: Domains with highly overlapping IP addresses are merged.
  • Visualizing the largest component: Most domains are interconnected through various hops. We display only the largest connected component.
  • Filtering weak connections: Edges representing fewer than 128 shared IPs are removed, highlighting the ‘strong’ network.
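The node/edge construction and the 128-shared-IP filter, as an added example (not Red Sift's code). The resolved IP sets are constructed directly for hypothetical .test domains rather than fetched; three domains share one record and so collapse into a single node, and the two-IP "mutated word" domain falls out of the strong network exactly as the text describes.

```python
import ipaddress
from itertools import combinations

def cidr_ips(*cidrs: str) -> frozenset:
    """Expand CIDR blocks into the set of individual addresses."""
    return frozenset(str(a) for c in cidrs for a in ipaddress.ip_network(c))

# Constructed sample (hypothetical .test names): the SPF record each domain
# publishes, and the IPs each distinct record resolves to after following includes.
REC_A = "v=spf1 include:x.test include:y.test -all"
DOMAIN_RECORD = {"alpha.test": REC_A, "beta.test": REC_A, "gamma.test": REC_A,
                 "delta.test": "v=spf1 ip4:203.0.113.0/24 -all",
                 "eps.test": "v=spf1 ip4:203.0.113.0/25 ip4:198.51.100.0/24 -all",
                 "zeta.test": "v=spf1 ip4:192.0.2.7 ip4:192.0.2.8 -all"}
RECORD_IPS = {REC_A: cidr_ips("203.0.113.0/24", "192.0.2.0/25"),
              DOMAIN_RECORD["delta.test"]: cidr_ips("203.0.113.0/24"),
              DOMAIN_RECORD["eps.test"]: cidr_ips("203.0.113.0/25", "198.51.100.0/24"),
              DOMAIN_RECORD["zeta.test"]: cidr_ips("192.0.2.7/32", "192.0.2.8/32")}

def build_nodes(domain_record: dict) -> dict:
    """A node is the group of domains publishing the identical SPF record."""
    nodes = {}
    for domain, record in domain_record.items():
        nodes.setdefault(record, []).append(domain)
    return nodes

def build_edges(nodes: dict, record_ips: dict, min_shared: int = 128) -> dict:
    """Edge weight = IPs shared by two groups; edges under min_shared are dropped."""
    edges = {}
    for a, b in combinations(nodes, 2):
        shared = len(record_ips[a] & record_ips[b])
        if shared >= min_shared:
            edges[frozenset((a, b))] = shared
    return edges

def largest_component(nodes: dict, edges: dict) -> set:
    """Record keys of the connected component holding the most domains."""
    adj = {r: set() for r in nodes}
    for a, b in map(tuple, edges):
        adj[a].add(b); adj[b].add(a)
    comps, seen = [], set()
    for start in nodes:
        if start not in seen:
            comp, stack = set(), [start]
            while stack:
                r = stack.pop()
                if r not in comp:
                    comp.add(r); stack.extend(adj[r] - comp)
            comps.append(comp); seen |= comp
    return max(comps, key=lambda c: sum(len(nodes[r]) for r in c))
```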

Understanding the Clusters

Local Dense Connections

We used a community detection algorithm to identify clusters. Each cluster centers around a large domain group (large nodes), typically including intermediate domains. These intermediate domains may recursively include other intermediate or leaf domains, forming dense clusters. Leaf domains can share IPs with those in other clusters, connecting the clusters together.

Clusters make sense in terms of IP sharing. But what other characteristics do these clusters exhibit?

Domain Name Generation

Clusters comprise a mix of intermediate and leaf domains. Notably, the 59 brand domains are distributed across all clusters. Domains generated through word mutation are not visible in this visualization as they include few IPs and are filtered out.

Autonomous System Number (ASN)

An ASN (Autonomous System Number) is a unique identifier assigned to each autonomous system (AS) on the internet. An AS is a collection of IP networks and routers managed by a single organization that follows a common routing policy. Our analysis reveals that ASNs are distributed unevenly across different clusters, indicating diverse organizational controls in the entire attack.

Cluster | Top ASN 1 | Top ASN 2 | Top ASN 3
--- | --- | --- | ---
1 | IONOS SE (10.32%) | Xiamen (9.56%) | AS-CHOOPA (7.36%)
2 | IONOS SE (54.13%) | Shenzhen Tencent Computer Systems Company Limited (14.18%) | Scaleway S.a.s. (10.64%)
3 | AS-COLOCROSSING (11.10%) | velia.net Internetdienste GmbH (6.01%) | MEVSPACE sp. z o.o. (3.43%)
4 | Teknet Yazlim Ve Bilgisayar Teknolojileri (15.78%) | Unidentified (11.39%) | ASN-QUADRANET-GLOBAL (8.84%)
5 | Locaweb Servicos de Internet SA (24.46%) | AMAZON-02 (24.04%) | Dattatec.com (13.37%)
6 | Unidentified (14.37%) | EZZI-101-BGP (6.88%) | velia.net Internetdienste GmbH (6.59%)

Where do we go from here?

Analyzing a complex attack like SubdoMailing is no simple undertaking. But our research indicates that SubdoMailing is just one tactic used by groups around the world to send spam and impersonate legitimate brands.

We continue to work with others across the industry to better understand the widespread nature of the attack and will continue to share periodic updates. 

If you are interested in understanding if your brand has been impacted by SubdoMailing, try Red Sift’s SPF Checker. We have also recently announced DNS Guardian – a new feature in Red Sift OnDMARC that security teams can use to swiftly identify and stop domain takeovers that lead to spam.

Published by Phong Nguyen, 25 Jun. 2024
