Decoding the tricks: An analysis of poisoned domains in the SubdoMailing Attack

At Red Sift, we have been paying close attention to SubdoMailing – a domain takeover attack first discovered in February of 2024. Malicious actors exploited poorly maintained DNS records to send fraudulent emails impersonating legitimate brands. 

We identified affected organizations in our customer base and resolved the issue for all impacted users within 72 hours. 

The attack was widely reported to have been carried out by a single group of Israeli hackers sending spam driving readers to fake websites that were used to generate ad revenue. Since February we have been conducting our own analyses of the attack and believe that multiple groups are using SudboMailing to send fraudulent mail on behalf of legitimate brands. 

Let’s dive into the research.

Patterns in Domain Names

By analyzing various signals, we compiled an extensive dataset of poisoned domains – or domains included in the DNS of legitimate brands that were exploited by malicious actors. This article presents our findings from a comprehensive analysis of a sample of 6,225 domains, with 4,527 of them still active. Each active domain includes a list of IP ranges in their SPF record, encompassing IPs recursively retrieved from `include` statements.

These poisoned domains are recently registered. The attackers have different strategies for naming them. We highlight the following 4 strategies and list a few examples that we discovered in our analysis.

1. Impersonation: Mimicking Popular Brands and Services

In this strategy, bad actors used a typo-squatting strategy. They registered domains that were similar to popular brands or services that could have been mistyped into an organization’s DNS – thus giving them the ability to send mail on the organization’s behalf. While the list is extensive, here are a handful of examples we discovered. 

Big brands

  • Google
    • ghs.gglehosted.com
    • ghs.googlehoste.com
    • ghs.google-hosted.com
    • ghs.google hosted.co
  • Microsoft
    • clientconfig.microsofonline-p.net
    • clientconfig.microsoftoneline-p.net
    • clientconfig.microsoftonlie-p.net
  • Amazon
    • amazoses.com
    • amasonses.com
    • amazanpro.in
  • Marketo: 97 domains with the following format
    • mkto-ab010016.com
    • mkto-ab020157.com
    • mkto-ab030101.com
  • Shopify
    • xmyshopify.com
    • shopsmyshopify.com

Email/Internet-related brands

  • HubSpot
    • hubspotemails.net
    • 26282125hubspotemail.net
  • Mailjet
    • spfmailjet.com
    • spf-mailjet.com
  • Barracuda Networks
    • barracudaneworks.com
  • SendGrid
    • sendgrd.net
    • sengdrid.net
    • sengride.net
  • Squarespace
    • squaresspace.info
    • sqaurespace-mail.com

General internet services

  • Nameserver
    • onestopsocial.media.atnameserver.icu
    • luxuryvilla.ru.atnameserver.icu
  • Register servers
    • registar-servers.com
    • registrat-servers.com

2. Word Combinations: Generating Domains from English Terms

In this strategy, a domain name is a concatenation of a few words in English. The number of words vary, but between 2 and 4. If words are randomly selected from a dictionary, it’s unlikely that they will make sense when put together. In our analysis, we found that while 2-word domains may sound odd, most 3-4 word domains do make sense.

  • ailplug.com, chancecolon.com, woundfraction.com
  • bestdinnerideas.com, connectviaweb.com, fastcashloans.me
  • air-conditioner-with-heater.com, simplythebestevent.co.uk, workfromhomedigital.com

3. Word Mutations: Altering Uncommon English Words

The process starts with a base word then adds, removes or substitutes one or two letters to create a typo version, increasing the chance of successful domain registration. Some observations:

  • The majority domain lengths are around 10 within plus/minus 2.
  • Words are often rare or used in scientific domains such as medical.

Examples:

  • chromatop (chromatope), despoliat (despoilate), hypnophob (hypnophobia)
  • mancipator (emancipator), ntecedency (antecedency), riminogenic (criminogenic)
  • pelalagrin (pelaggrin), demaguogies (demagogues), mainvbstream (mainstream)

4. Subtle Patterns: Generating Semi-Random Domain Names

A large number of domains do not look completely random but subtle patterns exist. 

Examples:

  • Including numbers: 139come.com, 1paket.net, 20xx.gg
  • Abbreviation: mailsvrc3.com, mccsv.net, mfka.at
  • Non-English: benghalensis.com, juani.me, luezhaoxun.com

Discussion

We made two notable observations.

In an SPF lookup tree, a leaf node is a domain that specifies IPs explicitly in its SPF record, whereas an intermediate node is a domain that uses the include mechanism. The majority (56/59) of domains listed as examples of Strategy 1 (popular brands and services) are intermediate nodes. These intermediate nodes include other domains that seem to be generated using word combinations (Strategy 3) or less obvious patterns (Strategy 4). Below are the SPF trees for ghs.google-hosted.com and clientconfig.microsoftonline-p.net. All the nodes on the right side of the figures are leaf nodes with explicit IP mechanisms in their records.

The second observation concerns domains generated through the mutation of English words (Strategy 3).

  • All these domains are leaf nodes.
  • They are not included in any other domains and exist as flat structures.
  • The SPF records for these domains typically contain a very small number of IP addresses compared to other domains. Usually, they include up to 8 IP addresses, with a few exceptions that have 256 IP addresses (one /24 subnet).

The most important takeaway: These domains are substantially different from the others in multiple ways so it’s likely that they belong to a separate group of attackers.

Exploring Shared IP Addresses

In our analysis of 4,527 active domains, we identified only 938 unique SPF records. This indicates that many domains either share identical SPF records or have significant overlap in IP addresses. Our goal is to further investigate and map out the IP address sharing patterns in our collected data.

Extracting IP Addresses from SPF Records

To extract IPs from SPF records, we followed these steps:

  • For records containing explicit IPs, the process is straightforward (e.g., v=spf1 1.2.3.4/30).
  • For records using the include mechanism, we recursively resolved the included domains to gather all associated IPs (e.g., v=spf1 include:domain1.com include:domain2.com).

Visualizing the Domain Network

From there, we are able to build a network of domains where a node is a domain or group of domains that have the same SPF record. Two nodes have a connection if they share some IPs.

  • Node size represents the number of domains sharing the same SPF record. The largest group in our dataset includes 399 domains with the SPF record v=spf1 include:countrymessage.com include:whenstocks.com -all.
  • Edge size indicates the number of IPs shared between two domain groups.
  • Node color represents clusters where nodes within the same cluster have stronger connections compared to nodes in other clusters. Details on clustering are provided later.

Simplifying the Network for Clarity

To enhance clarity and focus on significant connections, we apply several operations:

  • Merging overlapping domains: Domains with highly overlapping IP addresses are merged.
  • Visualizing the largest component: Most domains are interconnected through various hops. We display only the largest connected component.
  • Filtering weak connections: Edges representing fewer than 128 shared IPs are removed, highlighting the ‘strong’ network.

Understanding the Clusters

Local Dense Connections

We used a community detection algorithm to identify clusters. Each cluster centers around a large domain group (large nodes), typically including intermediate domains. These intermediate domains may recursively include other intermediate or leaf domains, forming dense clusters. Leaf domains can share IPs with those in other clusters, connecting the clusters together.

Clusters make sense in terms of IP sharing. But what other characteristics do these clusters exhibit?

Domain Name Generation

Clusters comprise a mix of intermediate and leaf domains. Notably, the 59 brand domains are distributed across all clusters. Domains generated through word mutation are not visible in this visualization as they include few IPs and are filtered out.

Autonomous System Number (ASN)

An ASN (Autonomous System Number) is a unique identifier assigned to each autonomous system (AS) on the internet. An AS is a collection of IP networks and routers managed by a single organization that follows a common routing policy. Our analysis reveals that ASNs are distributed unevenly across different clusters, indicating diverse organizational controls in the entire attack.

Cluster
Top ASN 1
Top ASN 2
Top ASN 3
1
IONOS SE (10.32%)
Xiamen (9.56%)
AS-CHOOPA (7.36%)
2
IONOS SE (54.13%)
Shenzhen Tencent Computer Systems Company Limited (14.18%)
Scaleway S.a.s. (10.64%)
3
AS-COLOCROSSING (11.10%)
velia.net Internetdienste GmbH (6.01%)
MEVSPACE sp. z o.o. (3.43%)
4
Teknet Yazlim Ve Bilgisayar Teknolojileri (15.78%)
Unidentified (11.39%)
ASN-QUADRANET-GLOBAL (8.84%)
5
Locaweb Servicos de Internet SA (24.46%)
AMAZON-02 (24.04%)
Dattatec.com (13.37%)
6
Unidentified (14.37%)
EZZI-101-BGP (6.88%)
velia.net Internetdienste GmbH (6.59%)

Where do we go from here?

Analyzing a complex attack like SubdoMailing is no simple undertaking. But, our research indicates that SubdoMailing is simply one tactic used by groups around the world to send spam and impersonate legitimate brands. 

We continue to work with others across the industry to better understand the widespread nature of the attack and will continue to share periodic updates. 

If you are interested in understanding if your brand has been impacted by SubdoMailing, try Red Sift’s SPF Checker. We have also recently announced DNS Guardian – a new feature in Red Sift OnDMARC that security teams can use to swiftly identify and stop domain takeovers that lead to spam.

PUBLISHED BY

Phong Nguyen

25 Jun. 2024

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
News

Introducing DNS Guardian: Stop impersonation and spam caused by domain takeovers 

Rahul Powar

tl;dr: We’re thrilled to announce DNS Guardian — a new feature in Red Sift OnDMARC that can swiftly identify and stop domain takeovers that lead to malicious mail. Back in February, we shared updates with the community about SubdoMailing – an attack discovered by Guardio Labs. The attack was a form of subdomain takeover,…

Read more
Security

Navigating the Information Security Landscape: ISO 27001 vs. SOC 2

Red Sift

As cyber threats evolve, so do the standards and frameworks designed to combat them. Two of the most recognized standards in information security are ISO 27001 and SOC 2. What sets them apart, and which one is right for your organization? Let’s delve into the key differences. Purpose and Scope: Global Framework vs. Client-Centric…

Read more
News

G2 Summer 2024 Report: Red Sift OnDMARC’s Winning Streak Continues

Francesca Rünger-Field

We’re delighted to announce that Red Sift OnDMARC has again been named a Leader in G2’s DMARC category for Summer 2024. This recognition is based on our high Customer Satisfaction scores and strong market presence. Red Sift appeared in 11 reports – 5 new ones since Spring 2024! – earning 5 badges: A few…

Read more
News

Google will no longer trust Entrust certificates from October 2024

Red Sift

Tl;dr: Google has announced that as of October 31, 2024, Chrome will no longer trust certificates signed by Entrust root certificates. While there is no immediate impact on existing certificates or those issued before 31st October 2024, organizations should start reviewing their estate now. On Thursday 27th June 2024, Google announced that it had…

Read more
News

Understanding the polyfill.io domain attack

Francesca Rünger-Field

tl;dr: The recent compromise of the polyfill.io domain has triggered a broad-reaching web supply chain attack, impacting over 100,000 websites across various sectors including finance, healthcare, non-profits, academia, and more. To ensure the security of your website, we strongly advise you immediately remove any reference to polyfill.io. Latest update: 27th June 2024 Sansec, a…

Read more