Gandalf_The_Grey
A massive ad fraud campaign named "SubdoMailing" is using over 8,000 legitimate internet domains and 13,000 subdomains to send up to five million emails per day to generate revenue through scams and malvertising.
The campaign is called "SubdoMailing", as the threat actors hijack abandoned subdomains and domains belonging to well-known companies to send their malicious emails.
As these domains belong to trusted companies, they gain the benefit of being able to bypass spam filters and, in some cases, take advantage of configured SPF and DKIM email policies that tell secure email gateways that the emails are legitimate and not spam.
Some notable brands that fell victim to this domain hijacking campaign include MSN, VMware, McAfee, The Economist, Cornell University, CBS, NYC.gov, PWC, Pearson, Better Business Bureau, Unicef, ACLU, Symantec, Java.net, Marvel, and eBay.
These renowned brands involuntarily lend legitimacy to the fraudulent emails and help them pass through security filters.
Clicking on the embedded buttons in the emails takes users through a series of redirections, generating revenue for the threat actors via fraudulent ad views. Ultimately, the user arrives at fake giveaways, security scans, surveys, or affiliate scams.
Guardio Labs researchers Nati Tal and Oleg Zaytsev discovered the ad fraud campaign and reported that the operation has been underway since 2022.
The number of emails reaching targets surpasses 5,000,000 daily. While the attacker's profit from this is impossible to appreciate, the scale of the operation and volume of the fraudulent emails are undeniably massive.
Guardio Labs has created a SubdoMailing checker site that can allow domain owners to detect if their brand is being abused and take action to stop or prevent it.

SubdoMailing campaign spams 5 million emails daily via 8k hijacked domains
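The mechanism the article describes (an abandoned subdomain or an SPF reference that now points at a domain nobody owns, so whoever registers it inherits the brand's mail authorization) is something a domain owner can check for with a small DNS audit. The script below is an added example written for this thread, not code from the article, Guardio Labs or their checker site. It walks a domain's SPF include/redirect/a/mx chain and its subdomain CNAMEs and flags every target name that no longer exists. The FAKE_DNS zone, the brand.example / old-agency.example / retired-esp.example names and the hosts in it are all constructed for the demo; real use would replace lookup() with dnspython's dns.resolver.resolve.

```python
"""Audit a zone for hijackable mail delegations: dangling SPF references and
dangling CNAMEs. Added example, not the article's or Guardio's tooling."""
import re

# Constructed, offline stand-in for DNS (assumption: production code would
# call dns.resolver.resolve for TXT/CNAME/A records). A name absent from the
# table models NXDOMAIN, i.e. a domain nobody currently holds.
FAKE_DNS = {
    "brand.example": {
        "A": ["192.0.2.10"],
        "TXT": ["v=spf1 ip4:192.0.2.0/24 include:_spf.brand.example "
                "include:spf.retired-esp.example ~all"],
    },
    "_spf.brand.example": {"TXT": ["v=spf1 a:mx1.brand.example -all"]},
    "mx1.brand.example": {"A": ["192.0.2.25"]},
    # promo.brand.example was once delegated to an agency whose domain has
    # since expired: the CNAME now dangles.
    "promo.brand.example": {"CNAME": ["campaign.old-agency.example"]},
    # an intact delegation, for contrast
    "status.brand.example": {"CNAME": ["brand.statuspage.example"]},
    "brand.statuspage.example": {"A": ["198.51.100.7"]},
}

QUALIFIERS = "+-~?"

def lookup(name, rrtype, dns=FAKE_DNS):
    """Records of rrtype for name, or [] if name does not exist."""
    return list(dns.get(name.lower().rstrip("."), {}).get(rrtype, []))

def exists(name, dns=FAKE_DNS):
    return name.lower().rstrip(".") in dns

def spf_record(name, dns=FAKE_DNS):
    """The v=spf1 TXT record for name, following a CNAME if one is present
    (as a real resolver does), or None if absent or ambiguous."""
    for target in lookup(name, "CNAME", dns):
        return spf_record(target, dns)
    recs = [t for t in lookup(name, "TXT", dns) if t.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None

def audit_spf(name, dns=FAKE_DNS, _seen=None):
    """Walk include:/redirect=/a:/mx: references from name's SPF record and
    return (mechanism, referenced_name, status) tuples. A referenced name
    that does not exist is 'dangling': whoever registers it publishes the
    policy that name trusts, and so decides which hosts may send as name."""
    _seen = _seen if _seen is not None else set()
    findings = []
    key = name.lower()
    if key in _seen:            # include loops are a permerror; stop here
        return findings
    _seen.add(key)
    record = spf_record(name, dns)
    if record is None:
        return findings
    for term in record.split()[1:]:
        term = term.lstrip(QUALIFIERS)
        # ip4:/ip6:/all/exists: and bare a/mx (which refer to name itself)
        # delegate nothing to another name and are skipped.
        m = re.fullmatch(r"(include|redirect|a|mx)[:=]([^/]+)(?:/.*)?", term, re.I)
        if not m:
            continue
        mech, target = m.group(1).lower(), m.group(2)
        status = "ok" if exists(target, dns) else "dangling"
        findings.append((mech, target, status))
        if mech in ("include", "redirect") and status == "ok":
            findings.extend(audit_spf(target, dns, _seen))
    return findings

def audit_cname(name, dns=FAKE_DNS):
    """(name, target, status) for a CNAME'd subdomain, else None. SPF, DKIM
    and MX lookups for name all follow the CNAME, so whoever holds a dangling
    target can publish records that make mail from name pass those checks."""
    for target in lookup(name, "CNAME", dns):
        return (name, target, "ok" if exists(target, dns) else "dangling")
    return None

def hijackable(names, dns=FAKE_DNS):
    """Every dangling reference reachable from the given names."""
    out = []
    for n in names:
        c = audit_cname(n, dns)
        if c and c[2] == "dangling":
            out.append(("cname", n, c[1]))
        for mech, target, status in audit_spf(n, dns):
            if status == "dangling":
                out.append((mech, n, target))
    return out

if __name__ == "__main__":
    for kind, owner, target in hijackable(
            ["brand.example", "promo.brand.example", "status.brand.example"]):
        print(f"{kind:8} {owner:24} -> {target}  (register this and you can send as {owner})")
```

Both findings the demo zone produces are the conditions worth fixing before an attacker registers the target: drop the stale include from the SPF record, and delete or repoint the CNAME. On a real zone, feed hijackable() the full list of subdomains from the zone file rather than a hand-picked few, since the abandoned ones are exactly the names nobody remembers.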