A large spam campaign is usurping reputable domain names to scam you


Maxence Glineur

February 27, 2024 at 6:31 p.m.


The war against spam is still raging and its initiators are not lacking in inventiveness © Shutter z / Shutterstock


Millions of fraudulent emails are sent daily by a single malicious actor. Worse still, they are not always flagged as unwanted.

The war between spam and our mailboxes has lasted for many years and shows no sign of ending. These unwanted messages are a real nuisance that everyone wants to avoid, especially since they can be dangerous.

Scams, computer viruses, data theft: this is what email service providers try to protect us from, generally successfully. But, lo and behold, attackers regularly manage to slip through the cracks, like a certain “ResurrecAds”.

When eBay notifies you of a new connection to your Facebook account

Researchers at Guardio made a rather interesting discovery while examining email metadata: they uncovered a massive ad fraud campaign, dubbed “SubdoMailing”, allegedly sending more than five million emails per day.

This name suggests the main characteristic of this operation: it uses more than 8,000 domain names and 13,000 subdomains, and not just any domain names. Its instigators are able to use the addresses of companies as well-known as eBay, Marvel, MSN, McAfee and even that of New York City authorities, to pass themselves off as a trusted actor. Spam filters are thus more easily fooled, and it can be assumed that many users are just as fooled.

Some examples of fraudulent emails sent via the SubdoMailing operation © Guardio Labs


The content of these spam emails is not particularly original and is not necessarily linked to the domain names used. Guardio Labs gives the example of an email posing as a cloud storage service that alerts users that their space is almost full. It then invites you to upgrade to a paid plan offering more GB, all sent from an address @healthylifes.uk.com. Not very credible, then, but the illusion remains impressive.

An operation in progress for many months

Of course, the links contained in all these emails do not lead to the fake services used to deceive users. Instead, they redirect to a series of sites stuffed with advertisements, most of them fraudulent but all generating revenue. Ultimately, the most gullible victims end up on web pages promising gifts that do not exist, raising alarms about bogus virus infections on their computer, or using any other online scam technique we are now all too familiar with.

According to Guardio’s Nati Tal and Oleg Zaytsev, ResurrecAds scans a large number of domains for CNAME or SPF records pointing to external domains that are no longer in use (expired or abandoned). When it finds one, it takes possession of that external domain by registering it through a perfectly legal registrar such as NameCheap, so that the reputable domain’s own DNS now vouches for infrastructure the attacker controls.
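The defensive counterpart to that scan is to audit your own zone for the same thing: SPF `include:`/`redirect=` targets and CNAME targets that no longer resolve, before someone else registers them. The following is an added example written for this article, not Guardio’s tooling or anything from the campaign itself; all names under `.example` and the zone contents are constructed, and the resolver is injected as a function so the script runs offline (for a real zone you would replace `sample_live` with an actual DNS lookup).

```python
"""Find dangling SPF includes and CNAMEs in a zone (constructed example data)."""
import re
from typing import Callable, Iterable, Optional

# --- Constructed sample zone (hypothetical names; not real DNS records) ---
SAMPLE_TXT = {
    "example.com": [
        "v=spf1 include:_spf.mailvendor.example include:old-campaign.example ~all"
    ],
    "_spf.mailvendor.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
}
SAMPLE_CNAME = {
    "promo.example.com": "landing.retired-agency.example",   # agency contract ended
    "status.example.com": "status.vendor.example",           # still a live vendor
}
# Names that still resolve to something; anything else is treated as expired/unregistered.
SAMPLE_LIVE = {
    "example.com", "_spf.mailvendor.example",
    "promo.example.com", "status.example.com", "status.vendor.example",
}

# Matches the domain in "include:domain" or "redirect=domain", with optional qualifier.
SPF_REF = re.compile(r"(?:^|\s)[+\-~?]?(?:include:|redirect=)([A-Za-z0-9._\-]+)")


def parse_spf_refs(record: str) -> list:
    """Return the domains an SPF record delegates trust to via include: or redirect=."""
    if not record.lower().startswith("v=spf1"):
        return []
    return SPF_REF.findall(record)


# Lookup functions over the constructed data; swap these for real DNS queries.
def sample_txt(name: str) -> list:
    return SAMPLE_TXT.get(name, [])


def sample_cname(name: str) -> Optional[str]:
    return SAMPLE_CNAME.get(name)


def sample_live(name: str) -> bool:
    return name in SAMPLE_LIVE


def find_dangling_spf(domain: str,
                      txt_lookup: Callable[[str], list],
                      is_live: Callable[[str], bool],
                      max_depth: int = 10) -> list:
    """Walk the SPF include tree from `domain`; report (referrer, target) pairs
    where the target no longer resolves. Depth is capped like the RFC 7208
    lookup limit, and a seen-set guards against include loops."""
    findings = []
    seen = set()

    def walk(name: str, depth: int) -> None:
        if name in seen or depth > max_depth:
            return
        seen.add(name)
        for record in txt_lookup(name):
            for ref in parse_spf_refs(record):
                if not is_live(ref):
                    findings.append((name, ref))   # dangling: anyone could register it
                else:
                    walk(ref, depth + 1)           # live: audit what it includes too

    walk(domain, 0)
    return findings


def find_dangling_cnames(names: Iterable[str],
                         cname_lookup: Callable[[str], Optional[str]],
                         is_live: Callable[[str], bool]) -> list:
    """Report (alias, target) pairs whose CNAME target no longer resolves."""
    findings = []
    for name in names:
        target = cname_lookup(name)
        if target and not is_live(target):
            findings.append((name, target))
    return findings


if __name__ == "__main__":
    for referrer, target in find_dangling_spf("example.com", sample_txt, sample_live):
        print(f"SPF of {referrer} still trusts dead domain {target}: remove the include")
    for alias, target in find_dangling_cnames(SAMPLE_CNAME, sample_cname, sample_live):
        print(f"CNAME {alias} -> {target} is dangling: delete the record")
```

Each finding is a record to delete (or a domain to renew) rather than leave in place: a stale `include:` lets mail from whoever registers that name pass your SPF policy, and a stale CNAME hands them a hostname under your brand.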

An example of how ResurrecAds can capture a subdomain, here belonging to MSN © Guardio


According to the researchers, the threat actor behind the campaign operates nearly 22,000 unique IP addresses spread across the globe, nearly a thousand of them residential proxies. How much the operation earns is not yet known, but it is believed to have been running since… 2022.


Source : Bleeping Computer
