Researchers continue to observe threat actors successfully spoofing sender email addresses across a range of malspam campaigns.
Spoofing the sender’s email address is generally an attempt to make the message appear credible and to bypass security controls that would otherwise flag it as suspicious.
As DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting and Conformance (DMARC), and Sender Policy Framework (SPF) have successfully curbed spoofing of prominent domains, spammers are increasingly turning to abandoned, neglected domains in their campaigns.
Emails sent from such domains can circumvent security checks that rely on domain age to detect and block spam.
A threat intelligence firm disclosed in a recent report that threat actors, including APT1 and others, have exploited several dormant, unused domains that haven’t hosted content in nearly two decades.
The company noted that these domains lacked crucial DNS records, including those sometimes used to authenticate senders’ identities, such as Sender Policy Framework (SPF) records. “The domains reside in a selection of well-established and highly regarded top-level domains.”
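The following added example (not code from the Infoblox report) shows how a mail gateway might grade a sender domain’s spoofing exposure from its SPF and DMARC records alone; the domains and TXT records are constructed stand-ins for the dormant domains described above, embedded inline instead of being resolved from DNS.

```python
"""Grade how easily a sender domain can be spoofed, judging only from its
SPF and DMARC TXT records.  Constructed example: records are embedded
inline instead of being looked up in DNS."""
import re

# Constructed sample TXT records (hypothetical domains, not from the report).
SAMPLE_DNS = {
    "bank.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.bank.example": ["v=DMARC1; p=reject; rua=mailto:d@bank.example"],
    "legacy.example": ["v=spf1 mx ~all"],          # SPF but no DMARC record
    "old-shop.example": ["v=spf1 +all"],            # SPF that passes everyone
    "_dmarc.old-shop.example": ["v=DMARC1; p=none"],
    "abandoned.example": [],   # no TXT records at all, like the dormant domains
}

def spf_record(txts):
    """Return the single SPF record among a domain's TXT strings, or None."""
    recs = [t for t in txts if t.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None

def spf_all_qualifier(spf):
    """Qualifier on the trailing 'all' mechanism: '-' fail, '~' softfail,
    '?' neutral, '+' pass (the default when no qualifier is written)."""
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf, re.IGNORECASE)
    return (m.group(1) or "+") if m else None

def dmarc_policy(txts):
    """Parse a DMARC record into its tag=value pairs; return {} when absent."""
    for t in txts:
        if t.lower().startswith("v=dmarc1"):
            return {k.strip().lower(): v.strip() for k, v in
                    (tag.split("=", 1) for tag in t.split(";") if "=" in tag)}
    return {}

def spoofing_risk(domain, dns=SAMPLE_DNS):
    """Classify a sender domain as 'high', 'medium' or 'low' spoofing risk.
    high:   no SPF, or an SPF whose 'all' lets any host pass
    medium: SPF restricts senders but DMARC is missing or p=none (unenforced)
    low:    restrictive SPF plus an enforcing DMARC policy (quarantine/reject)"""
    spf = spf_record(dns.get(domain, []))
    policy = dmarc_policy(dns.get("_dmarc." + domain, [])).get("p", "none").lower()
    if spf is None or spf_all_qualifier(spf) in ("+", "?", None):
        return "high"
    if policy in ("quarantine", "reject"):
        return "low"
    return "medium"

if __name__ == "__main__":
    for d in ("bank.example", "legacy.example", "old-shop.example", "abandoned.example"):
        print(f"{d:20} {spoofing_risk(d)}")
```

A real deployment would replace SAMPLE_DNS with live TXT lookups; the grading logic is what matters, since a domain with no SPF record at all yields the same "high" verdict as one that explicitly allows every sender.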
A sophisticated campaign has been underway since at least December 2022 that distributes emails with attachments containing QR codes that ultimately link to fraudulent websites masquerading as legitimate ones. Recipients are told to open the attachment and scan the QR code with the Alipay or WeChat mobile app to proceed.
The emails use tax-themed lures written in Mandarin, and the attachment containing the QR code is locked with a four-digit password that is included in the email body. In one instance, the phishing site demanded that victims enter sensitive identity information and credit card details, ultimately resulting in an unauthorized payment to the attacker.
According to Infoblox, while the campaigns abusing abandoned domains are reminiscent of Muddling Meerkat, they primarily spoof random domains, including non-existent ones. “The actor can utilize this feature to avoid receiving duplicate emails from the same sender, thereby streamlining their communication workflow.”
The company has also identified phishing schemes impersonating well-known brands such as Amazon, Mastercard, and SMBC that aim to lure victims to fake login pages via traffic distribution systems and harvest sensitive information. Infoblox also listed several sender addresses that used spoofed domains.
Spammers employ an even more nefarious tactic when targeting email recipients: they threaten to release compromising video recordings, allegedly captured by a remote-access trojan installed on the victim’s device, unless the victim pays $1,800 in Bitcoin.
The attacker spoofs the target’s own email address so that the message appears to originate from the victim’s account, presenting this as fabricated proof that the device has been compromised.
The disclosure follows a newly emerged phishing campaign known as Butcher Shop, observed since early September 2024, that targets the government and construction sectors to steal Microsoft 365 login credentials.
According to Obsidian Security, the attackers abuse trusted services such as Canva, Dropbox’s DocSend, and Google’s Accelerated Mobile Pages (AMP) to redirect unsuspecting users to fraudulent websites. These redirects have been distributed through compromised email accounts and vulnerable WordPress sites.
“Before presenting a phishing webpage, companies use a customized webpage featuring a Cloudflare Turnstile to verify the user’s humanity.” The Turnstile challenge keeps automated email security tooling, such as URL scanners, from reaching the phishing page and flagging it.
Recently, a surge in SMS-based phishing attacks has been observed in which fraudsters pose as officials from law enforcement agencies in the United Arab Emirates (UAE) and send fake fee notices for non-existent traffic and parking violations and licence renewals. Multiple bogus websites have been linked to a known threat actor.
In the Middle East, banking customers are being targeted by a sophisticated social engineering scheme in which callers impersonate government officials over the phone and use remote access software to steal credit card information and one-time passwords.
The campaign, attributed to an unknown actor claiming to be a native Arabic speaker, appears to have been aimed primarily at women whose personal data had been leaked on the dark web.
“A malicious scheme has been identified, targeting individuals who have previously lodged complaints with federal agencies about online purchases or services through the government’s portal or mobile app, highlighting the vulnerability of consumer complaints being exploited by scammers.”
The scammers prey on unsuspecting consumers’ eagerness to resolve a disappointing purchase, persuading them to follow instructions in the hope of securing a refund for a subpar product.
Separately, Cofense identified another malicious campaign in which scammers sent emails purporting to be from the U.S. Social Security Administration (SSA), embedding links that either installed ConnectWise remote access software or directed users to credential-harvesting pages.
A recent report reveals that generic top-level domains (gTLDs) such as .prime, .xyz, .store, .vip, and .membership accounted for 37% of reported cybercrime domains between September 2023 and August 2024, despite making up only 11% of the entire domain name market.
Malicious actors favor these domains because of low operational costs and lax registration requirements. Of the gTLDs most frequently used for illicit activity online, 22 offered registration fees under $2.00.
Malicious actors have also been found distributing a harmful WordPress plugin, dubbed PhishWP, that creates customisable phishing pages masquerading as trusted payment gateways such as Stripe, with the aim of stealing sensitive financial information and exfiltrating it via Telegram.
According to a recent report by SlashNext, attackers either compromise legitimate WordPress websites or set up fraudulent ones to host the plugin. “After setting up the plugin to mimic a genuine payment gateway, naive users are tricked into revealing sensitive financial information.” The malicious plugin gathers the entered data and transmits it directly to the cybercriminals in real time.