Infoblox Threat Intel Research Sheds Light On The Use Of Spoofed Domains In Malicious Spam Campaigns
9 January 2024
Infoblox Threat Intel researchers have uncovered new insights into the use of spoofed domains in modern malicious spam (malspam) campaigns, in which unsolicited emails carry harmful attachments or links designed to infect the recipient's computer with malware or to steal sensitive information. The findings reveal how threat actors exploit domain spoofing and how pervasive the technique is. The information was gathered through a collective effort following the initial Muddling Meerkat research, with various individuals sharing data on Muddling Meerkat behavior with the researchers. This underscores the importance of collaboration in cybersecurity: sharing data and insights can lead to significant discoveries and improvements in threat detection and mitigation.
Key Findings:
- Domain Spoofing in Spam: Threat actors fake (spoof) the sender address of an email to make it appear more legitimate. By using old, neglected domains, they evade security mechanisms that rely on the age of the sender domain to identify malicious spam. The catch: while several mechanisms exist to protect users from spam in general and from spoofing in particular, the researchers found that spoofing is still widely used.
- QR Code Phishing Campaigns: These campaigns target residents of greater China, using QR codes in attachments to lead victims to phishing sites. The campaigns also leverage registered domain generation algorithms (RDGAs) to create short-lived domains.
- Japanese Phishing Campaigns: Targeting Japanese users, these campaigns impersonate popular brands like Amazon and SMBC (one of the largest banks in Japan) to steal login credentials. The attackers use traffic distribution systems (TDS) to redirect victims meeting the right criteria to fake login pages and avoid detection by security companies.
- Extortion Campaigns: These campaigns claim that the recipient's device has been compromised and demand payment in Bitcoin to avoid the release of embarrassing information. The spoofing here comes with a twist: The attackers spoof the recipient's own email address to appear more convincing.
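The findings above describe three spoofing patterns a mail filter has to contend with: a visible From domain that is not backed by the sending infrastructure, an aged sender domain chosen to slip past domain-age checks, and a From address that equals the recipient's own address. The following triage script is an added example, not Infoblox code or tooling; it runs over three constructed messages and a constructed registration-date table (standing in for a WHOIS/RDAP lookup) to show why a domain-age threshold alone is insufficient and which header relationships a defender should check alongside it. All domains, dates and the 90-day threshold are assumptions made for the example.

```python
"""Triage constructed malspam samples for the spoofing patterns described above.

Added example (not Infoblox code). Messages, domains and registration dates
are constructed for illustration; DOMAIN_CREATED stands in for the WHOIS/RDAP
lookup a real pipeline would perform.
"""
from datetime import date
from email import message_from_string
from email.utils import parseaddr

# Constructed registration dates (assumed values, not real registry data).
DOMAIN_CREATED = {
    "old-neglected-example.com": date(2009, 3, 14),  # aged, neglected domain
    "fresh-example.net": date(2024, 1, 3),           # registered days ago
    "victim-example.org": date(2015, 6, 1),          # the recipient's domain
}

MIN_DOMAIN_AGE_DAYS = 90       # assumed threshold of an age-only filter
TODAY = date(2024, 1, 9)       # fixed so the example is reproducible

# Constructed sample 1: aged From domain, envelope sender elsewhere.
SAMPLE_AGED_SPOOF = """\
Return-Path: <bounce@fresh-example.net>
From: "Accounts" <billing@old-neglected-example.com>
To: <user@victim-example.org>
Subject: Invoice attached

See attached.
"""

# Constructed sample 2: the extortion twist, From equals To.
SAMPLE_SELF_SPOOF = """\
Return-Path: <bounce@fresh-example.net>
From: <user@victim-example.org>
To: <user@victim-example.org>
Subject: Your device

Pay in Bitcoin.
"""

# Constructed sample 3: internal notification, headers aligned.
SAMPLE_LEGIT = """\
Return-Path: <noreply@victim-example.org>
From: <noreply@victim-example.org>
To: <user@victim-example.org>
Subject: Weekly report

Attached is the report.
"""


def domain_of(header_value):
    """Return the lower-cased domain of an RFC 5322 address header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def domain_age_days(domain):
    """Age of the domain in days, or None when the registry has no record."""
    created = DOMAIN_CREATED.get(domain)
    return (TODAY - created).days if created else None


def triage(raw_message):
    """Extract the spoofing indicators a defender would check on inbound mail."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg["From"])
    return_path_domain = domain_of(msg["Return-Path"])
    age = domain_age_days(from_domain)
    _, from_addr = parseaddr(msg["From"] or "")
    _, to_addr = parseaddr(msg["To"] or "")
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        # Visible sender not backed by the envelope sender: the mismatch
        # that DMARC alignment was designed to surface.
        "header_envelope_mismatch": from_domain != return_path_domain,
        "from_domain_age_days": age,
        # What an age-only filter would decide about this sender.
        "aged_sender": age is not None and age >= MIN_DOMAIN_AGE_DAYS,
        # Extortion pattern: the sender claims to be the recipient.
        "self_spoof": bool(from_addr) and from_addr.lower() == to_addr.lower(),
    }


def verdict(indicators):
    """Combine the indicators into a verdict and the reasons behind it."""
    reasons = []
    if indicators["header_envelope_mismatch"]:
        reasons.append("From domain not backed by envelope sender")
    if indicators["self_spoof"]:
        reasons.append("sender spoofs the recipient's own address")
    if indicators["from_domain_age_days"] is None:
        reasons.append("sender domain unknown to registry")
    elif not indicators["aged_sender"]:
        reasons.append("sender domain younger than %d days" % MIN_DOMAIN_AGE_DAYS)
    return ("suspicious" if reasons else "pass", reasons)


if __name__ == "__main__":
    for name, raw in [("aged spoof", SAMPLE_AGED_SPOOF),
                      ("self spoof", SAMPLE_SELF_SPOOF),
                      ("aligned", SAMPLE_LEGIT)]:
        ind = triage(raw)
        print(name, "age-only filter passes:", ind["aged_sender"], verdict(ind))
```

Run as a script, the first sample is exactly the case the findings describe: the From domain is old enough that an age-only filter passes it, yet the envelope sender belongs to a domain registered six days earlier, so the header/envelope mismatch is what catches it. The second sample passes the age check for the same reason (the recipient's own domain is old) and is caught only by the self-spoof check.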
If you like mysteries, there is still one left after the research: A perplexing spam campaign purportedly from "Shanghai Yakai", the name of a Chinese freight company, that sends seemingly harmless Excel attachments with no clear purpose. Despite frequent appearances, these emails lack any call to action, leaving us to wonder about the true motive behind this enigmatic operation. What could be the reason for such an elaborate yet seemingly pointless effort?