Neglected Domains Used in Malspam to Evade SPF and DMARC Security Protections

By Viral Trending Content

Cybersecurity researchers have found that bad actors are continuing to have success by spoofing sender email addresses as part of various malspam campaigns.

Faking the sender address of an email is widely seen as an attempt to make the digital missive more legitimate and get past security mechanisms that could otherwise flag it as malicious.

Safeguards such as DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting and Conformance (DMARC), and Sender Policy Framework (SPF) can stop spammers from spoofing well-known domains, but those safeguards have increasingly pushed them toward old, neglected domains in their operations.

Because such domains were registered long ago, the email messages are likely to bypass security checks that use domain age as a signal for identifying spam.

DNS threat intelligence firm Infoblox, in a new analysis shared with The Hacker News, discovered that threat actors, including Muddling Meerkat and others, have abused some of its own old, disused top-level domains (TLDs) that haven’t been used to host content for nearly 20 years.

“They lack most DNS records, including those that are typically used to check the authenticity of a sender domain, e.g., Sender Policy Framework (SPF) records,” the company said. “The domains are short and in highly reputable TLDs.”

One such campaign, active since at least December 2022, involves distributing email messages with attachments containing QR codes that lead to phishing sites. The emails instruct recipients to open the attachment and use the AliPay or WeChat apps on their phones to scan the QR code.

The emails employ tax-related lures written in Mandarin, while also locking the QR code documents behind a four-digit password included in the email body in different ways. The phishing site, in one case, urged users to enter their identification and card details, and then make a fraudulent payment to the attacker.

“Although the campaigns do use the neglected domains we see with Muddling Meerkat, they appear to broadly spoof random domains, even ones that do not exist,” Infoblox explained. “The actor may use this technique to avoid repeated emails from the same sender.”

The company said it also observed phishing campaigns that impersonate popular brands like Amazon, Mastercard, and SMBC and redirect victims to fake login pages via traffic distribution systems (TDSes) in order to steal their credentials. Some of the email addresses that have been identified as using spoofed sender domains are listed below –

  • ak@fdd.xpv[.]org
  • mh@thq.cyxfyxrv[.]com
  • mfhez@shp.bzmb[.]com
  • gcini@vjw.mosf[.]com
  • iipnf@gvy.zxdvrdbtb[.]com
  • zmrbcj@bce.xnity[.]net
  • nxohlq@vzy.dpyj[.]com
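The passage above explains why a sender domain with no SPF or DMARC records slips past authentication: SPF returns "none" rather than "fail", and with no DMARC policy there is nothing for the receiver to enforce. The following Python example, added here and not part of the original article or of Infoblox's tooling, evaluates SPF and DMARC against a constructed, in-memory stand-in for DNS (the `FAKE_DNS_TXT` table is an assumption, not real records) and flags the neglected-domain pattern. It handles only the `ip4`/`ip6`/`all` mechanisms, uses a simplified organizational-domain rule instead of the Public Suffix List, and accepts defanged addresses like the ones listed above so they can be fed in as they appear in reports.

```python
"""Offline demonstration of SPF and DMARC evaluation and of what a receiver sees
when the sender domain publishes no authentication records at all.
All DNS data here is constructed for the example; none of it is real."""
import ipaddress

# Constructed TXT "zone": name -> list of TXT strings (assumed data, not real DNS).
# The spoofed sender domains from the article are deliberately absent, which
# models a neglected domain that lacks SPF and DMARC records entirely.
FAKE_DNS_TXT = {
    "example-bank.test": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.example-bank.test": ["v=DMARC1; p=reject; adkim=s; aspf=s"],
}

# Map SPF qualifiers to the result they produce when a mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    """Stand-in for a DNS TXT query (assumption: swap in a real resolver)."""
    return FAKE_DNS_TXT.get(name.lower().rstrip("."), [])


def evaluate_spf(domain, sender_ip):
    """Minimal SPF check: ip4/ip6 mechanisms and 'all' only (subset of RFC 7208)."""
    records = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if not records:
        return "none"          # no record at all -> 'none', not 'fail'
    if len(records) > 1:
        return "permerror"     # more than one SPF record is a permanent error
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            # An address of the other IP version never matches a network.
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif term == "all":
            return QUALIFIER_RESULT[qualifier]
        # a / mx / include / exists are outside the scope of this example
    return "neutral"           # nothing matched and no 'all' mechanism


def organizational_domain(domain):
    """Simplified org domain: last two labels (real DMARC uses the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def lookup_dmarc(domain):
    """Parsed DMARC tags for the domain, falling back to its org domain; None if absent."""
    for name in (domain, organizational_domain(domain)):
        records = [r for r in lookup_txt("_dmarc." + name)
                   if r.upper().startswith("V=DMARC1")]
        if records:
            tags = {}
            for part in records[0].split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def assess_sender(from_addr, sender_ip):
    """Combine SPF and DMARC into the disposition a receiver would apply."""
    # Accept defanged addresses such as ak@fdd.xpv[.]org as they appear in reports.
    domain = from_addr.replace("[.]", ".").rsplit("@", 1)[1]
    spf = evaluate_spf(domain, sender_ip)
    dmarc = lookup_dmarc(domain)
    if dmarc is None:
        disposition = "none"   # no policy: DMARC cannot reject, whatever SPF says
    elif spf == "pass":
        disposition = "pass"   # SPF pass on the From domain itself is aligned
    else:
        disposition = dmarc.get("p", "none")
    # Defender heuristic: a From domain publishing neither SPF nor DMARC is the
    # neglected-domain pattern the article describes; surface it for scrutiny.
    return {
        "domain": domain,
        "spf": spf,
        "dmarc_policy": None if dmarc is None else dmarc.get("p"),
        "disposition": disposition,
        "flag_no_auth_records": spf == "none" and dmarc is None,
    }


if __name__ == "__main__":
    for addr, ip in [("billing@example-bank.test", "192.0.2.10"),
                     ("billing@example-bank.test", "203.0.113.5"),
                     ("ak@fdd.xpv[.]org", "203.0.113.5")]:
        print(addr, ip, assess_sender(addr, ip))
```

The third case is the one the article is about: the message is neither authenticated nor rejected, so a gateway that only acts on DMARC failures lets it through, and the `flag_no_auth_records` signal is what a defender would route into a stricter scoring or quarantine rule.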

A third category of spam relates to extortion, wherein email recipients are asked to make a $1800 payment in Bitcoin to delete embarrassing videos of themselves that were recorded using a purported remote access trojan installed on their systems.

“The actor spoofs the user’s own email address and challenges them to check it and see,” Infoblox said. “The email tells the user that their device has been compromised, and as proof, the actor alleges that the message was sent from the user’s own account.”

The disclosure comes as the legal, government and construction sectors have been targeted by a new phishing campaign dubbed Butcher Shop, active since early September 2024, that aims to steal Microsoft 365 credentials.

The attacks, per Obsidian Security, abuse trusted platforms like Canva, Dropbox DocSend, and Google Accelerated Mobile Pages (AMPs) to redirect users to the malicious sites. Some of the other channels include emails and compromised WordPress sites.

“Before displaying the phishing page, a custom page with a Cloudflare Turnstile is shown to verify that the user is, in fact, human,” the company said. “These turnstiles make it harder for email protection systems, like URL scanners, to detect phishing sites.”

In recent months, SMS phishing campaigns have been observed impersonating law enforcement authorities in the U.A.E. to send fake payment requests for non-existent traffic violations, parking violations, and license renewals. Some of the bogus sites set up for this purpose have been attributed to a known threat actor called Smishing Triad.

Banking customers in the Middle East have also been targeted by a sophisticated social engineering scheme that impersonates government officials in phone calls and employs remote access software to steal credit card information and one-time passwords (OTPs).

The campaign, assessed to be the work of unknown native Arabic speakers, has been found to be primarily directed against female consumers who have had their personal data leaked via stealer malware on the dark web.

“The scam specifically targets individuals who have previously submitted commercial complaints to the government services portal, either through its website or mobile app, regarding products or services purchased from online merchants,” Group-IB said in an analysis published today.

“The fraudsters exploit the victims’ willingness to cooperate and obey their instructions, hoping to receive refunds for their unsatisfactory purchases.”

Another campaign identified by Cofense involves sending emails claiming to be from the United States Social Security Administration that embed a link to download an installer for the ConnectWise remote access software or direct the victims to credential harvesting pages.

The development comes as generic top-level domains (gTLDs) such as .top, .xyz, .shop, .vip, and .club have accounted for 37% of cybercrime domains reported between September 2023 and August 2024, despite holding only 11% of the total domain name market, according to a report from the Interisle Consulting Group.

These domains have become lucrative for malicious actors due to low prices and a lack of registration requirements, thereby opening doors for abuse. Among the gTLDs widely used for cybercrime, 22 offered registration fees of less than $2.00.

Threat actors have also been discovered advertising a malicious WordPress plugin called PhishWP that can be used to create customizable payment pages mimicking legitimate payment processors like Stripe to steal personal and financial data via Telegram.

“Attackers can either compromise legitimate WordPress websites or set up fraudulent ones to install it,” SlashNext said in a new report. “After configuring the plugin to mimic a payment gateway, unsuspecting users are lured into entering their payment details. The plugin collects this information and sends it directly to attackers, often in real-time.”
