Cybersecurity researchers have found that attackers continue to find success by spoofing sender email addresses as part of various spam campaigns.
Forging the sender address of an email is widely seen as an attempt to make a digital message appear more legitimate and bypass security mechanisms that might otherwise flag it as malicious.
While there are safeguards such as DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting and Conformance (DMARC) and Sender Policy Framework (SPF) that can be used to prevent spammers from spoofing well-known domains, this increasingly pushes them to use old, derelict domains in their activities.
In doing so, email messages are likely to bypass security checks that rely on domain age as a means of identifying spam.
In a new analysis shared with The Hacker News, DNS threat intelligence firm Infoblox found that threat actors, including Muddling Meerkat and others, have been abusing old, unused top-level domains (TLDs) that haven’t been used to host content for nearly 20 years.
“They are missing most DNS records, including those commonly used to validate a sender’s domain, such as Sender Policy Framework (SPF) records,” the company said. “Domains are short and in trusted TLDs.”
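As an added example (not code from the article or from Infoblox), the following Python check applies the observation above from the defender's side: it looks up SPF and DMARC records for a sender domain and combines them with domain age, so an old domain that publishes neither is flagged as a neglected-domain risk instead of being trusted on age alone. The DNS answers and registration dates are constructed inline for the example; a real deployment would query DNS and RDAP/WHOIS.

```python
import re
from datetime import date

# Constructed DNS answers for this example; a real check would query DNS
# (for instance with dnspython) instead of reading this dict.
CONSTRUCTED_TXT = {
    "example.com": ["v=spf1 include:_spf.example.com -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "oldname.net": [],          # neglected domain: no SPF record at all
    "_dmarc.oldname.net": [],   # ... and no DMARC policy either
}
# Constructed registration dates; a real check would use RDAP or WHOIS.
CONSTRUCTED_CREATED = {"example.com": date(2005, 3, 1), "oldname.net": date(2004, 6, 1)}


def spf_record(domain, txt=CONSTRUCTED_TXT):
    """Return the domain's SPF TXT record, or None if it publishes none."""
    for rr in txt.get(domain, []):
        if rr.lower().startswith("v=spf1"):
            return rr
    return None


def dmarc_policy(domain, txt=CONSTRUCTED_TXT):
    """Return the DMARC p= tag (none/quarantine/reject), or None if absent."""
    for rr in txt.get("_dmarc." + domain, []):
        m = re.search(r"\bp=(none|quarantine|reject)\b", rr, re.IGNORECASE)
        if rr.lower().startswith("v=dmarc1") and m:
            return m.group(1).lower()
    return None


def assess_sender_domain(domain, today, min_age_days=365, created=CONSTRUCTED_CREATED):
    """Combine SPF/DMARC presence with domain age. An old domain that publishes
    no records would pass an age-only filter; that is the gap flagged here."""
    reg = created.get(domain)
    age_ok = reg is not None and (today - reg).days >= min_age_days
    spf, dmarc = spf_record(domain), dmarc_policy(domain)
    findings = []
    if spf is None:
        findings.append("no-spf")
    if dmarc is None:
        findings.append("no-dmarc")
    elif dmarc == "none":
        findings.append("dmarc-monitor-only")
    if age_ok and spf is None and dmarc is None:
        findings.append("neglected-domain")  # old but unauthenticated: treat as hostile
    if not findings:
        verdict = "accept"
    else:
        verdict = "reject" if "neglected-domain" in findings else "review"
    return {"domain": domain, "age_ok": age_ok, "findings": findings, "verdict": verdict}
```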
One such campaign, active since at least December 2022, distributes emails with attachments containing QR codes that lead to phishing sites. The emails instruct recipients to open the attachment and scan the QR code with the AliPay or WeChat apps on their phones.
The emails use tax-related lures written in Chinese and lock the QR-code document behind a four-digit password embedded in the body of the email in various ways. In one case, the phishing site asked users to enter their ID and card details and then make a fraudulent payment to the attacker.
“While the companies using the neglected domains we see in Muddling Meerkat appear to be widely spoofing random domains, even ones that don’t exist,” Infoblox explained. “An actor can use this technique to avoid repeated emails from the same sender.”
The company said it has also observed phishing campaigns impersonating popular brands such as Amazon, Mastercard and SMBC that redirect victims through Traffic Distribution Systems (TDSes) to fake login pages in order to steal their credentials. Some of the email addresses identified as using fake sender domains are listed below:
- ak@fdd.xpv(.)org
- mh@thq.cyxfyxrv(.)com
- mfhez@shp.bzmb(.)com
- gcini@vjw.mosf(.)com
- iipnf@gvy.zxdvrdbtb(.)com
- zmrbcj@bce.xnity(.)net
- nxohlq@vzy.dpyj(.)com
A third category of spam involves extortion, where email recipients are asked to make a payment of $1,800 in Bitcoin to delete embarrassing videos of themselves that were recorded using an alleged remote access trojan installed on their systems.
“Actor spoofs user’s email address and urges them to check it and see,” Infoblox said. “The email tells the user that their device has been hacked, and as proof, the actor claims that the message was sent from the user’s own account.”
The disclosure comes as the legal, government and construction sectors have been targeted since early September 2024 by a new phishing campaign called the Butcher Shop, which aims to steal Microsoft 365 credentials.
The attacks, according to Obsidian Security, abuse trusted platforms such as Canva, Dropbox DocSend and Google Accelerated Mobile Pages (AMP) to redirect users to malicious sites. Some other channels include email and hacked WordPress sites.
“Before displaying the phishing page, a user page is displayed with a Cloudflare turnstile to verify that the user is actually human,” the company said in a statement. “These turnstiles make it harder for email protection systems, such as URL scanners, to detect phishing sites.”
In recent months, SMS phishing campaigns have been seen impersonating UAE law enforcement agencies to send fake payment requests for non-existent traffic violations, parking violations and license renewals. Some of the bogus sites created for this purpose were attributed to the well-known threat actor called the Smishing Triad.
Banking customers in the Middle East have also been targeted by a sophisticated social engineering scheme that impersonates government officials in phone calls and uses remote access software to steal credit card information and one-time passwords (OTPs).
The campaign, attributed to unknown Arabic speakers, was found to primarily target female consumers whose personal data had been leaked on the dark web by stealer malware.
“The scam specifically targets individuals who have previously submitted commercial complaints to the government service portal through a website or mobile app regarding products and services purchased from online merchants,” Group-IB said in an analysis published today.
“Fraudsters take advantage of victims’ willingness to cooperate and follow their instructions, hoping to receive compensation for their unsatisfactory purchases.”
Another campaign identified by Cofense involves emails purporting to be from the United States Social Security Administration that embed a link to download the installer for ConnectWise remote access software or direct victims to credential harvesting pages.
The development comes as generic top-level domains (gTLDs) such as .top, .xyz, .shop, .vip and .club accounted for 37% of cybercrime domains reported between September 2023 and August 2024, despite making up only 11% of the total domain name market, according to a report from Interisle Consulting Group.
These domains have become lucrative for attackers because of their low prices and lack of registration requirements, opening up opportunities for abuse. Among the gTLDs widely used for cybercrime, 22 offered registration fees of less than US$2.00.
Criminals were also found to be promoting a malicious WordPress plugin called PhishWP, which can be used to create customizable payment pages that mimic legitimate payment processors like Stripe to steal personal and financial data via Telegram.
“Attackers can either compromise legitimate WordPress websites or configure fraudulent ones to install it,” SlashNext said in a new report. “After configuring the plugin to mimic a payment gateway, unsuspecting users are lured into entering their payment details. The plugin collects this information and sends it directly to the attackers, often in real time.”