Domain Hijacking Used in ResurrecAds’ Spam Campaign

Mar 2, 2024

Domain hijacking is a critical cybersecurity concern in which attackers unlawfully gain control over a domain or subdomain, potentially damaging a business’s reputation and operations. We’ll explore how such incidents occur, their impact, and the specific case of the ResurrecAds massive spam campaign, highlighting the risks associated with neglected subdomains. As with most cybersecurity threats, staying informed and being proactive is the best way to avoid becoming a victim.

What Is Domain Hijacking?

Domain hijacking happens when someone unlawfully takes control of a domain, or registers a subdomain that its rightful owner has abandoned, and in doing so harms the owner’s business and reputation. Attackers often use phishing or exploit security flaws to access and change the domain’s settings. They also run scanners to find abandoned subdomains, register them, and use them for cyberattacks. The result can be lost business, leaked data, and damaged customer trust.

An Overview of the Domain Hijacking Incident

The cyberattack campaign by a threat actor called ResurrecAds involved sending over 5 million emails daily from around 8,000 internet domains and 13,000 subdomains. Since it was first identified in September 2022, the campaign has abused well-known brands such as Marvel, eBay, McAfee, Java, MSN, CBS, and many more. The domain hijacking strategy has been named SubdoMailing because of its heavy use of subdomains in email spam.

Web browser phishing has tripled since 2023, and this type of attack relies on a similar tactic: abusing subdomains of trusted domains. Most of the websites used in this attack were still active but had several inactive subdomains. Marvel, for example, commonly sets up temporary subdomains to promote its movies, and those subdomains may fall out of use after a few years.

Email systems and search engine crawlers treat these subdomains as trusted sources because they inherit the reputation of the parent domain. That has made it easier for threat actors to send emails containing ads, phishing links, and malware. As part of the spam campaign, they have also been using image-based content to avoid triggering spam detection. While image-based spam filtering is in development, and some studies have shown early success rates of over 99%, it is still not a widely available solution.

Who Is ResurrecAds?

ResurrecAds is a cybersecurity threat actor known for its email hijacking scheme. They target inactive or less monitored subdomains of reputable organizations to conduct spam campaigns. While detailed information about the group’s origins, members, or operational tactics remains limited, their impact is notable. They use these subdomains to bypass email authentication methods, sending out phishing emails and spreading spam under the guise of legitimate entities. The group’s anonymity and elusive nature have made them more difficult to detect and counter.

Why Domain Hijacking Is Hard To Detect

Domain hijacking is often overlooked because it mimics regular admin activity. Attackers subtly alter DNS and domain settings, making their actions seem legitimate and avoiding immediate detection. This stealthiness can cause significant delays in identifying unauthorized access, especially since routine security checks might not catch these minor yet critical changes.

Many organizations also don’t track their inactive subdomains, leaving a door for hijackers to register them. Without routine monitoring, having them hijacked may go unnoticed for months. To safeguard against these risks, companies should maintain vigilant renewal practices and conduct frequent, thorough checks of their domain registration and DNS settings, ensuring they remain secure against unauthorized changes or takeovers.

Who Is Most Vulnerable to This Type of Cyberattack?

Businesses with outdated or minimal security for domain registrations are particularly vulnerable to domain hijacking. That includes small and medium-sized enterprises that might not have strong cybersecurity measures. Organizations that neglect to update their domain registration details or fail to use available security features are more open to attack.

High-profile companies and individuals are also at risk due to the value their domains hold for malicious actors. Additionally, entities that do not monitor their inactive subdomains present opportunities for hijackers to register these lapsed domains. During mergers or administrative shifts, when domain management might be sidelined, the risk of hijacking increases. Therefore, constant vigilance and updated security practices are crucial to countering this threat.

How To Reduce the Chance of Domain Hijacking

Domain hijacking poses a real threat to any business online. If attackers take control of your domain or subdomain, the repercussions can be severe, affecting your reputation and finances. Here are a few things you can do to reduce the chance of becoming a victim:

Update Your Info: Make sure your domain’s registration details are current. The key here is the email linked to your domain – it’s crucial for receiving alerts and recovering access.

Lock It Down: Use your registrar’s domain locking feature to stop unauthorized transfers. This simple step can add a significant barrier against hijackers.

Strengthen Your Passwords: Use complex, unique passwords for your domain accounts. Change them periodically and consider a password manager to keep track of them.

Keep an Eye Out: Regularly check your inactive subdomains, along with your primary domain’s WHOIS data and DNS settings. Look for unexpected changes that could indicate tampering.

Educate Your Team: Make sure everyone knows the basics of domain security. They should know how to spot red flags and whom to notify if something seems off.

Set Up Auto-Renew: Automating your domain’s renewal can prevent it from accidentally expiring and falling into the wrong hands.

Turn on MFA: Adding a second layer of security with multi-factor authentication (MFA) can make a big difference. It ensures that your domain remains protected even if a password is compromised.

Choose a Trusted Registrar: Work with a domain registrar with a strong security and customer service reputation. They can be your ally against potential threats.

Following these tips can lower the chance of falling victim to a domain hijacking attack. The best way to prevent a cyberattack is to be proactive and stop incidents before they have a chance to happen.

How To Check if Your Subdomain Has Been Hijacked

To keep your domains and subdomains safer, it’s crucial to check for any signs of hijacking regularly. Guardio Labs offers a specialized tool for this purpose, which can be accessed here:

Guardio Labs SubdoMailing Checker

This tool helps you determine if your domain or subdomains might have been compromised or utilized in spam campaigns like SubdoMailing. By entering your domain details, you can quickly ascertain if there has been any unauthorized use, allowing you to take timely action to protect your digital assets.
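The “Keep an Eye Out” step above and the check described in this section both come down to auditing your own DNS records for names that point at something nobody controls anymore. The script below is an added example written for this article, not a tool from Guardio Labs or from the ResurrecAds report. It runs two defensive checks over a subdomain inventory: a CNAME whose target no longer resolves (a dangling record an outsider could claim), and an SPF include or redirect that names a domain which no longer resolves (the same lapsed-domain problem applied to email authentication). The DNS answers are a constructed, in-code sample so the script runs offline; the domain names, record values and resolver function are all assumptions for illustration.

```python
"""Audit a subdomain inventory for takeover signals (added example, not the article's tool).

Checks performed:
  1. dangling CNAME: a subdomain's CNAME points at a name that no longer resolves
  2. dangling SPF delegation: the domain's SPF record includes/redirects to a
     name that no longer resolves, so whoever registers it inherits mail trust

The resolver is injected so the example runs against constructed data; in
production, replace fake_resolver with a real DNS lookup of the same shape.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Resolver contract: (name, record_type) -> list of answers; [] means NXDOMAIN / no data.
Resolver = Callable[[str, str], List[str]]

# CONSTRUCTED sample zone data for an imaginary example.com (not real DNS answers).
FAKE_DNS: Dict[Tuple[str, str], List[str]] = {
    ("example.com", "TXT"): [
        "v=spf1 include:_spf.mailvendor.example include:old-agency.example -all"
    ],
    ("_spf.mailvendor.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
    # old-agency.example has lapsed entirely: it has no records of any type.
    ("promo2019.example.com", "CNAME"): ["promo2019.old-agency.example."],
    ("blog.example.com", "CNAME"): ["hosting.alive.example."],
    ("hosting.alive.example", "A"): ["198.51.100.7"],
    ("www.example.com", "A"): ["198.51.100.8"],
}


def fake_resolver(name: str, rtype: str) -> List[str]:
    """Offline stand-in for a DNS query against the constructed zone above."""
    return FAKE_DNS.get((name.rstrip(".").lower(), rtype), [])


@dataclass(frozen=True)
class Finding:
    name: str    # the record owner that needs attention
    kind: str    # "dangling_cname" or "dangling_spf_include"
    target: str  # the name that no longer resolves


def name_resolves(name: str, resolve: Resolver) -> bool:
    """True if the name has any A, AAAA, CNAME or TXT data at all."""
    return any(resolve(name, rt) for rt in ("A", "AAAA", "CNAME", "TXT"))


def check_subdomains(subdomains: List[str], resolve: Resolver) -> List[Finding]:
    """Flag inventory entries whose CNAME target has vanished."""
    findings: List[Finding] = []
    for sub in subdomains:
        for target in resolve(sub, "CNAME"):
            if not name_resolves(target, resolve):
                findings.append(Finding(sub, "dangling_cname", target.rstrip(".")))
    return findings


def check_spf(domain: str, resolve: Resolver) -> List[Finding]:
    """Flag SPF include:/redirect= targets that no longer resolve (one level deep)."""
    findings: List[Finding] = []
    for txt in resolve(domain, "TXT"):
        if not txt.lower().startswith("v=spf1"):
            continue
        for term in txt.split()[1:]:
            term = term.lstrip("+-~?")  # drop SPF qualifier prefix
            low = term.lower()
            if low.startswith("include:"):
                target = term[len("include:"):]
            elif low.startswith("redirect="):
                target = term[len("redirect="):]
            else:
                continue  # ip4:, a, mx, all, ... are not delegations to a name
            if not name_resolves(target, resolve):
                findings.append(Finding(domain, "dangling_spf_include", target))
    return findings


def audit(domain: str, subdomains: List[str], resolve: Resolver = fake_resolver) -> List[Finding]:
    """Run both checks and return every finding for review."""
    return check_subdomains(subdomains, resolve) + check_spf(domain, resolve)


if __name__ == "__main__":
    inventory = ["promo2019.example.com", "blog.example.com", "www.example.com"]
    for f in audit("example.com", inventory):
        print(f"{f.kind}: {f.name} -> {f.target}")
```

Run it against your own inventory by feeding `audit()` the list of subdomains you know about (exported from your DNS provider or zone file) and a resolver that performs real lookups; the dnspython package’s `dns.resolver.resolve(name, rtype)` fits the same `(name, record_type)` shape. Treat every finding as a record to delete or re-point rather than as proof of compromise: a dangling name is an open door, and closing it is what keeps a lapsed subdomain from being registered by someone else.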
