Figure that it’s a typical day and you’re going through your email inbox, coffee in hand, and a familiar company catches your eye. No problem, you know who they are. Let’s see what they have to say.
But as you might imagine in an article like this, there’s more to it than that, and danger is lurking. How? You’ve been careful: you checked the email domain and everything looks legitimate.
Enter SubdoMailing. The latest trick cybercriminals are using to trick you into thinking they are someone they’re not.
All phishing emails pretend to be somebody you already trust. That’s the nature of their social engineering. So what makes SubdoMailing different from other email attacks? And why might it be the most dangerous phishing attack yet?
What is SubdoMailing?
Subdo is short for Sub-Domain. SubdoMailing is the attack strategy of taking over a legitimate subdomain and using it to evade spam detection and deceive email recipients.
What’s a subdomain? You’ve seen some addresses that have a word before the domain address, right? Something like “shop.amazon.com” is an example, where “shop” is the subdomain of “amazon.com”.
There are many phishing attacks that try to pose as a trusted brand, using a fake domain they purchased like “annazon.com”, where they use two n’s instead of an m. If you don’t look carefully, you might not notice and they can get you.
But being careful and observant will always reveal their trick, and of course the domain is actually different from the one they are pretending to be, so email security can catch them as well.
How does SubdoMailing work?
This is where SubdoMailing is different. Cyber criminals are using old, legitimate subdomains that are no longer active in their attacks.
They find an unused subdomain that still points to an old, external domain whose registration has expired. Then they buy that expired domain, which puts the brand’s subdomain under their control, and set up a fake site.
Next, they send out phishing emails pointing you to their fake site, where they use you to make money. It can be something like quiz scams to gain your personal information (such as common account security questions), phishing sites to steal your credentials, malware downloads, and even adware so they make some money while they are scamming you.
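One way to find the foothold this attack relies on in your own DNS zone is to look for subdomains whose records still point at an external domain that no longer resolves. The script below is an added example, not code from the article. The zone, the DNS answers, and all domain names in it are constructed (the `.test` TLD is reserved for examples); the resolver is a lookup table so the script runs offline, and `registrable_domain` uses a last-two-labels simplification rather than the Public Suffix List. Swap in a real resolver to audit a live zone.

```python
"""Audit a zone for dangling CNAME records, the foothold SubdoMailing abuses.

Added example, not code from the original article. Zone, DNS answers and
domain names are constructed; the resolver is a lookup table so it runs offline.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed zone for a fictional brand, example-brand.test (illustration only).
CONSTRUCTED_ZONE: List[Tuple[str, str]] = [
    ("www.example-brand.test", "example-brand.test"),
    ("promo.example-brand.test", "brand-campaign-2019.marketing-vendor.test"),  # vendor gone
    ("status.example-brand.test", "statuspage.hosting-provider.test"),
    ("old-shop.example-brand.test", "shop.defunct-platform.test"),  # platform domain expired
    ("retired-host.example-brand.test", "host-42.hosting-provider.test"),  # host deleted at provider
]

# Constructed answers standing in for DNS: an address, or None for NXDOMAIN.
CONSTRUCTED_DNS: Dict[str, Optional[str]] = {
    "example-brand.test": "203.0.113.10",
    "statuspage.hosting-provider.test": "198.51.100.7",
    "hosting-provider.test": "198.51.100.1",
    "brand-campaign-2019.marketing-vendor.test": None,
    "marketing-vendor.test": None,
    "shop.defunct-platform.test": None,
    "defunct-platform.test": None,
    "host-42.hosting-provider.test": None,
}


def table_resolver(name: str) -> Optional[str]:
    """Offline stand-in for a DNS lookup; replace with a real resolver for live audits."""
    return CONSTRUCTED_DNS.get(name.rstrip("."))


def registrable_domain(name: str) -> str:
    """Last two labels of a name. Simplification: real audits should use the Public Suffix List."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_dangling_cnames(
    zone: List[Tuple[str, str]],
    resolve: Callable[[str], Optional[str]] = table_resolver,
) -> List[Dict[str, str]]:
    """Return one finding per CNAME whose target no longer resolves.

    Severity 'high' means the target's registrable domain itself does not resolve:
    if its registration has lapsed, whoever registers it inherits the brand's subdomain.
    Severity 'medium' means the host is gone but the provider's domain is still live.
    """
    findings: List[Dict[str, str]] = []
    for subdomain, target in zone:
        if resolve(target) is not None:
            continue  # target still answers; nothing dangling here
        apex = registrable_domain(target)
        if resolve(apex) is None:
            findings.append({
                "subdomain": subdomain,
                "target": target,
                "severity": "high",
                "reason": f"{apex} does not resolve; check whether its registration has expired",
            })
        else:
            findings.append({
                "subdomain": subdomain,
                "target": target,
                "severity": "medium",
                "reason": f"host removed at {apex}; retire the CNAME or reclaim the host",
            })
    return findings


if __name__ == "__main__":
    for f in find_dangling_cnames(CONSTRUCTED_ZONE):
        print(f"[{f['severity']}] {f['subdomain']} -> {f['target']}: {f['reason']}")
```

The high-severity findings are the ones to act on first: remove the CNAME, or re-register the target domain yourself before someone else does. Run the same audit over SPF `include:` targets and MX records, which can dangle the same way.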
Why is SubdoMailing more dangerous than other phishing attacks?
This process bypasses boatloads of email security because “shop.amazon.com” is a known legitimate subdomain. (Note: I am using this purely as an example subdomain; I am in no way saying that shop.amazon.com or amazon.com are compromised or sending out phishing scams.) Because it exploits something legitimate, it just might be the most dangerous form of phishing attack to date.
It’s a pretty clever trick that most people wouldn’t expect. But how bad can it be? Is it widespread? How do domains numbering in the thousands sound? So far, around 8 thousand big-brand domains have been identified as being used in this scheme, and 5 million emails are going out every day to people and businesses just like yours and mine.
Everything from cbsnews.com to msn.com has been affected. Owners of these domains are fixing the issues where they can (the cbsnews and msn examples have been fixed as of this writing) but other domains still haven’t, such as bbb.org.
How do you stay safe from SubdoMailing attacks?
My first tip is something you can check to ensure an email you received is safe.
Caveat: this is mildly technical but is very easy for anybody to do. If it’s a bit much, I’ve got some more general safety tips following it so you can just jump to that section.
Check the email’s header for SPF authentication.
If you want more information regarding email authentication, you can read our article with an easy-to-understand breakdown of SPF, DKIM, and DMARC.
Here’s how to check the email header in Outlook. The process will be different depending on email programs or web access, but it should be similar enough to figure out.
In the email in question, click on “File” from the main menu. From there, click on “Info” and then “Properties”. This will bring up a window where the header information is seen at the bottom. See the screenshot for reference.
When you look at the header, you want to look for the SPF result, which will show “Pass” even in this case (because they are sending from a legitimate domain).
But you can check the IP address (or addresses) it is sending from. It is common for an email server to use a few IP addresses for sending, but if there are more than just a few (say, 80, as seen in some instances of this attack), that is a clear indication something is wrong.
You can go one step further and check those IPs with an online resource such as a WHOIS or ICANN lookup to see who each IP belongs to.
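The header check above can be scripted so it is repeatable. The script below is an added example, not code from the article. It pulls the SPF result, the sender IP and the mail-from domain out of the Authentication-Results header (the layout here follows what Microsoft 365 writes into the header Outlook shows), lists the IPs in the Received chain, and measures how broad the sending domain’s SPF record is. The email, the SPF TXT record and every domain and address in them are constructed; the SPF record is passed in as a string instead of being fetched from DNS so the script runs offline, and the thresholds in `assess` are assumptions to tune for your own environment.

```python
"""Summarise the authentication-related parts of an email header.

Added example, not code from the original article. The email and the SPF record
are constructed; thresholds are assumptions.
"""
import ipaddress
import re
from email import message_from_string
from typing import Dict, List

# Constructed message: headers only matter here. Continuation lines are folded
# with a leading space, as a real header would be.
CONSTRUCTED_EMAIL = """\
Authentication-Results: spf=pass (sender IP is 203.0.113.45)
 smtp.mailfrom=promo.example-brand.test; dkim=none (message not signed);
 dmarc=pass action=none header.from=promo.example-brand.test
Received: from mail.promo.example-brand.test (203.0.113.45)
 by mx.recipient.test with ESMTP; Tue, 5 Mar 2024 09:12:01 +0000
Received: from [198.51.100.23] (198.51.100.23)
 by mail.promo.example-brand.test with ESMTP; Tue, 5 Mar 2024 09:11:58 +0000
From: "Example Brand" <deals@promo.example-brand.test>
To: you@recipient.test
Subject: Claim your reward

Click here.
"""

# Constructed SPF TXT record for the mail-from domain above.
CONSTRUCTED_SPF = (
    "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.16/28 "
    "include:_spf.marketing-vendor.test include:spf.defunct-platform.test -all"
)

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def parse_auth_results(raw: str) -> Dict[str, str]:
    """Extract spf result, sender IP and mail-from domain from Authentication-Results."""
    msg = message_from_string(raw)
    header = " ".join(str(msg.get("Authentication-Results", "")).split())  # unfold
    spf = re.search(r"\bspf=(\w+)", header)
    sender = re.search(r"sender IP is ([0-9a-fA-F.:]+)\)", header)
    mailfrom = re.search(r"smtp\.mailfrom=([\w.-]+)", header)
    return {
        "spf": spf.group(1) if spf else "none",
        "sender_ip": sender.group(1) if sender else "",
        "mailfrom_domain": mailfrom.group(1) if mailfrom else "",
    }


def received_ips(raw: str) -> List[str]:
    """Distinct IPv4 addresses in the Received chain, nearest hop first."""
    msg = message_from_string(raw)
    ips: List[str] = []
    for hop in msg.get_all("Received", []):
        for ip in IPV4_RE.findall(str(hop)):
            if ip not in ips:
                ips.append(ip)
    return ips


def spf_record_breadth(txt: str) -> Dict[str, int]:
    """Count ip4/ip6 mechanisms, the addresses they cover, and include: mechanisms."""
    breadth = {"mechanisms": 0, "addresses": 0, "includes": 0}
    for term in txt.split():
        if term.startswith(("ip4:", "ip6:")):
            breadth["mechanisms"] += 1
            network = ipaddress.ip_network(term.split(":", 1)[1], strict=False)
            breadth["addresses"] += network.num_addresses
        elif term.startswith("include:"):
            breadth["mechanisms"] += 1
            breadth["includes"] += 1
    return breadth


def assess(auth: Dict[str, str], ips: List[str], breadth: Dict[str, int],
           max_hops: int = 4, max_mechanisms: int = 10) -> List[str]:
    """Turn the three summaries into findings a reader can act on. Thresholds are assumptions."""
    findings: List[str] = []
    if auth["spf"] != "pass":
        findings.append(f"SPF result is {auth['spf']}, not pass")
    if auth["sender_ip"] and auth["sender_ip"] not in ips:
        findings.append(f"sender IP {auth['sender_ip']} does not appear in the Received chain")
    if len(ips) > max_hops:
        findings.append(f"{len(ips)} relay IPs in the Received chain; unusually long path")
    if breadth["mechanisms"] > max_mechanisms:
        findings.append(f"SPF record lists {breadth['mechanisms']} mechanisms; unusually broad")
    if breadth["includes"]:
        findings.append(
            f"SPF record has {breadth['includes']} include: mechanisms; verify each included "
            f"domain is still registered and controlled by {auth['mailfrom_domain'] or 'the sender'}"
        )
    return findings


if __name__ == "__main__":
    auth = parse_auth_results(CONSTRUCTED_EMAIL)
    ips = received_ips(CONSTRUCTED_EMAIL)
    print(auth, ips, spf_record_breadth(CONSTRUCTED_SPF))
    for line in assess(auth, ips, spf_record_breadth(CONSTRUCTED_SPF)):
        print("-", line)
```

Note that a passing SPF result on its own proves little here, exactly as the article says; the useful signals are the IPs the mail actually came through and who owns them (the WHOIS step), plus how many hosts and third-party domains the sending domain’s SPF record vouches for.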
OK, like I said, this is something anybody can do, but it’s fairly detailed and not just a quick answer. Let’s move on to something a bit more general.
General safety tips:
These are some general ways you can keep your inbox a safer place.
- Always keep an eye out for emails that seem even slightly off. If it looks suspicious, it’s best to trust your gut.
- Before you click any link or download any file, double-check the sender’s details. Be on the lookout for odd spelling errors or strange email addresses.
- Educate your team about the latest phishing schemes. A bit of awareness can significantly bolster your company’s defenses. Simply knowing that SubdoMailing attacks are happening is already a step ahead.
- Upgrade your email security as part of your cybersecurity stance. It might seem like an expense, but it’s really an investment in safety and peace of mind.
If you’ve learned a bit from any of this then I’m glad. It makes you more informed and more secure. If you have other questions or need any assistance with your email security, or any of your cybersecurity concerns, then feel free to reach out and I’d be happy to help.