DUBAI, UAE: Infoblox Threat Intel researchers have uncovered new insights into the use of spoofed domains in modern malicious spam (malspam) campaigns: unsolicited emails carrying harmful attachments or links designed to infect the recipient's computer with malware or to steal sensitive information. The research shows how threat actors exploit domain spoofing and how pervasive the technique is. The information was gathered through a collective effort following the initial Muddling Meerkat research, with various individuals sharing data showing Muddling Meerkat behavior with the researchers. This underscores the importance of collaboration in cybersecurity, as sharing data and insights can lead to significant discoveries and improvements in threat detection and mitigation.

Key Findings:

  • Domain Spoofing in Spam: Threat actors fake (spoof) the sender address of an email to make it appear more legitimate. By using old, neglected domains, they can evade security mechanisms that check the sender domain age to identify malicious spam. The catch: While there are several mechanisms designed to protect users from spam in general and spoofing in particular, the researchers discovered that spoofing is still widely used.
  • QR Code Phishing Campaigns: These campaigns target residents of greater China, using QR codes in attachments to lead victims to phishing sites. The campaigns also leverage registered domain generation algorithms (RDGAs) to create short-lived domains.
  • Japanese Phishing Campaigns: Targeting Japanese users, these campaigns impersonate popular brands like Amazon and SMBC (one of the largest banks in Japan) to steal login credentials. The attackers use traffic distribution systems (TDS) to redirect victims meeting the right criteria to fake login pages and avoid detection by security companies.
  • Extortion Campaigns: These campaigns claim that the recipient's device has been compromised and demand payment in Bitcoin to avoid the release of embarrassing information. The spoofing here comes with a twist: The attackers spoof the recipient's own email address to appear more convincing.
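The findings above describe three header-level patterns a mail defender can check for: a spoofed From domain that is old enough to pass a sender-domain-age filter, a young short-lived (RDGA-style) sender domain, and the extortion trick of spoofing the recipient's own address. The following is an added example, not code from Infoblox or the report, that runs those checks over constructed RFC 5322 headers using Python's standard `email` module. The domain names, registration dates and Authentication-Results values are made up for the example; in practice the registration date would come from a WHOIS/RDAP lookup and the DMARC verdict from your MTA.

```python
"""Header-based spoofing checks for malspam triage (added example)."""
from datetime import date
from email import message_from_string
from email.utils import parseaddr

# Constructed registration dates standing in for a WHOIS/RDAP lookup.
# Domains and dates are invented for this example.
DOMAIN_REGISTERED = {
    "old-neglected-example.com": date(2009, 3, 14),
    "fresh-rdga-example.net": date(2024, 11, 2),
    "bank-example.jp": date(2001, 6, 1),
}


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if absent."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def domain_age_days(domain, today):
    """Age of a domain in days, or None when the registration date is unknown."""
    registered = DOMAIN_REGISTERED.get(domain)
    return (today - registered).days if registered else None


def spoof_indicators(raw_message, today=date(2024, 12, 1), min_age_days=90):
    """Return a list of spoofing indicators found in the message headers."""
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    auth_results = msg.get("Authentication-Results", "").lower()

    from_dom = domain_of(from_addr)
    indicators = []

    # Extortion pattern: the visible sender is the recipient's own address.
    if from_addr and from_addr == to_addr:
        indicators.append("self_spoof")

    # Envelope sender (Return-Path) domain differs from the header From domain.
    rp_dom = domain_of(return_path)
    if rp_dom and from_dom and rp_dom != from_dom:
        indicators.append("envelope_header_mismatch")

    # Sender-domain-age check: catches short-lived RDGA domains but, by
    # design, is blind to spoofing that borrows an old, neglected domain.
    age = domain_age_days(from_dom, today)
    if age is not None and age < min_age_days:
        indicators.append("young_sender_domain")

    # DMARC alignment failure reported by the receiving MTA.
    if "dmarc=fail" in auth_results:
        indicators.append("dmarc_fail")

    return indicators


# Constructed sample messages (headers only matter for these checks).
SAMPLE_OLD_DOMAIN_SPOOF = "\n".join([
    "Return-Path: <bounce@fresh-rdga-example.net>",
    "Authentication-Results: mx.example; spf=pass smtp.mailfrom=fresh-rdga-example.net; dmarc=fail header.from=old-neglected-example.com",
    "From: Billing <invoices@old-neglected-example.com>",
    "To: victim@example.org",
    "Subject: Invoice attached",
    "",
    "Please see the attached invoice.",
])

SAMPLE_SELF_SPOOF = "\n".join([
    "Return-Path: <bounce@fresh-rdga-example.net>",
    "From: victim@example.org",
    "To: victim@example.org",
    "Subject: Your device has been compromised",
    "",
    "Pay 0.5 BTC within 48 hours.",
])

SAMPLE_YOUNG_DOMAIN = "\n".join([
    "Return-Path: <promo@fresh-rdga-example.net>",
    "Authentication-Results: mx.example; spf=pass; dmarc=pass header.from=fresh-rdga-example.net",
    "From: promo@fresh-rdga-example.net",
    "To: victim@example.org",
    "Subject: Scan the attached QR code",
    "",
    "See attachment.",
])

SAMPLE_LEGIT = "\n".join([
    "Return-Path: <alerts@bank-example.jp>",
    "Authentication-Results: mx.example; spf=pass; dmarc=pass header.from=bank-example.jp",
    "From: alerts@bank-example.jp",
    "To: customer@example.org",
    "Subject: Monthly statement",
    "",
    "Your statement is ready.",
])

if __name__ == "__main__":
    for name, sample in [("old-domain spoof", SAMPLE_OLD_DOMAIN_SPOOF),
                         ("self spoof", SAMPLE_SELF_SPOOF),
                         ("young domain", SAMPLE_YOUNG_DOMAIN),
                         ("legitimate", SAMPLE_LEGIT)]:
        print(f"{name}: {spoof_indicators(sample)}")
```

The first sample is the point of the "old, neglected domains" finding: the From domain is fifteen years old, so the age check stays silent, and only the envelope/header mismatch and the DMARC failure expose it. The age check alone still earns its keep against the short-lived RDGA domain in the third sample, which otherwise authenticates cleanly.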

If you like mysteries, there is still one left after the research: A perplexing spam campaign purportedly from "Shanghai Yakai", the name of a Chinese freight company, that sends seemingly harmless Excel attachments with no clear purpose. Despite frequent appearances, these emails lack any call to action, leaving us to wonder about the true motive behind this enigmatic operation. What could be the reason for such an elaborate yet seemingly pointless effort?

Mohammed Al-Moneer, Regional Director, META at Infoblox comments, "At Infoblox, we are continuously uncovering new methods that threat actors employ to bypass traditional security measures, and these latest findings from Infoblox Threat Intel on the use of spoofed domains in malicious spam campaigns are a prime example. These attacks highlight how cybercriminals exploit trusted-sounding domains and utilize advanced techniques like domain generation algorithms and QR code phishing to target users. What stands out in this research is the significance of collaboration within the cybersecurity community. The collective efforts of researchers and the sharing of intelligence, such as in the case of Muddling Meerkat, are vital in staying one step ahead of these evolving threats. As attackers become increasingly sophisticated, we must remain vigilant and united in our fight to protect users and organizations from these deceptive campaigns."

The full story can be read here: https://insights.infoblox.com/resources-research-report/infoblox-research-report-muddling-malspam-the-use-of-spoofed-domains-in-malicious-spam

-Ends-

About Infoblox

Infoblox unites networking and security to deliver unmatched performance and protection.