Infoblox Threat Intel Research Uncovers Widespread Domain Spoofing Campaigns Targeting Asia
Infoblox Threat Intel researchers uncover fresh information about how spoofed domains are used in malspam
Infoblox Threat Intel researchers have discovered new insights into the use of spoofed domains in modern malicious spam campaigns, also known as malspam. The campaigns send unsolicited emails that contain harmful attachments or links designed to infect the recipient’s computer with malware or steal sensitive information. Many of the most prolific threat actors target countries in Asia, specifically Greater China and Japan.
Earlier this year, Infoblox Threat Intel identified Muddling Meerkat, a Chinese threat actor who is capable of controlling China’s Great Firewall. Following the initial research, various individuals shared data on Muddling Meerkat behaviour with the researchers, leading them to uncover multiple malspam campaigns leveraging similar techniques.
Key Findings:
- QR Code Phishing in China: These campaigns target residents of Greater China, using QR codes embedded in attachments to lead victims to phishing sites. The campaigns also leverage registered domain generation algorithms (RDGAs) to generate and register large numbers of short-lived domains.
- Brand Impersonation in Japan: Targeting Japanese users, these campaigns impersonate popular brands like Amazon and SMBC, one of the largest banks in Japan, to steal login credentials. The attackers use traffic distribution systems (TDS) to redirect victims meeting the right criteria to fake login pages and avoid detection by security companies.
- Domain Spoofing Techniques: By spoofing old, neglected domains as the sender, threat actors evade security mechanisms that use sender domain age to identify malicious spam. Although several mechanisms exist to protect users from spam in general and spoofing in particular, the researchers found that spoofing remains widely used.
- Extortion Campaigns: These campaigns claim that the recipient's device has been compromised and demand payment in Bitcoin to prevent the release of private information. To appear more convincing, the attackers spoof the recipient's own email address as the sender.
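The findings above describe what a mail gateway can and cannot see. As an added example (not Infoblox's code and not taken from the research), the following stdlib-only Python script parses message headers and flags the two indicators that survive even when the spoofed sender domain is old: a visible From address that equals the recipient (the extortion pattern) and a From domain that fails DMARC or differs from the envelope (Return-Path) domain. The three messages are constructed for illustration; the domain-age check mentioned in the findings is deliberately not implemented here, since it needs a registry lookup and is the check the aged-domain technique defeats.

```python
"""Flag sender-spoofing indicators in e-mail headers (added example, stdlib only)."""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample messages; these are not real captures from the research.
EXTORTION_MAIL = """\
From: victim@example.com
To: victim@example.com
Return-Path: <x7h2@old-neglected-domain.example>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=old-neglected-domain.example; dkim=none; dmarc=fail header.from=example.com
Subject: Your device has been compromised

Send 0.5 BTC within 48 hours or the recordings go public.
"""

BRAND_MAIL = """\
From: "Amazon" <no-reply@amazon.co.jp>
To: user@example.jp
Return-Path: <bounce@tds-relay.example>
Authentication-Results: mx.example.jp; spf=pass smtp.mailfrom=tds-relay.example; dkim=none; dmarc=fail header.from=amazon.co.jp
Subject: Account verification required

Confirm your login: https://example.invalid/login
"""

LEGIT_MAIL = """\
From: alerts@bank.example
To: user@example.jp
Return-Path: <alerts@bank.example>
Authentication-Results: mx.example.jp; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example
Subject: Statement available

Your statement is ready.
"""


def _domain(header_value):
    """Return the lower-cased domain of an address header, or '' if unparseable."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header):
            results[method] = verdict.lower()
    return results


def spoofing_indicators(raw_message):
    """Return a sorted list of indicator names found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    indicators = set()

    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    from_domain = _domain(msg.get("From"))
    envelope_domain = _domain(msg.get("Return-Path"))
    recipients = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}

    # Extortion pattern: the visible From is the recipient's own address.
    if from_addr and from_addr in recipients:
        indicators.add("from_equals_recipient")

    # The display From domain differs from the bounce domain: the message was
    # injected through infrastructure the From domain does not control.
    if from_domain and envelope_domain and from_domain != envelope_domain:
        indicators.add("from_envelope_mismatch")

    results = auth_results(msg)
    # SPF can pass for the attacker's envelope domain while the visible From is
    # spoofed; DMARC is the check that aligns the two, so its failure matters.
    if results.get("dmarc") == "fail":
        indicators.add("dmarc_fail")
    if results.get("dkim") in ("none", "fail") and results.get("dmarc") != "pass":
        indicators.add("no_valid_dkim")
    return sorted(indicators)


if __name__ == "__main__":
    for name, mail in (("extortion", EXTORTION_MAIL), ("brand", BRAND_MAIL), ("legit", LEGIT_MAIL)):
        print(name, spoofing_indicators(mail))
```

The legitimate message produces no indicators even though its sender domain is unknown to the script, which is the point: alignment between From, envelope and DMARC is a property of the message itself, whereas domain age is a property the attacker chooses by picking an aged, neglected domain.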
“What makes this research valuable is how clearly it reveals the mechanics of domain spoofing in malspam operations,” said Paul Wilcox, VP of APJ for Infoblox. “It is alarming to see how these attacks leverage cultural and technological preferences, such as QR codes and popular local brands, to maximise their effectiveness. Understanding how threat actors exploit these domains gives us actionable insights to help organisations better protect themselves.”