TuesdayTool 13: GuardioLabs SubdoMailing Checker

Oloyede Olajumoke Elizabeth
3 min readFeb 27, 2024


Introduction

Recently, notable brands fell victim to a massive ad fraud campaign called “SubdoMailing”. The campaign was recorded to have used over 8,000 legitimate internet domains and 13,000 subdomains to send up to five million emails per day, generating revenue through scams and malvertising. Read the full story here. As a threat intelligence specialist, I have noticed a trend of malvertisement campaigns since last year, and it has become a major brand intelligence concern.

What then is SubdoMailing?

SubdoMailing is a threat in which threat actors hijack abandoned subdomains and domains belonging to well-known companies and use them to send malicious emails. SubdoMailing succeeds because the hijacked domains belong to trusted companies: the attackers gain the ability to bypass spam filters and, in some cases, take advantage of the configured SPF and DKIM email policies that tell secure email gateways the emails are legitimate and not spam.

How to detect SubdoMailing?

Today’s tool series brings a new tool called “GuardioLabs SubdoMailing Checker”.

GuardioLabs SubdoMailing Checker Home Page

“GuardioLabs SubdoMailing Checker” is a website designed by Guardio to empower domain owners to reclaim control over their compromised assets and shield themselves against such pervasive threats. It helps domain owners detect whether their domain has been hijacked and used in an ad fraud campaign or other related threats.

As one of my mentors would say, “Prevention is good but detection is a must”. GuardioLabs SubdoMailing Checker helps organizations detect hijacked domains and provides recommendations for recovering them. The web application “GuardioLabs SubdoMailing Checker” is updated from time to time to provide the latest detections.

How to use GuardioLabs SubdoMailing Checker?

Users can use GuardioLabs SubdoMailing Checker without registration. To use it:

  1. Visit the web application here
  2. Type your organization’s domain, or any other domain, into the check box
  3. Click Check

If the domain matches any of their records, the tool displays how many subdomains were hijacked, which subdomains were hijacked, and the date each was hijacked.

Users can click on “What should I do” under the information provided about the hijacked domain. This takes the user to guard.io/subdomailing#take-action-section, where the user is expected to type in the same domain again. Afterwards, it provides recommendations.

Recommendations

Brand intelligence will protect your organization from several threats, including SubdoMailing. Once you have confirmed that your domain has been hijacked, do the following, as suggested by GuardioLabs.

  1. Monitor all your CNAME records: your CNAME records should only point to domains under your control or under a third party’s control. Remove unused subdomains from your DNS records.
  2. Monitor your SPF policies: audit the SPF records for your main domain and every subdomain.
  3. Remove permissive SPF settings: avoid misconfigurations that permit all senders, as well as softfail and neutral catch-all settings.
  4. Implement DMARC: set DMARC to quarantine unaligned emails.
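The CNAME and SPF checks in the first three recommendations can be automated. The script below is an added example written for this post, not Guardio’s tool or code; it runs against a small constructed DNS snapshot (a hostname missing from the table stands for a name that no longer resolves, such as an expired domain) and only inspects the include and all terms of an SPF record, which is where the abandoned-include and permissive catch-all problems live.

```python
# Constructed DNS snapshot (not real records). A hostname missing from this
# table stands for a name that no longer resolves, e.g. an expired domain.
DNS = {
    "example.test": {"TXT": ["v=spf1 include:_spf.example.test include:old-vendor.test ~all"]},
    "_spf.example.test": {"TXT": ["v=spf1 ip4:192.0.2.0/24 -all"]},
    "promo.example.test": {"CNAME": "campaign.retired-saas.test."},
    "www.example.test": {"CNAME": "example.test."},
}

def spf_record(name):
    """Return the v=spf1 TXT record published at name, or None."""
    for txt in DNS.get(name, {}).get("TXT", []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None

def audit_spf(name, seen=None):
    """Walk the include chain of name's SPF record and return a list of findings."""
    seen = set() if seen is None else seen
    if name in seen:            # guard against include loops
        return []
    seen.add(name)
    record = spf_record(name)
    if record is None:
        return [f"{name}: no SPF record, so this include authorises nothing (remove it)"]
    findings = []
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # default qualifier is pass
        mech = term.lstrip("+-~?")
        if mech == "all" and qualifier != "-":               # +all, ~all or ?all
            findings.append(f"{name}: permissive catch-all '{term}' (use -all)")
        elif mech.startswith("include:"):
            target = mech.split(":", 1)[1]
            if target not in DNS:
                findings.append(f"{name}: include:{target} points at a name that no longer resolves")
            else:
                findings.extend(audit_spf(target, seen))
    return findings

def audit_cname(name):
    """Flag a CNAME whose target no longer resolves (a takeover candidate)."""
    target = DNS.get(name, {}).get("CNAME")
    if target is None:
        return []
    target = target.rstrip(".")
    if target not in DNS:
        return [f"{name}: CNAME -> {target} is dangling; delete the record or reclaim the target"]
    return []

if __name__ == "__main__":
    for host in ("promo.example.test", "www.example.test"):
        print(*audit_cname(host), sep="\n")
    print(*audit_spf("example.test"), sep="\n")
```

Against live DNS you would replace the DNS table with real TXT and CNAME lookups; the findings for the sample are the abandoned include:old-vendor.test, the ~all catch-all, and the dangling promo CNAME.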

Conclusion

GuardioLabs SubdoMailing Checker is a free, intelligent tool that I found interesting. Try checking your organization’s SubdoMailing status, and don’t forget to comment with your experience.

Until I come your way again next Tuesday, #BeCyberSmart

Cyberliza writes TuesdayTool


Written by Oloyede Olajumoke Elizabeth

I am a Cyber Threat Intelligence Analyst, Cybersecurity Trainer and Cybersecurity Researcher, skilled in Threat Hunting, Threat Intelligence and Digital Forensics.
