TL;DR: we detected a sizable number of sub-domain takeovers affecting many educational establishments and some popular domains; the full list is provided below.
Things have been very busy around here lately. This week we quietly released a completely re-written and re-architected backend for our Guardian platform. It draws on the experience we have gained in the 5 years since Guardian was first launched and took over a year to complete.
This new backend will provide the foundation for Guardian Mail to continue to grow over the coming years, and it has already produced some interesting discoveries, one of which I want to share with you now.
Blocking A Spam Gang
For some years now, the team and I have been tracking a fairly prolific spam gang. They have been relatively successful at evading other companies’ spam detection, but we have been blocking them successfully, thanks to the many customers who share anonymised SMTP transaction data with us to help us track this gang.
During the recent testing phase of our new processing infrastructure, we started to see popular domains unexpectedly appearing in our detections for this particular spam gang.
Upon closer inspection, we discovered that they had taken over portions of some very popular domains by means of dangling CNAME attacks. In such an attack, the attacker finds a CNAME record in a company’s domain that points to a hostname under a domain that has since expired. They register that domain, set up infrastructure on the hostname, and so effectively take over the sub-domain for themselves.
This is obviously very dangerous for the domains concerned because it opens them up to phishing and malware attacks, cookie harvesting, and reputational damage.
Abusix Does Not Gatekeep
Luckily for these domains, this particular gang appears simply to use them to “fly under the radar” when sending spam, phishing and malware to others, rather than to attack the parent domain, which would likely be far more damaging. They also shared infrastructure across the hostnames they had taken over, which made it easier for us to discover other CNAMEs they had hijacked.
At Abusix, rather than gatekeep intelligence like this, our goal is to get stuff shared and taken down, so we’ve copied all the relevant security teams with this information and we’re providing it here to make it known to others.
Here is the list of affected entities, the hijacked hostnames, and the CNAME targets they point to:
| Entity | Hostname | CNAME |
| --- | --- | --- |
| San Diego Supercomputer Center (UC San Diego) | brak.sdsc.edu | www.biologicalnetworks.org. |
| University of California (UCLA) | user2014.stat.ucla.edu | ucla.user2014.org. |
| Georgetown University | germs.georgetown.edu | www.georgetownems.COM. |
| SOMMARØY Hotel | meny.sommaroy.no | tasti.store. |
| Heriot Watt University | transition.hw.ac.uk | transitionheriot-watt.org.uk. |
| Olivet Nazarene University | glimmerglass.olivet.edu | onuglimmerglass.com. |
| Vodafone Italy | hackdays.vodafone.it | www.hackdays.it. |
| University of California, Davis (UC Davis) | ucdim.ucdavis.edu | www.ucdim.com. |
| cometh | meta.cometh.io | cometh.auxo.world. |
| Fantasyland Hotel | info.fantasylandhotel.com | fanatyslandhotel.com. |
| UKRAINE FOOTBALL CORPORATION | games.ukrainefootball.net | eforbgames.com. |
| Falmouth University | rane.falmouth.ac.uk | rane-research.org. |
| kingHost | wp.pecil.kinghost.net. | r0ute.ddns.net. |
| The George Washington University | gsehd-online.gwu.edu. | account.hobsonsms.com. |
| Georgetown University | journal.georgetown.edu | digitalleadershipcouncil.com. |
| Illinois Tech | courseconstruct.iit.edu. | courseconstruct.mass-hosting.com. |
| International Data Group | safeguard.idg.com | central.crashpan.com. |
| University of La Verne | dining.laverne.edu | www.lavernedining.com. |
| Kentucky Community & Technical College System | legacy.bigsandy.kctcs.edu. | www.bsctcapps.com. |
| NILU | esticc.nilu.no. | esticc.net. |
| Greenville University | professionals.greenville.edu. | account.hobsonsms.com. |
| New York Medical College | shspprograms.nymc.edu. | account.hobsonsms.com. |
| Bacone College | online.bacone.edu. | account.hobsonsms.com. |
| mail.ru | mystagetv-admin-page.imgsmail.ru. | mystage.tv. |
| University of Bordeaux | www.sb2.u-bordeaux.fr. | synthetic-biology-bordeaux.fr. |
| Connecticut’s Official State Website | cdcsstage.doc.ct.gov. | doccdcsstage.ctdoc.org. |
| King Juan Carlos University | clubdeportivo.urjc.es. | clubdeportivourjc.es. |
| AUDI UK | playout.audi.co.uk | playout.mioeverywhere.tv. |
| CNN Money | m.cnnmoney.com | mcnnmoney.codewithsnow.com. |
| OpenWest | hsctf.openwest.org | utahstatetech.com |
| University of Nice | miage.unice.fr | www.miage-nice.fr |
| Asuqu | marketsquare.asuqu.com | asuqu.stream |
| Liberation | libetwitt.liberation.fr | www.tweetclash.com. |
| Intermarche | producteursdici.intermarche.com | www.demarcheproducteursdici.fr |
| KODI Collective | alliancetitleprint.digitallizard.com | www.alliancetitleprint.com |
| Namogoo | cdn.namogoo.com. | cdn1.nmgcdn.com |
| Essec Business School | campus2020.essec.edu. | www.campus2020.fr. |
| Dave’s Running | store.davesrunning.com. | davesrunning.store.erunsolutions.com. |
| Unknown | www.darkpatternstipline.org. | darkpatternstipline.com |
| Gemological Institute of America | www.logowear.gia.edu. | gia.logsoftwear.com. |
| International Association of Business Communicators | northnz.iabc.com. | www.iabc-northnz.org. |
| MDsave Incorporated | staging-api-documentation.mdsave.com. | hubs.docql.io. |
| Pusan National University | asiahpst2016.pusan.ac.kr. | asiahpst2016.com. |
| NEXT University | promo.nextuniversity.com. | ubouncepages.com. |
| Université Laval | www.dipublique.chaire.ulaval.ca. | chaire-dipublique.djosse.fr. |
| ORACLE | go.bigmachines.com. | mkto-d0103.com. |
| Universidade Federal do Rio de Janeiro | mx3.limc.ufrj.br. | tabulae.net. |
| Universitat Politècnica de Catalunya BarcelonaTech | innotex.upc.edu. | innotexcenter.com. |
| CZECH ATHLETIC ASSOCIATION | kviz.atletika.cz. | csatletika.brandzfriendz.net |
| IdecNet SA | arnedonet.idecnet.com. | www.arnedonet.com. |
| Chicco Italia | cataloghi.chicco.com. | drake.ipaperitaly.com. |
| Insureon | go.insureon.com. | mkto-sj080250.com. |
| UC Santa Cruz | www.soar.ucsc.edu. | www.soarucsc.org. |
| Launch Medical | track.getmyphoenix.com. | morthelorpowasure.com. |
| Artsana Group | medicalcenter.artsana.it. | drake.ipaperitaly.com. |
| Weber Shandwick | ahub-qa.webershandwick.com | ahub-qa.wsbinfra.net |
| Orderfox Schweiz AG | api.orderfox.com | orderfox-api.orderfox-prod.com |
| Seoul National University of Science & Technology | asrri.seoultech.ac.kr | asrri.kr |
| Nexstar Media Inc. | blogs.wane.com | lb.linapps.io. |
| Atlas.cz | *.dev1.atlas.cz | webdev1.atlasdev.cz |
| SPORT | bstories.sport.es | bstories.sport.es.s.lb.appnbs.cloud |
| mydays | chat.mydays.de | mydays-chatwebservice-first.com |
| Wine Align | cru.winealign.com | atmr.ch. |
| GovAssist, LLC | go.visaexpress.us.com | knomomain-enquate.com. |
| JFK School of Law at National University | go.jfku.edu | mkto-ab040129.com |
| Savvy + Co. Real Estate | img.savvyandcompany.com | imb.ggwz.us |
| KPN | imode.planet.nl | www.myimode.nl |
| The George Washington University | m.digitalcommunity.gwu.edu | web-01.influence-technologies.com. |
| Ashford Luxury Watches | mail.ashford.com | mail1.hswwco.net |
| Unknown | mail.invitinginbox.com | inb.myvinmail.com |
| Unknown | membersarea.13premiumbeardcare.com | mf.invanto.io. |
| Orange Belgium | mtv.mobistar.be | mobistar.telemak.mobi |
| Tiscali Italia | nemexia.giochionline.tiscali.it | www.nemexia.it |
| IS4U, s.r.o. | roger.is4u.cz | time-tables.com |
| Roof Maxx | smbtrack.roofmaxx.com | amerontenquiry.com |
| Step2 | steppingstones.step2.com | atmr.ch. |
| PACESETTER SPORTS | store.pacesettersports.com | pacesettersports.store.erunsolutions.com |
| Eskişehir Osmangazi University | ukmk11.ogu.edu.tr | ukmk.teknokongre.com |
| StreetSignals | wealth.streetsignals.com | drobvided-metylight.com |
| MicroSmallCap | wealth.microsmallcap.com | drobvided-metylight.com |
| D-BOX Technologies | www1.d-box.com | livetheaction.ws |
| University of Alicante | www.master-guitar-alicante.ua.es | www.master-guitar-alicante.com |
| Unknown | www.crownchristianuniversity.com | cr.invanto.io |
All of the active infrastructure of this gang is automatically tracked and listed by our Guardian products, much of it unique to our service.
The IPs that the CNAMEs point to are hosted in various places, but after using our ContactDB service to normalize the IPs by abuse desk, the top 10 networks are:
- 215 [email protected]
- 56 [email protected]
- 47 [email protected]
- 41 [email protected]
- 39 [email protected]
- 37 [email protected]
- 36 [email protected]
- 35 [email protected]
- 31 [email protected]
- 29 [email protected]
Most of the domains registered for the purposes of the CNAME takeover were registered through NameCheap or WildWestDomains, and two used the dynamic DNS services ddns.net and dyndns.org.
It should also be noted that many of the SPF records published on these CNAMEs point to domains hosted by Cloudflare (healtheweb.co.uk), along with several eu.org sub-domains that also use Cloudflare for name services.
Let this post serve as a reminder to check your DNS for dead CNAMEs that should be removed; otherwise your domain could end up being used in this way!
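As an added example (this is not Abusix’s code, nor any tool from the post), the following Python script performs the check this reminder calls for, against the dangling-CNAME mechanism described earlier: it parses the CNAME records in a BIND-style zone excerpt, resolves each target’s registrable domain, and flags targets whose domain is no longer delegated (the state an attacker exploits by registering it) separately from targets whose host is merely gone. The zone excerpt, the resolver answers and the public-suffix subset are all constructed assumptions; `live_resolve` shows how to swap in dnspython for a real zone.

```python
"""Dangling-CNAME audit for a zone file excerpt.

Added example, not Abusix's code: parses CNAME records, resolves each
target through a pluggable resolver, and flags the two states a defender
cares about:
  * the target's registrable domain returns NXDOMAIN (no delegation in the
    TLD, so anyone could register it): takeover risk;
  * only the target host is gone: a dead record that should be removed.
"""
from dataclasses import dataclass

# Assumption: a tiny stand-in for the Public Suffix List. Real audits should
# use the full list (e.g. the publicsuffix2 package) instead of this subset.
PUBLIC_SUFFIXES = {"com", "net", "org", "edu", "io", "co.uk", "ac.uk", "org.uk"}

# Constructed zone excerpt for the demo; none of these names are from the post.
SAMPLE_ZONE = """\
$ORIGIN example.edu.
www      3600 IN A     192.0.2.10                      ; healthy A record
brak     3600 IN CNAME www.expired-partner.org.        ; partner's domain lapsed
glimmer   300 IN CNAME old-host.still-registered.net.  ; host gone, domain kept
cdn       300 IN CNAME cdn.partner-cdn.net.            ; healthy CNAME
"""

# Constructed resolver answers standing in for live DNS in the demo.
FAKE_ANSWERS = {
    "expired-partner.org": "NXDOMAIN",
    "www.expired-partner.org": "NXDOMAIN",
    "old-host.still-registered.net": "NXDOMAIN",
}


def fake_resolve(name):
    """Offline resolver: NXDOMAIN for the names above, NOERROR otherwise."""
    return FAKE_ANSWERS.get(name, "NOERROR")


def live_resolve(name):
    """Adapter for real checks using dnspython (not used by the offline demo)."""
    import dns.resolver  # third-party: pip install dnspython
    try:
        dns.resolver.resolve(name, "A")
        return "NOERROR"
    except dns.resolver.NXDOMAIN:
        return "NXDOMAIN"
    except dns.resolver.NoAnswer:
        return "NOERROR"  # the name exists, it just has no A record
    except Exception:
        return "SERVFAIL"


def qualify(name, origin):
    """Make a zone-file name absolute and lower-case ('@' shorthand not handled)."""
    name = name.lower()
    if name.endswith("."):
        return name.rstrip(".")
    return f"{name}.{origin}" if origin else name


def parse_cname_records(zone_text):
    """Return (owner, target) pairs for CNAME lines in a BIND-style excerpt."""
    origin, records = "", []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip comments
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1].rstrip(".").lower()
            continue
        if "CNAME" not in fields:
            continue
        target = fields[fields.index("CNAME") + 1]
        records.append((qualify(fields[0], origin), qualify(target, origin)))
    return records


def registrable_domain(name):
    """Strip host labels down to the registrable domain (suffix + one label)."""
    labels = name.split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return name


@dataclass
class Finding:
    owner: str
    target: str
    reason: str


def audit_cnames(records, resolve):
    """Classify each CNAME; resolve(name) returns NOERROR, NXDOMAIN or SERVFAIL."""
    findings = []
    for owner, target in records:
        apex = registrable_domain(target)
        apex_rc = resolve(apex)
        if apex_rc == "NXDOMAIN":
            # No delegation exists for the domain: confirm via RDAP/WHOIS, then
            # remove the record before someone else registers the name.
            findings.append(Finding(owner, target, "takeover risk: " + apex + " is not delegated"))
        elif apex_rc == "SERVFAIL":
            findings.append(Finding(owner, target, "unverified: " + apex + " does not resolve"))
        elif resolve(target) == "NXDOMAIN":
            findings.append(Finding(owner, target, "dead CNAME: target host does not exist"))
    return findings


if __name__ == "__main__":
    for f in audit_cnames(parse_cname_records(SAMPLE_ZONE), fake_resolve):
        print(f"{f.owner} -> {f.target}: {f.reason}")
```

NXDOMAIN for the target’s apex means the parent TLD has no delegation for it, which is the strong signal here; confirm with the registry’s RDAP service before acting, and treat SERVFAIL results as unverified rather than safe, since a domain that is registered but unreachable still needs a human look.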
Lastly, if you are receiving abuse but you don’t have the time or patience to report it, then we want to help! You can use our free Global Reporting service: you send us the abuse report, we validate it to make sure all the basic requirements are met, and then we send it to the appropriate abuse desk on your behalf.
We can also do the same with user feedback from your email system: if you have a “Report Spam” function, you can report it to us and we will forward it as a Feedback Loop to the originating mail system, provided they abide by RFC 9477 and we know they’re trustworthy.
You can find out more about both of these services on our website.