Big spamming op sees 8,000+ domains of trusted brands spoofed

Feb 27 2024

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that’s like an educational #cybertruck to protect you from cybercrime ????️

Today’s hottest cybersecurity news stories:

  • ⚠️ Big spamming op sees 8,000+ domains of trusted brands spoofed ????

  • ????‍???? IDAT loader uses steganogrophy to deploy Remcos RAT. Watch out! ????

  • ???? Rocket man strikes again! N. Korean hackers target devs w/ packages ????

Domain thing to remember is… ????????????


???????? SubdoMailing Saga Unveiled! ????????

In a shocking revelation, Guardio Labs has uncovered a massive spam operation dubbed SubdoMailing, orchestrated by a threat actor ominously known as ResurrecAds! ????????

This sophisticated scheme involves hijacking over 8,000 domains and 13,000 subdomains belonging to reputable brands like eBay, McAfee, and UNICEF. ????️????

But wait, there’s more! ResurrecAds isn’t playing by the rules. They’ve crafted a devious distribution architecture, slipping past security measures with ease and dodging text-based spam filters like a pro! ????️‍♂️????

And it gets even trickier – these malicious emails are cleverly disguised as images, bypassing standard security blocks and luring unsuspecting victims into a maze of redirects, leading to malicious content tailored for maximum profit! ????????

But fear not! Guardio isn’t backing down. With their SubdoMailing Checker, domain administrators and site owners can now detect signs of compromise and safeguard against this nefarious campaign. ????️????

The battle against cyber threats rages on, but with vigilance and determination, we’ll keep our digital world safe from harm! ????????


Signup for Free


Learn AI in 5 minutes a day. We’ll teach you how to save time and earn more with AI. Join 400,000+ free daily readers for trending tools, productivity boosting prompts, the latest news, and more.

Who dat? IDAT ????

????️ Ukrainian Entities in Finland Targeted by Malicious Campaign! ????

Threat actors identified as UAC-0184, tracked by CERT-UA, unleash a devious assault using the IDAT Loader to spread the Remcos RAT. ????????

Morphisec researcher Michael Dereviashkin sheds light on the attack’s sophisticated use of steganography, a well-known but formidable technique for defence evasion. ????????️‍♂️

The IDAT Loader, often associated with the Hijack Loader family, serves as a conduit for various payloads, including DanaBot and RedLine Stealer. ????????

This onslaught aligns with a phishing campaign unveiled by CERT-UA, employing war-themed lures to initiate an infection chain leading to Remcos RAT deployment via embedded steganographic PNG files. ????????

???? FYI: Steganography is the technique of hiding data within an ordinary, nonsecret file or message to avoid detection; the hidden data is then extracted at its destination. ????

Meanwhile, defence forces face another threat as UAC-0149 leverages the Signal app to distribute booby-trapped Excel documents, facilitating the execution of COOKBOX, a PowerShell-based malware. ????????

Adding to the turmoil, PikaBot malware reemerges with a revamped variant boasting new unpacking methods and heightened obfuscation, signalling active development efforts. ????????

As cyber adversaries evolve their tactics, vigilance and robust defences remain paramount in safeguarding against malicious incursions. ????????️

???? Catch of the Day!! ????????????

???? The Motley Fool: “Fool me once, shame on — shame on you. Fool me — you can’t get fooled again.” Good ol’ George Dubya ???? Let us tell who’s not fooling around though; that’s the Crüe ???? at Motley Fool. You’d be a fool (alright, enough already! ????) not to check out their Share Tips from time to time so your savings can one day emerge from their cocoon as a beautiful butterfly! ???? Kidding aside, if you check out their website they’ve actually got a ton of great content with a wide variety of different investment ideas to suit most budgets ???? (LINK)

???? Wander: Find your happy place. Cue Happy Gilmore flashback ????️⛳????????️ Mmmm Happy Place… ???? So, we’ve noticed a lot of you guys are interested in travel. As are we! We stumbled upon this cool company that offers a range of breath-taking spots around the United States and, honestly, the website alone is worth a gander. When all you see about the Land of the free and the home of the brave is news of rioting, looting and school shootings, it’s easy to forget how beautiful some parts of it are. The awe-inspiring locations along with the innovative architecture of the hotels sets Wander apart from your run of the mill American getaway ????️???? (LINK)

???? Digital Ocean: If you build it they will come. Nope, we’re not talking about a baseball field for ghosts ???????? (Great movie, to be fair ????). This is the Digital Ocean who’ve got a really cool platform for building and hosting pretty much anything you can think of. If you check out their website you’ll find yourself catching the buzz even if you can’t code (guilty ????). But if you can and you’re looking for somewhere to test things out or launch something new or simply enhance what you’ve got, we’d recommend checking out their services fo’ sho ???? And how can you not love their slogan: Dream it. Build it. Grow it. Right on, brother! ???? (LINK)

Time to rethink a Korea in dev? ????

???? North Korean Actors Tied to Malicious npm Packages! ????

Phylum’s latest findings unveil a sinister link between fake npm packages and North Korean state-sponsored threat actors. ????️‍♂️????

Dubbed execution-time-async, data-time-utils, login-time-utils, mongodb-connection-utils, and mongodb-execution-utils, these packages pose as legitimate Node.js utilities, infiltrating developers’ systems with malicious intent. ⚠️????

In a clever ploy, the adversaries concealed nefarious code within a test file, triggering the installation of cryptocurrency and credential stealers upon execution. ????????

Further investigation revealed telltale signs pointing to a deleted GitHub profile, leading to a repository housing Python scripts utilised to fetch additional payloads and steal browser credentials. ????????️

???? Connections to North Korean Actors Uncovered! ????

The discovery of similar JavaScript-based malware, including BeaverTail, suggests ties to known North Korean threat campaigns, like Contagious Interview. ????????

Attempts to obfuscate identities through fake job postings and repository names underscore the adversaries’ sophisticated tactics. ????????

As developers remain prime targets, heightened awareness and vigilance are essential to combating these insidious attacks. ????️????

????️ Extra, Extra! Read all about it!

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • The GeekAI: A daily 3 min newsletter on what matters in AI, with all the new AI things coming to market its good to stay ahead of the curve.

  • Wealthy Primate: Want to earn over $100k a year in IT or cybersecurity? 20 year veteran ‘Wealthy Primate’ might be able to help you climb that tree ???????? with his stick and banana approach ????????

  • Techspresso: Receive a daily summary of the most important AI and Tech news, selected from 50+ media outlets (The Verge, Wired, Tech Crunch etc)

Let us know what you think!

So long and thanks for reading all the phish!

Recent articles