written by
Becca Calloway

SubdoMailing: Phishing Attacks Just Got Harder to Spot


There’s a new, ultra-sneaky type of phishing attack on the rise. These attacks are harder than most to spot, and we’ve seen a massive spike in recent weeks, with as many as five million of these fraudulent emails reaching inboxes every single day.

This new attack is called SubdoMailing. In this week’s post we’ll explain what these attacks are, how they work, why they’re so hard to spot, and as always how to keep your business safe.

What Is SubdoMailing?

On one level SubdoMailing is simple: these attacks work the same way as everyday, run-of-the-mill phishing. You get an email that urges you to click a button or link and take some action. The email looks like it’s from a brand you trust, like your bank or a popular business vendor (Microsoft or DocuSign, say). But it’s not: it’s really from scammers who set up a lookalike site to steal your information.

You click the link and attempt to log into the service, and that’s it — now the bad guys have your username and password for whatever service you thought you were logging into.

So far, that all sounds like regular phishing. What makes SubdoMailing so much worse is how the attackers pull it off.

With regular phishing, if you look closely at the URL, something will be off: the brand name will be misspelled, the brand’s name will be tucked inside a domain you have never heard of, or something else will look sketchy (as long as you know what to look for).

But with SubdoMailing, the URL might look 100% legit. It’s seriously scary stuff.

How SubdoMailing Attacks Work

So how in the world can the bad guys “steal” a link that actually has something like google.com or microsoft.com right there in the URL? Well, it’s a little technical, but bear with us — it’s worth understanding.

The bad guys are exploiting subdomains (hence the Subdo in SubdoMailing). Specifically, subdomains that brands set up at some point, stopped using, and never cleaned up.

What are subdomains? They’re the part of a web address that comes before the familiar brand name. For example:

  • mail.google.com
  • sheets.google.com
  • meet.google.com

Mail, sheets, and meet are all subdomains. Brands use them to split their main site into separate services, each with its own address.

The trouble is, brands also sometimes use subdomains in advertising, intending them to send you somewhere else. Say you get a marketing email from your favorite clothing retailer. They might set up a subdomain like sale.clothesrus.com. But there isn’t an actual webpage hosted at that subdomain. Instead, the subdomain’s DNS record is an alias (a CNAME) pointing at wherever the brand wants you to go, often a campaign site run by an agency under a completely separate domain. Whoever controls that other domain controls what you see at sale.clothesrus.com.

This is all normal, legit, regular web stuff.

But here’s the problem: sometimes a brand stops using the subdomain but forgets to delete its DNS record. It may also stop paying for the separate domain the record points at. That domain expires and eventually goes back up for sale.

The bad guys look for exactly these dangling records, register the expired domain, and put a scam website on it. Because the brand’s subdomain still aliases to that domain, sale.clothesrus.com now serves whatever the attacker hosts.

The actual link in the scam email is a genuine link to a real, resolving address under the brand’s own domain (one the brand may not realize still points anywhere). It looks legit to you, and to your spam filter, because nothing in the URL is forged: the domain is the brand’s and it has had a good reputation for years. But once you click, you land on the attacker’s page and are in danger of getting phished.
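As an added example (not code from the original post), here is how a brand could audit its own DNS for exactly this problem: walk every CNAME record in a zone export, follow the alias chain to its end, and flag any record whose final target belongs to a domain that is no longer registered. The zone (CNAME_RECORDS), the hostnames in it, and the registered-domain list (REGISTERED) are constructed sample data; `registrable_domain` uses a two-label simplification instead of the Public Suffix List, and `is_registered` stands in for a real RDAP or WHOIS lookup.

```python
"""Dangling-CNAME audit: which of our subdomains alias a domain name that
somebody else could register today?

Added example, not code from the original post. CNAME_RECORDS and
REGISTERED are constructed sample data; in a real audit, export
CNAME_RECORDS from your DNS provider and replace is_registered() with an
RDAP or WHOIS lookup.
"""

# Constructed zone export for the brand in the post: subdomain -> CNAME target.
CNAME_RECORDS = {
    # Old marketing alias; the agency domain it points at has since lapsed.
    "sale.clothesrus.com": "spring.clothesrus-promo.com",
    # Chain: first hop stays inside our zone, second hop leaves it.
    "deals.clothesrus.com": "sale.clothesrus.com",
    # Hosted storefront; the provider's domain is still registered.
    "shop.clothesrus.com": "clothesrus.storefront-host.com",
    # Plain alias to our own apex.
    "www.clothesrus.com": "clothesrus.com",
}

# Constructed stand-in for "is this domain currently registered?"
REGISTERED = {"clothesrus.com", "storefront-host.com"}


def registrable_domain(hostname: str) -> str:
    """Return the part of the hostname a registrar actually sells.

    Simplifying assumption: the registrable domain is the last two labels.
    That is wrong under suffixes like co.uk; a real tool should consult the
    Public Suffix List.
    """
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def is_registered(domain: str) -> bool:
    """Constructed check against REGISTERED; swap in RDAP/WHOIS for real use."""
    return domain in REGISTERED


def resolve_chain(name: str, records: dict, max_hops: int = 8) -> list:
    """Follow CNAME hops inside `records` until the name is no longer an alias.

    Returns every name visited, starting with `name`. A loop or an over-long
    chain stops the walk instead of recursing forever.
    """
    visited = [name]
    while name in records and len(visited) <= max_hops:
        name = records[name]
        if name in visited:  # CNAME loop
            break
        visited.append(name)
    return visited


def find_dangling(records: dict, registered=is_registered) -> list:
    """List (subdomain, final_target, registrable_domain) for every record
    whose alias chain ends under a domain that is not registered."""
    findings = []
    for subdomain in records:
        final = resolve_chain(subdomain, records)[-1]
        apex = registrable_domain(final)
        if not registered(apex):
            findings.append((subdomain, final, apex))
    return findings


if __name__ == "__main__":
    for subdomain, final, apex in find_dangling(CNAME_RECORDS):
        print(f"DANGLING {subdomain} -> {final} ({apex} is unregistered)")
```

Run as a script, this reports both sale.clothesrus.com and deals.clothesrus.com (the second one only because the chain is followed through the first). The test is deliberately on whether the target’s registrable domain is still registered, not on whether the hostname resolves: a hostname that returns NXDOMAIN under a domain the brand still owns is harmless, whereas one under an expired domain is exactly what an attacker can take over by registering it.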

What You Can Do

These attacks are unusually hard to spot, but there are still steps you can take to stay safe:

  • Stay wary of any email that seems questionable in any way. Is this something that brand regularly emails about, or are they asking you to do something they don’t normally? Does the branding, the color scheme, or the quality of the writing seem off? Then it probably is.
  • With any email alerting you to some crisis, don’t click. Instead, go to the brand’s site manually (type the address into your browser) and log in. If there’s a real crisis, the brand will tell you there too.
  • Be especially careful if a link in an email lands you on a different website entirely. That can still be legitimate, but if the destination asks for anything sensitive, it probably isn’t.
  • If your business owns a domain, audit its DNS for subdomains that still point (via CNAME or similar records) at domains you no longer control, and delete those records. Forgotten aliases are exactly what these attackers are hunting for.

Most important is setting up strong security software and building a robust cybersecurity defense. If you need help with any of this, we’re here for you. Reach out anytime.
