Cybersecurity experts are lately highlighting the degree to which threat actors have gone in abusing security protocols. They are devising newer, sophisticated techniques to bypass the protective layers to spoof sender email addresses to launch targeted malspam campaigns.
On one side, the adoption of SPF, DKIM, and DMARC is on the rise, especially after Google, Yahoo, Microsoft, and several compliance bodies have made these protocols mandatory. However, on the other side, bad actors are exploiting old, neglected domains that do have SPF and DMARC to bypass security checks that rely on domain age to assess spam potential.
How abandoned domains bypass email security?
Muddling Meerkat and other cyberactor groups are abusing old, top-level domains that have not been hosting any content for almost two decades. The reason why these domains are being targeted is that they lack most DNS records, including SPF and DMARC records. These domains are also short and in reputable TLDs.
There is another campaign, active since December 2022, that sends bulk emails with QR codes attached. Scanning the QR code redirects victims to a phishing website where they are requested to enter their identification and card details, and then inadvertently make a payment to the threat actor’s account.
These kinds of cyberattacks are not just aimed at smaller companies, but also popular brands like Amazon, Mastercard, and SMBC to essentially redirect victims to faux login pages using traffic distribution systems (TDSes). All this is done to steal credentials or sensitive data.
An automatic SPF flattening tool helps prevent email delivery issues by simplifying SPF records, reducing DNS lookups, and limiting the ability of malicious domains to bypass email security.
Domain abuse is getting cheaper and easier
Cyber actors can now abuse generic top-level domains like .xyz, .click, or .top for as little as a few dollars. These cheap domains are like their new playground to launch sophisticated phishing campaigns, spin up lookalike websites, or send spoofed emails, without a big team and budget.
Now add to that tools like PhishWP, a malicious WordPress plugin that lets attackers create fake payment pages. These pages look almost identical to real checkout pages, but they are designed to steal card details from users.
And where does all the stolen data go? These days, attackers are using Telegram as their drop-off point. Instead of setting up complex servers or infrastructure, they simply use Telegram channels or bots to collect sensitive data like login credentials and payment information. It’s fast, encrypted, and hard to trace.
Put everything together — cheap domains, plug-and-play scam tools, and secure places to receive stolen data — and phishing has become easier and cheaper to carry out than ever before.
How can domain owners and organizations prevent domain abuse?
As cyber threats get smarter and rules get tighter, setting up DMARC is no longer optional. It’s the starting point if you want your emails to be trusted, delivered properly, and protected from abuse. Here’s why it matters:
- DMARC, along with SPF and DKIM, has become a must-have in many global security and compliance standards.
- Big names like Google, Yahoo, Microsoft, and Apple now expect bulk email senders to use proper email authentication.
- If your domain isn’t protected with DMARC, you risk financial loss, brand damage, security threats, and even compliance issues.
- With AI-powered phishing attacks rising fast, having DMARC in place gives you an extra layer of defense.
- Even though regulations like PCI DSS 4.0 and DORA don’t specifically ask for DMARC, using it helps you stay on the right track with their security goals.
Talk to our team to get started with email authentication protocols so that you comply with regulations and stay shielded from domain abuses.
