GoDaddy shuts down 15,000 subdomains
Researchers at the security firm Palo Alto Networks worked with domain registrar and web hosting firm GoDaddy to shut down 15,000 subdomains pitching "snake oil" products and other scams. The takedowns are linked to affiliate marketing campaigns peddling everything from weight-loss solutions and brain-enhancement pills. Those behind the spam attacks used a technique called domain-shadowing, and they were able to compromise thousands of servers and abuse hundreds of domains and website admin account credentials, according to researchers. Spam attacks associated with these subdomain takeovers date back to 2017. Links in messages pointed to subdomains of websites, which unknowingly hosted the product pitches that were backed by fake endorsements.
White investigated and traced the links in the spam messages to a URL redirection chain that eventually dumped users on the fake products' landing pages. The redirections, researchers discovered, were leveraging compromised servers. To help obfuscate the sketchy behavior, spammer also used a Caesar cipher, a simple substitution code, and a hypertext preprocessor ( PHP ) file for handling the redirections. The Caesar cipher injection is using .php files on compromised sites to drive traffic to scam pages. These include fake tech support and fake sites purporting to be news sites, reporting on the incredible effects of weight-loss and intelligence pills.
Next, researchers determined that the redirection sites and those that hosted the spam pitches were using legitimate registrant accounts in a technique called domain-shadowing. That's when hackers use stolen domain registrant credentials to create massive lists of subdomains, which are used in quickly rotating fashion to either redirect victims to attack sites, or to serve as hosts for malicious payloads. This technique is considered an evolution of fast-flux, where malicious elements are moved from place to place rapidly, in an effort to stay ahead of detection. It would seem likely that the people behind the attack were going about it in an automated fashion, logging into these legitimate domain accounts and using a dictionary of simple English words to create subdomains pointing to their redirector.
This isn't the first time GoDaddy has had to deal domain-shadowing used to link to malicious activity. Over the years the approach has been used to distribute everything from the Angler Exploit Kit to the RIG Exploit Kit. While in this particular case, the payload wasn't malware, researchers are worried about the malicious nature of those behind the spam campaigns. There are a lot of players in the affiliate marketing world, from the affiliates to the merchants and all of the networks in-between.