Unit 42, GoDaddy Shutter Subdomains Selling Miracles


Palo Alto Networks and GoDaddy recently collaborated to take down some 15,000 subdomains promoting weight-loss products and other goods promising miraculous results. The websites sought to persuade millions of consumers into buying products backed by bogus endorsements purporting to be from celebrities including Stephen Hawking, Jennifer Lopez and Gwen Stefani.

The compromised sites were uncovered in an investigation by Palo Alto Networks Unit 42 researcher Jeff White, who examined a massive campaign in which affiliate marketers used spam to push victims to sites where they were sometimes tricked into unknowingly signing up for expensive subscriptions for goods. He discovered the network after noticing striking visual similarities in templates used to build websites selling seemingly unrelated goods — from diet pills and brain boosters to CBD oil.

GoDaddy reviewed Unit 42’s findings and discovered the sites had been pointing to subdomains belonging to several hundred customers whose accounts had been compromised using legitimate credentials. The attackers most likely obtained those credentials through phishing scams that tricked customers into revealing their passwords, and also through credential stuffing, in which attackers exploit password reuse across accounts by taking login data stolen from one site and using it to log in to another.

GoDaddy shut down the compromised subdomains in March, prompted affected customers to reset their passwords, and notified them that a security action had been taken.

Unit 42 has published a detailed report on the investigation, in which White describes how he discovered the network as part of a two-year deep dive into the world of affiliate marketing, how he mapped out the network’s infrastructure, and how he uncovered the malicious subdomains that he reported to GoDaddy. It describes how victims are targeted with spam containing shortened links that direct them to websites on compromised accounts, which in turn forward them to sites offering products promising miraculous results.

Unit 42 recommends that consumers be on guard for similar online scams, particularly when considering purchasing goods promoted through email. Users should research all products marketed via email or online ads to determine whether they are legitimate. The products highlighted in White’s research report all had multiple complaints that were easy to find online. A good rule of thumb is the old adage “if it sounds too good to be true, it probably is.”

To prevent accounts from being compromised, Palo Alto Networks recommends securing all accounts with unique, strong passwords and implementing two-factor authentication whenever it is offered.