GoDaddy Takes Down 15,000 Spammy ‘Snake Oil’ Subdomains

You’ve seen the ads in your email or online: Celebrities supposedly hawking miracle weight-loss cures or galaxy brain supplements. They’re endemic to the web, as deeply ingrained as hashtags and puppies. But even though plenty of people fall for them, no one ever actually does anything about it. Of all the security threats online, spam ranks fairly low on the priority list.

Which is why it’s surprising, and great, that GoDaddy and security firm Palo Alto Networks’ Unit 42 have taken down 15,000 subdomains dedicated to selling those phony pharmaceuticals under false pretenses. The two-year investigation that led them there offers some useful insights into what makes these campaigns tick.


The details vary somewhat from one spam scam to the next, but the campaign that Palo Alto Networks researcher Jeff White tracked follows the same basic steps. It starts with an email, one that claims Stephen Hawking or Gwen Stefani or the Shark Tank crew swears by a dodgy medical product. The URL is shortened, so you can’t tell where it leads. After a couple of redirects, you land on a domain that looks like TMZ, E! Online, or some other legitimate site. Every clickable element on that page, even the ones that seem benign, like a Facebook Like button or a Contact Us form, leads to another page that tries to sell you fake drugs.

If they’re successful, and you give them your credit card number, two things happen. First, the affiliate marketing spammer who likely generated the subdomain gets a cut of the sale. And whoever’s peddling the bogus goods might send you a free sample, but they’ll also start charging you as much as $100 a month from then on, with ongoing subscription fees buried deep in the terms of service.

“When people go to cancel, they realize that they can’t,” says Jen Miller-Osborn, deputy director of threat intelligence at Unit 42. “A lot of times when they try to contact the company, no one gets back to them. No one’s ever going to get back to them, because that’s how these companies make their money, off of these refills.”

The only recourse, Miller-Osborn says, is going to your credit card company and hoping they’ll cancel the charges.

Account Takeover

Jeff White has never fallen for one of these scams, but like many internet users, they caught his eye several years ago. He has tracked them diligently since 2017, when he first noticed that many of the sites appeared to share a common template. “I began noticing slight differences every month until something clicked, and what once was background noise now was something of interest,” White writes in a blog post detailing the investigation, which covered hundreds of spam sites.

On even closer inspection, he found that many of the domains being used as redirects in the spam campaign seemed to have started out as legitimate. Why, after all, would a spammer set up a legitimate-looking business site and then use it to shill fake supplements? After some sleuthing, White worked out the truth: Affiliate spammers had compromised the accounts of hundreds of GoDaddy customers, likely through a combination of a phishing campaign and credential stuffing, two common methods of obtaining or guessing people’s login information.

Once they had access to those accounts, the hackers would leave the main website alone but surreptitiously create hundreds or even thousands of subdomains under it. They would then use these so-called shadow domains to send spam emails or game the search-engine-optimization system, unbeknownst to the sites’ owners.

“GoDaddy recommends using multifactor authentication and different passwords on different services to prevent these types of attacks from being successful,” the company said in a statement. “GoDaddy takes the security of our network and our customers’ accounts very seriously, and we’ll continue to collaborate with the security community to identify and resolve these types of attacks.”

Once White had identified recurring patterns in the campaign, the Unit 42 team wrote scripts to automate the identification of the shadow domains. He identified 15,000 illicit subdomains in all; GoDaddy shut them down in March.
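The article does not show Unit 42’s scripts, and the following is an added example rather than their code or GoDaddy’s. It takes the domain owner’s side of the same problem: given a DNS record export from the registrar (assumed here to carry a name, type, target and creation date per record) and the owner’s own inventory of legitimate hosts and hosting targets, it flags subdomains that look like the shadow domains described above. The sample zone, the inventory sets, and the thresholds are all constructed for illustration.

```python
# Added example (not Unit 42's or GoDaddy's code): audit a registrar's DNS
# record export for "shadow" subdomains of the kind described above. Assumes
# the zone can be exported as (name, type, target, created-date) rows and that
# the owner keeps an inventory of hosts and hosting targets they actually use.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str      # fully qualified host, e.g. "www.example.com"
    rtype: str     # "A" or "CNAME"
    target: str    # IPv4 address or CNAME target
    created: str   # creation date as exported (assumed field, ISO format)


# Constructed sample zone: three legitimate hosts, one forgotten staging host,
# and a burst of attacker-created subdomains parked on hosting the owner
# does not control.
ZONE = [
    Record("example.com", "A", "203.0.113.10", "2015-03-02"),
    Record("www.example.com", "CNAME", "example.com", "2015-03-02"),
    Record("mail.example.com", "A", "203.0.113.11", "2015-03-02"),
    Record("staging.example.com", "A", "203.0.113.10", "2018-06-20"),
    Record("x3f8k2.example.com", "A", "198.51.100.7", "2019-02-11"),
    Record("dietpills-news.example.com", "A", "198.51.100.7", "2019-02-11"),
    Record("tmz-exclusive.example.com", "CNAME", "cdn.spam-host.invalid", "2019-02-11"),
]

# The owner's inventory of hosts and hosting endpoints (assumed to be maintained).
KNOWN_HOSTS = {"example.com", "www.example.com", "mail.example.com"}
KNOWN_TARGETS = {"203.0.113.10", "203.0.113.11", "example.com"}


def looks_random(label: str) -> bool:
    """Cheap heuristic for machine-generated labels: letters mixed with digits,
    or no vowels at all, once the label is long enough to matter."""
    if len(label) < 6:
        return False
    has_digit = any(c.isdigit() for c in label)
    has_alpha = any(c.isalpha() for c in label)
    vowels = sum(c in "aeiou" for c in label.lower())
    return (has_digit and has_alpha) or vowels == 0


def audit(zone, known_hosts, known_targets, burst_threshold=3):
    """Return {hostname: [reasons]} for every record with at least one red flag."""
    # Count creations per day, ignoring inventoried hosts, to spot bulk creation.
    created_per_day = Counter(r.created for r in zone if r.name not in known_hosts)
    findings = {}
    for r in zone:
        reasons = []
        if r.name not in known_hosts:
            reasons.append("not in host inventory")
        if r.target not in known_targets:
            reasons.append(f"points outside known infrastructure ({r.target})")
        if looks_random(r.name.split(".")[0]):
            reasons.append("random-looking label")
        burst = created_per_day[r.created]
        if r.name not in known_hosts and burst >= burst_threshold:
            reasons.append(f"{burst} uninventoried records created on {r.created}")
        if reasons:
            findings[r.name] = reasons
    return findings


def suspects(findings, min_reasons=2):
    """Inventory gaps alone are noise (a forgotten staging host); treat a record
    as a likely shadow domain only when several signals agree."""
    return {name for name, reasons in findings.items() if len(reasons) >= min_reasons}


def shared_targets(zone, names):
    """Group suspect subdomains by where they point: many shadow domains on one
    account tend to land on the same few spam hosts."""
    groups = {}
    for r in zone:
        if r.name in names:
            groups.setdefault(r.target, set()).add(r.name)
    return groups


if __name__ == "__main__":
    found = audit(ZONE, KNOWN_HOSTS, KNOWN_TARGETS)
    for name, reasons in found.items():
        print(name, "->", "; ".join(reasons))
    print("likely shadow domains:", sorted(suspects(found)))
    print("by target:", shared_targets(ZONE, suspects(found)))
```

On the constructed zone, the three records created in one day and pointing at hosting outside the inventory are reported as likely shadow domains, while the forgotten staging host is flagged only for being missing from the inventory, which is the kind of single-signal hit an owner should check but not panic over. The same three signals (bulk creation, unfamiliar targets, generated-looking labels) are what make a compromised account stand out even when the main site is untouched.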

Making a Dent

White isn’t the first person to look under the hood of these spam campaigns. Security reporter Brian Krebs took a close look at two major spam pharmacies in his 2014 book Spam Nation. And even the Today Show analyzed a specific malicious ad that showed a fake Savannah Guthrie endorsement. But actually dismantling these networks doesn’t happen as often as you’d think.

In part that’s because, frankly, it’s not worth it. White scratched an itch, but it’s not one that most researchers, or law enforcement agencies, share. “The unfortunate truth is, they’ll probably be back after this,” Miller-Osborn says. “It’s not the easiest thing to prosecute. It doesn’t necessarily have the biggest penalty if you did prosecute it. There’s not a ton of impetus on either side, going after them or motivation not to do it.”

But perhaps this takedown makes an argument that there should be more of an effort to dismantle these campaigns. The dozens of shortened links White saw were clicked an average of 273 times each. Extrapolate that out to 15,000 subdomains, and you wind up with millions of potential victims.

Unit 42 has no insight into how many people actually fell for the scam, and the number of credit card numbers that wound up in the hands of bad-faith drug merchants is likely much smaller. “There’s not like a 100 percent conversion rate,” says Crane Hassold, senior director of threat research at security firm Agari. “You’ll have a population of potential victims who click on a link and go to a website, but there’s a large percentage of those people who don’t end up getting compromised.”

Still, there’s a reason you see this particular scam everywhere: It’s profitable. Even if torpedoing 15,000 domains won’t make much of a dent in one of the most pervasive scourges of the web, as Miller-Osborn fully acknowledges, it at least shines a light on the problem. You can’t clear all the rats out of the sewer, but you can at least remind them that you’re there.
