Palo Alto Networks’ Unit 42 threat intelligence team announced on April 25 that it worked together with GoDaddy to take down 15,000 subdomains that were engaged in scam-related affiliate marketing activities.
The impacted GoDaddy subdomains were not regular customers doing unauthorized things. Rather, the GoDaddy domains were customer accounts that had been breached and then modified to handle the scam affiliate marketing traffic, which included weight-loss products, among other goods. According to Unit 42’s research, the GoDaddy subdomains were likely breached via credential stuffing attacks. In a credential stuffing attack, passwords that have been stolen in one data breach are then used by an attacker on other sites where the victims had reused the same passwords.
“These were GoDaddy accounts for regular customers,” Jeff White, principal threat researcher for Unit 42 at Palo Alto Networks, told eWEEK. “Several hundred customers were impacted.”
A subdomain is a variation on an internet domain name, where a prefix is added, which can then be directed to a specific IP address location. For example, security.eweek.com is a subdomain that just refers back to eWEEK.com. A GoDaddy support page notes that users can create up to 100 subdomains per domain name.
White explained that with the compromised GoDaddy accounts, the attackers did not modify the CNAME (Canonical Name Record or Alias Record) with the Domain Name System (DNS) panel. DNS is the system that maps IP addresses to domain names, and there are multiple types of DNS records that are used to help direct traffic. The “A” records are often the primary records that are used to map an IP address to a name.
“These were A records that mapped to the IP for the GoDaddy redirector service, which would then subsequently forward a user to the affiliate landing page,” White said.
What the Unit 42 research effort found was that the attackers were using compromised sites as part of a larger scam involving affiliate marketing tactics. In the scam, users are tricked into clicking a link, which is then passed through several layers of redirection before hitting the final landing page. On the landing page, users are tricked into signing up for subscriptions and other unwanted items.
The precise number of individuals who clicked on the various affiliate fraud spam campaigns is not known, though Unit 42’s research estimates that on average each link it found was clicked 273 times. Across the 15,000 subdomains involved, that translates into potentially millions of impacted users.
Takedown
After White and the Unit 42 research team made GoDaddy aware of the situation, GoDaddy worked to take down the 15,000 subdomains.
“We did not engage any law enforcement, nor did GoDaddy,” he said. “GoDaddy was able to take action due to the unauthorized access and usage of their customer accounts.”
The various affiliate marketing campaigns for weight-loss and other products that White tracked are not a rare phenomenon on the modern internet. White said there are several things that regular end users can do when they think they have spotted an online scam.
“Reporting to the Better Business Bureau is a start, and then once enough complaints are lodged, they perform a formal investigation,” he said.
The reality is that users have to do something, whether it’s clicking a link or filling in a form, for the scams to work. White noted that, in general, all of these scams require the victims to go through multiple steps, including entering payment information.
“We recommend users research any products marketed via spam or online ads to determine if it is legitimate,” he said. “A good rule of thumb is the old if it sounds too good to be true, it probably is.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.