Home Articles Why GoDaddy Shut Down 15000 Subdomains

Why GoDaddy Shut Down 15000 Subdomains


Recently, GoDaddy shut down over 15000 subdomains used for affiliate marketing spam campaigns. Read on to know more about it…

Recently, GoDaddy shut down over 15000 subdomains used for affiliate marketing spam campaigns. Most of the products promoted through these website were brain supplements, weight loss pills, CBD oils, and other dietary products. These promoted products carried fake endorsements from celebrities such as Stephen Hawking, Jennifer Lopez, Gwen Stefani, Blake Shelton, Wolf Blitzer, the Shark Tank TV show, among others.

What is worrying is that the scammers carried out several affiliate marketing spam campaigns leveraging GoDaddy subdomains and fake celebrity endorsements.

Jeff White, a security researcher from Palo Alto Networks, uncovered these spam campaigns two years ago. Since then, White has been collecting spam emails and investigating into the scammers’ operations. GoDaddy was not the party who discovered this massive network of shady domains, but Palo Alto Networks security researcher Jeff White. Jeff first encountered this gang’s shady domains nearly two years ago, when he also started an investigation into their operations.

Ever since then, the researcher has been collecting spam email that the scammers have been sending out in droves each they, and indexing the subdomain URLs promoting these fake products. Earlier this year, White shared his findings with GoDaddy, where most of these domains were being hosted.

Earlier this year, security researcher Jeff White, notified GoDaddy’s Threat Intelligence Team about the subdomains. As a result, GoDaddy took down over 15000 subdomains, reset passwords for compromised accounts and notified the potentially impacted GoDaddy customers.

“After writing some new scripts to automate and collect shadow domains for these campaigns and working with GoDaddy’s abuse teams, we were able to successfully identify and shut down over 15,000 subdomains being used across these campaigns,” White said in a blog.

Modus Operandi
The scammers sent phishing scam emails to targets promoting a product. For instance, one of the campaigns stated ‘Stephen Hawking Predicts, ‘This Pill Will Change Humanity’, while another campaign claimed ‘Gwen Stefani Shares Blake Shelton’s Secret To Rapid Weight Loss’.

According to GoDaddy’s investigations, these scammers gained access to GoDaddy customers’ accounts through phishing attacks or credential stuffing attacks. After gaining access to customers’ GoDaddy accounts, these scammers created subdomains for the customers’ legitimate websites. Then they used these subdomains to host product promo pages and carry out spam campaigns. The crucial apsect in the investigation pointed out that the scammers have compromised almost hundreds of GoDaddy accounts to carry out their spam campaigns.

GoDaddy revealed that the number of hacked accounts at “several hundred.”. After taking down the 15000 subdomains hosted on its servers last month, GoDaddy also reset passwords for compromised accounts and notified impacted users, so they can evaluate if the intruders had left other malware inside compromised accounts.

The traffic believed to have landed on the scammy subdomains is believed to be in the range of millions of hits. White also published an extensive report today documenting his two-year investigation.


Please enter your comment!
Please enter your name here

44 − 40 =