GoDaddy shuts down over 15000 subdomains used for affiliate marketing spam campaigns

• Most of the products promoted via these scams were brain supplements, weight loss pills, CBD oils, and other dietary products.
• These promoted products carried fake endorsements from celebrities such as Stephen Hawking, Jennifer Lopez, Gwen Stefani, Blake Shelton, Wolf Blitzer, the Shark Tank TV show, among others.

What is the issue - Scammers carried out several affiliate marketing spam campaigns leveraging GoDaddy subdomains and fake celebrity endorsements.

What products were promoted - Most of the products promoted via these scams were brain supplements, weight loss pills, CBD oils, and other dietary products.

The big picture

Jeff White, a security researcher from Palo Alto Networks, uncovered these spam campaigns two years ago. Since then, White has been collecting spam emails and investigating into the scammers' operations.

• These scammers will send phishing scam emails to targets promoting a product.
• The phishing emails will include a link, which upon clicking redirects victims to a GoDaddy subdomain hosted on legitimate sites.
• The promoted products carry fake endorsements from celebrities such as Stephen Hawking, Jennifer Lopez, Gwen Stefani, Blake Shelton, Wolf Blitzer, the Shark Tank TV show, among others.
• For instance, one of the campaigns stated ‘Stephen Hawking Predicts, ‘This Pill Will Change Humanity’, while another campaign claimed ‘Gwen Stefani Shares Blake Shelton’s Secret To Rapid Weight Loss’.

How does this work?

• According to GoDaddy’s investigations, these scammers gain access to GoDaddy customers’ accounts via phishing attacks or credential stuffing attacks.
• After gaining access to customers’ GoDaddy accounts, these scammers create subdomains for the customers’ legitimate sites.
• They then use these subdomains to host product promo pages and carry out spam campaigns.

Worth noting - These scammers have compromised almost hundreds of GoDaddy accounts to carry out their spam campaigns.

The bottom line

Earlier this year, security researcher Jeff White, notified GoDaddy’s Threat Intelligence Team about the subdomains. As a result, GoDaddy took down over 15000 subdomains, reset passwords for compromised accounts and notified the potentially impacted GoDaddy customers.

“After writing some new scripts to automate and collect shadow domains for these campaigns and working with GoDaddy’s abuse teams, we were able to successfully identify and shut down over 15,000 subdomains being used across these campaigns,” White said in a blog.