Which is why it’s surprising, and welcome, that GoDaddy and security firm Palo Alto Networks’ Unit 42 have taken down 15,000 subdomains dedicated to selling those phony pharmaceuticals under false pretenses. The details vary slightly from one spam scam to the next, but the campaign that Palo Alto Networks researcher Jeff White tracked follows the same basic steps. “I began noticing slight variations every month until something clicked and what once was background noise now was something of interest,” White writes in a blog post detailing the investigation, which covered hundreds of different spam sites. On even closer inspection, he found that many of the domains being used as redirects in the spam campaign seemed to have started out as legitimate. After some sleuthing, White discovered the truth: Affiliate spammers had compromised the accounts of hundreds of GoDaddy customers, likely through a combination of a phishing campaign and credential stuffing, two common methods of obtaining or guessing people’s log-in information.