You’ve seen the ads in your email or online: Celebrities supposedly hawking miracle weight loss cures or galaxy brain supplements. They’re at this point endemic to the web, as deeply ingrained as hashtags and puppies. But even though plenty of people fall for them, no one ever really does anything about it. Of all the security threats online, spam ranks pretty low on the priority list.
Which is why it’s surprising, and welcome, that GoDaddy and security firm Palo Alto Networks’ Unit 42 have taken down 15,000 subdomains dedicated to selling those phony pharmaceuticals under false pretenses. And the two-year investigation that led them there offers some useful insights into what makes these campaigns tick.
The details vary slightly from one spam scam to the next, but the campaign that Palo Alto Networks researcher Jeff White tracked follows the same basic steps. It starts with an email, one that claims Stephen Hawking or Gwen Stefani or the Shark Tank crew swears by a dodgy medical product. The URL is shortened, so you can’t see where it leads. After a couple of redirects, you land on a domain that looks like TMZ, or E! Online, or some other legitimate site. Every single clickable element on that page—even the ones that look benign, like a Facebook like or “contact us” form—leads to another page that tries to sell you fake drugs.
If they’re successful, and you give them your credit card number, two things happen. First, the affiliate marketing spammer who likely created the subdomain gets a cut of the sale. And whoever’s peddling the bogus goods might send you a free sample—but they’ll also start charging you as much as $100 a month from then on, with ongoing subscription fees buried deep in the terms of service.
“When people go to cancel, they realize that they can’t,” says Jen Miller-Osborn, deputy director of threat intelligence at Unit 42. “A lot of times when they try to contact the company, no one gets back to them. No one’s ever going to get back to them, because that’s how these companies make their money, off of these refills.”
The only recourse, Miller-Osborn says, is going to your credit card company and hoping they’ll cancel out the charges.
Jeff White has never fallen for one of these scams, but, like many internet users, he started noticing them several years ago. He has tracked them diligently since 2017, when he first noticed that many of the sites appeared to share a common template. “I began noticing slight variations every month until something clicked and what once was background noise now was something of interest,” White writes in a blog post detailing the investigation, which covered hundreds of different spam sites.
On even closer inspection, he found that many of the domains being used as redirects in the spam campaign seemed to have started out as legitimate. Why, after all, would a spammer set up “bigislandroofing.com” and “justinbieberfannews.com” to shill fake supplements? After some sleuthing, White discovered the truth: Affiliate spammers had compromised the accounts of hundreds of GoDaddy customers, likely through a combination of phishing and credential stuffing, two common ways of getting hold of other people’s log-in information: phishing tricks the victim into handing over a password, while credential stuffing replays usernames and passwords leaked from other breaches against accounts whose owners reused them.
Once they had access to those accounts, the hackers would leave the main website alone, but surreptitiously create hundreds or even thousands of subdomains—like “glad.justinbieberfannews.com.” They would then use these so-called shadow domains as landing and redirect pages for their spam emails, and to game search engine rankings, all unbeknownst to the domains’ owners. Because the owner’s own site keeps working, and the new records sit beneath an established, reputable domain, the abuse is easy to miss from both the owner’s side and the reputation-filter side.
“GoDaddy recommends using multifactor authentication and different passwords on different services to avoid these types of attacks from being successful,” the company said in a statement. “GoDaddy takes the security of our network and our customers’ accounts very seriously and we’ll continue to collaborate with the security community to identify and resolve these types of attacks.”
Once White had identified recurring patterns in the campaign, the Unit 42 team wrote scripts to automate the identification of the shadow domains. He identified 15,000 illicit subdomains in all; GoDaddy shut them down in March.
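The article does not reproduce the Unit 42 scripts, so the following is an added example, not Unit 42’s or GoDaddy’s code, of the kind of heuristic a registrar or domain owner could run over their own DNS zone data to surface shadow subdomains of the sort described above. It assumes you can export each record with a creation timestamp (GoDaddy’s DNS export format and the threshold values are assumptions, not something the article states), and it uses two signals the story supports: the legitimate apex and www hosting is left alone, while a large burst of new subdomains appears in a short window pointing at infrastructure the owner does not use. The zone records are constructed sample data; the dictionary-word labels mimic the “glad.justinbieberfannews.com” style.

```python
"""Flag likely shadow subdomains in a DNS zone export.

Heuristic (assumed, not Unit 42's published method):
  1. Baseline = the /24 networks the apex and www A records resolve to.
  2. Candidate = any other A record in the zone pointing outside the baseline.
  3. Flag candidates when at least `min_burst` of them, created within
     `window` of each other, point at the same IP address.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from itertools import product

ZONE = "justinbieberfannews.com"  # zone name taken from the article; records are constructed


@dataclass(frozen=True)
class DnsRecord:
    name: str          # fully qualified, no trailing dot
    rtype: str         # "A", "MX", ...
    value: str         # IP for A records
    created: datetime  # assumed to come from the registrar's record-creation audit log


def baseline_networks(records, zone, prefix=24):
    """Return the /prefix networks the apex and www records resolve to."""
    nets = set()
    for r in records:
        if r.rtype == "A" and r.name in (zone, "www." + zone):
            nets.add(ip_network(f"{r.value}/{prefix}", strict=False))
    return nets


def flag_shadow_subdomains(records, zone, window=timedelta(days=7), min_burst=20):
    """Map flagged subdomain name -> the off-baseline IP it points at."""
    base = baseline_networks(records, zone)
    offsite = defaultdict(list)
    for r in records:
        if r.rtype != "A" or r.name in (zone, "www." + zone):
            continue
        if not r.name.endswith("." + zone):
            continue  # record belongs to some other zone
        if any(ip_address(r.value) in net for net in base):
            continue  # hosted with the owner's real infrastructure
        offsite[r.value].append(r)

    flagged = {}
    for ip, recs in offsite.items():
        recs.sort(key=lambda r: r.created)
        j = 0
        # Sliding window over creation times: a run of >= min_burst records
        # within `window` that share one target IP is treated as a burst.
        for i in range(len(recs)):
            while recs[i].created - recs[j].created > window:
                j += 1
            if i - j + 1 >= min_burst:
                for r in recs[j:i + 1]:
                    flagged[r.name] = ip
    return flagged


def build_sample_zone():
    """Constructed zone: a long-lived legitimate site plus a burst of shadow labels."""
    recs = [
        DnsRecord(ZONE, "A", "198.51.100.10", datetime(2015, 3, 1)),
        DnsRecord("www." + ZONE, "A", "198.51.100.10", datetime(2015, 3, 1)),
        DnsRecord(ZONE, "MX", "mail.hosting-provider.example", datetime(2015, 3, 1)),
        # A single older subdomain on a third-party host: off-baseline, but no burst.
        DnsRecord("blog." + ZONE, "A", "192.0.2.44", datetime(2017, 6, 1)),
    ]
    adjectives = ["glad", "bright", "quick", "calm", "bold", "warm", "keen", "neat"]
    nouns = ["sky", "river", "stone", "field", "lamp", "road", "leaf", "gate"]
    start = datetime(2019, 1, 10)
    for i, (a, n) in enumerate(product(adjectives, nouns)):   # 64 labels in 64 hours
        recs.append(DnsRecord(f"{a}{n}.{ZONE}", "A", "203.0.113.5",
                              start + timedelta(hours=i)))
    return recs


if __name__ == "__main__":
    hits = flag_shadow_subdomains(build_sample_zone(), ZONE)
    for name, ip in sorted(hits.items()):
        print(f"{name:45s} -> {ip}")
    print(f"{len(hits)} shadow subdomains flagged")
```

Two caveats for anyone adapting this. A legitimately CDN-hosted subdomain (the `blog` record above) will always sit off the apex’s network, which is why the burst count, not the off-network location alone, does the flagging; tune `min_burst` and `window` against your own zone history before acting on the output. And the timestamps come from account-side creation records, which a hosting provider has and an outside researcher usually does not; from the outside you would substitute passive-DNS first-seen dates and expect noisier results.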
Making a Dent
White isn’t the first person to look under the hood of these spam campaigns. Security reporter Brian Krebs took a close look at two major spam pharmacies in his 2014 book Spam Nation. And even the Today Show investigated a specific malicious ad that showed a fake Savannah Guthrie endorsement. But actually dismantling these networks doesn’t happen as often as you’d think.
In part that’s because, frankly, it’s not worth it. White scratched an itch, but it’s not one that most researchers—or law enforcement agencies—share. “The unfortunate truth is they’ll probably be back after this,” says Miller-Osborn. “It’s not the easiest thing to prosecute. It doesn’t necessarily have the biggest penalty if you did prosecute it. There’s not a ton of impetus on either side, going after them or motivation not to do it.”
But maybe this takedown makes an argument that there should be more of an effort to dismantle these campaigns. The dozens of shortened links White found were clicked an average of 273 times each. Extrapolate that out to 15,000 subdomains, and you wind up with millions of potential victims.
Unit 42 has no insight into how many people actually fell for the scam, and the actual number of credit cards that wound up in the hands of bad-faith drug merchants is likely much smaller. “There’s not like a 100 percent conversion rate,” says Crane Hassold, senior director of threat research at security firm Agari. “You’ll have a population of potential victims who click on a link and go to a website, but there’s a large percentage of those people who don’t end up getting compromised.”
Still, there’s a reason you see this particular scam everywhere: It’s profitable. Even if torpedoing 15,000 domains won’t put much of a dent in one of the most pervasive scourges of the web—as Miller-Osborn fully acknowledges—it at least shines a light on the problem. You can’t clear all the rats out of the sewer, but you can at least remind them that you’re there.