* [Blog](https://origin-researchcenter.paloaltonetworks.com/blog) * [Palo Alto Networks](https://origin-researchcenter.paloaltonetworks.com/blog/corporate/) * [Threat Research](https://origin-researchcenter.paloaltonetworks.com/blog/category/threat-research/) * Unit 42, GoDaddy Shutter ... # Unit 42, GoDaddy Shutter Subdomains Selling Miracles [](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Forigin-researchcenter.paloaltonetworks.com%2Fblog%2F2019%2F04%2Funit-42-godaddy-shutter-subdomains-selling-miracles%2F) [](https://twitter.com/share?text=Unit+42%2C+GoDaddy+Shutter+Subdomains+Selling+Miracles&url=https%3A%2F%2Forigin-researchcenter.paloaltonetworks.com%2Fblog%2F2019%2F04%2Funit-42-godaddy-shutter-subdomains-selling-miracles%2F) [](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Forigin-researchcenter.paloaltonetworks.com%2Fblog%2F2019%2F04%2Funit-42-godaddy-shutter-subdomains-selling-miracles%2F&title=Unit+42%2C+GoDaddy+Shutter+Subdomains+Selling+Miracles&summary=&source=) [](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://origin-researchcenter.paloaltonetworks.com/blog/2019/04/unit-42-godaddy-shutter-subdomains-selling-miracles/&ts=markdown) \[\](mailto:?subject=Unit 42, GoDaddy Shutter Subdomains Selling Miracles) Link copied By [Unit 42](https://www.paloaltonetworks.com/blog/author/unit-42/?ts=markdown "Posts by Unit 42") Apr 25, 2019 3 minutes [Threat Research](https://www.paloaltonetworks.com/blog/category/threat-research/?ts=markdown) [GoDaddy](https://www.paloaltonetworks.com/blog/tag/godaddy/?ts=markdown) [Unit 42](https://www.paloaltonetworks.com/blog/tag/unit-42/?ts=markdown) ![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2019/04/Screen-Shot-2019-04-24-at-1.26.26-PM-500x374.png)Palo Alto Networks and GoDaddy recently collaborated to take down some 15,000 subdomains promoting weight-loss products and other goods promising miraculous results. The websites sought to persuade millions of consumers into buying products backed by bogus endorsements purporting to be from celebrities including Stephen Hawking, Jennifer Lopez and Gwen Stefani. The compromised sites were uncovered in an investigation by Palo Alto Networks Unit 42 researcher Jeff White, who examined a massive campaign in which affiliate marketers used spam to push victims to sites where they were sometimes tricked into unknowingly signing up for expensive subscriptions for goods. He discovered the network after noticing striking visual similarities in templates used to build websites selling seemingly unrelated goods -- from diet pills and brain boosters to CBD oil. GoDaddy reviewed Unit 42's findings and discovered the sites had been pointing to subdomains belonging to several hundred customers whose accounts had been compromised using legitimate credentials. The attackers most likely accessed those credentials through phishing scams that tricked customers into releasing passwords and also through credential stuffing, which is when hackers exploit the use of the same passwords to secure multiple accounts by taking login data stolen from one site and using it to access another. GoDaddy shut down the compromised subdomains in March, prompting affected customers to reset their passwords and notified them that a security action had been taken. Unit 42 has published [a detailed report](https://unit42.paloaltonetworks.com/takedowns-and-adventures-in-deceptive-affiliate-marketing/)on the investigation, in which White describes how he discovered the network as part of a two-year deep dive into the world of affiliate marketing, how he mapped out the network's infrastructure and uncovered the malicious subdomains that he reported to GoDaddy. It describes how victims are targeted with spam containing shortened links that direct them to websites on compromised accounts that forward them to sites offering products promising miraculous results. ![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2019/04/Screen-Shot-2019-04-24-at-1.25.34-PM-500x327.png)Unit 42 recommends that consumers be on guard for similar online scams, particularly when considering purchasing goods promoted through email. Users should research all products marketed via email or online ads to determine if it they legitimate. The products highlighted in White's research report all had multiple complaints that were easy to find online. A good rule of thumb is the old adage "if it sounds too good to be true, it probably is." To prevent accounts from being compromised, Palo Alto Networks recommends securing all accounts with unique, strong passwords and implementing two-factor authentication whenever it is offered. *** ** * ** *** ## Related Blogs ### [Threat Research](https://www.paloaltonetworks.com/blog/category/threat-research/?ts=markdown) [#### Unit 42 Sees Surge in Attacks by Nigerian Cybercriminals](https://origin-researchcenter.paloaltonetworks.com/blog/2019/05/unit-42-sees-surge-attacks-nigerian-cybercriminals/) ### [Threat Research](https://www.paloaltonetworks.com/blog/category/threat-research/?ts=markdown) [#### OilRig Data Analysis Shows Breadth of Hacking Campaign](https://origin-researchcenter.paloaltonetworks.com/blog/2019/04/oilrig-data-analysis-shows-breadth-hacking-campaign/) ### [Cybersecurity](https://www.paloaltonetworks.com/blog/category/cybersecurity-2/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown), [Reports](https://www.paloaltonetworks.com/blog/category/reports/?ts=markdown), [Threat Prevention](https://www.paloaltonetworks.com/blog/category/threat-prevention-2/?ts=markdown), [Threat Research](https://www.paloaltonetworks.com/blog/category/threat-research/?ts=markdown), [Unit 42](https://www.paloaltonetworks.com/blog/category/unit42/?ts=markdown) [#### Top Three Ways Organizations Were Unprepared for Cyberattacks in 2023](https://origin-researchcenter.paloaltonetworks.com/blog/2024/11/top-three-ways-organizations-were-unprepared-for-cyberattacks-in-2023/) ### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown) [#### Proud Diamond Sponsor at Black Hat USA](https://origin-researchcenter.paloaltonetworks.com/blog/2024/07/proud-diamond-sponsor-at-black-hat-usa/) ### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Public Sector](https://www.paloaltonetworks.com/blog/category/public-sector/?ts=markdown) [#### Advancing Innovation and Harnessing AI to Secure the Homeland](https://origin-researchcenter.paloaltonetworks.com/blog/2024/06/advancing-innovation-and-harnessing-ai/) ### [Platform](https://www.paloaltonetworks.com/blog/cloud-security/category/platform/?ts=markdown), [Research](https://www.paloaltonetworks.com/blog/cloud-security/category/research/?ts=markdown), [Threat Research](https://www.paloaltonetworks.com/blog/category/threat-research/?ts=markdown) [#### Understanding Three Real Threats of Generative AI](https://origin-researchcenter.paloaltonetworks.com/blog/cloud-security/three-threats-generative-ai/) ### Subscribe to the Blog! Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more. ![spinner](https://origin-researchcenter.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up Please enter a valid email. By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder. This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply. {#footer} {#footer} ## Products and Services * [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown) * [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown) * [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown) * [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown) * [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown) * [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown) * [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown) * [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown) * [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown) * [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown) * [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown) * [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown) * [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown) * [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown) * [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown) * [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown) * [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown) * [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown) * [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown) * [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown) * [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown) * [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown) * [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown) * [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown) * [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown) * [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown) * [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown) * [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown) * [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown) * [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown) * [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown) * [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown) * [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown) * [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown) * [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown) * [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown) * [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown) * [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown) * [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown) ## Company * [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown) * [Careers](https://jobs.paloaltonetworks.com/en/) * [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) * [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown) * [Customers](https://www.paloaltonetworks.com/customers?ts=markdown) * [Investor Relations](https://investors.paloaltonetworks.com/) * [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown) * [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown) ## Popular Links * [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown) * [Communities](https://www.paloaltonetworks.com/communities?ts=markdown) * [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown) * [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown) * [Event Center](https://events.paloaltonetworks.com/) * [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center) * [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown) * [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown) * [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown) * [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown) * [Tech Docs](https://docs.paloaltonetworks.com/) * [Unit 42](https://unit42.paloaltonetworks.com/) * [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd) ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg) * [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown) * [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown) * [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) * [Documents](https://www.paloaltonetworks.com/legal?ts=markdown) Copyright © 2026 Palo Alto Networks. All Rights Reserved * [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks) * [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown) * [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/) * [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks) * [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks) * EN Select your language