GoDaddy has shut down over 15,000 website subdomains for helping email spammers redirect people to snake oil products including miracle weight loss drugs and brain enhancement pills.

The 15,000 subdomains were all created by a group of scammers intent on spreading their messages across the internet, according to Jeff White, a security researcher at Palo Alto Networks. On Thursday, he published a report documenting how the scheme may have reached millions of consumers.

Typically, internet platforms and email inboxes will screen out spam with the help of filters, which will look at where a message has come from. If the email originated from an already blacklisted domain, it won't get through.

So to beat the spam filters, the scammers came up with a devious solution: They've been breaking into legitimate web hosting accounts on GoDaddy to help serve up their spam email messages. According to White, the culprits compromised hundreds of GoDaddy accounts to create the 15,000 subdomains, which were designed to redirect people to the snake oil product sites.

"By using unrelated subdomains, they (the scammers) can 'shadow' the reputation of the parent site and hopefully skirt under the radar of prevention tools," White told PCMag.

To break into the GoDaddy accounts, White said the scammers likely used phishing emails to trick account holders into giving up their passwords. The culprits may have also used an automated password-guessing tactic known as credential stuffing. Once the subdomains were created, the scammers could then place links to them in their spam messages.

People who clicked on the links would then be brought to a website promoting the snake oil goods. Notably, the sites often featured bogus endorsements from celebrities including Stephen Hawking, Jennifer Lopez and Gwen Stefani.

Whether or not anyone actually bought the products isn't clear. However, some of the individual links were clicked an average of 273 times, White said in his report. If each of the 15,000 subdomains attracted the same click totals, then thousands of people, if not millions, may have encountered the spam.

Buying from these snake oil product sites isn't advised. According to White, they often contain some fine print at the bottom about re-billing your credit card unless you cancel the subscription. "Hopefully someone notices before it's too late, but more often than not, at least one cycle goes through and the merchants laugh all the way to the bank," he wrote in his report.

White began investigating the scheme back in 2017 when he noticed many of the spam snake oil sites used similar design templates. In response to his research, GoDaddy in March pulled the plug on the 15,000 subdomains. To prevent account takeovers, the company recommends users activate the multi-factor authentication security option and use stronger passwords.
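
A check an account holder can run against the subdomain shadowing described above, as an added example that is not part of the original article or White's report: it compares a zone-file export with an inventory of hostnames the owner knowingly created and lists everything else for review. The zone contents, hostnames and addresses are constructed sample data, and the script assumes rogue subdomains show up as A, AAAA or CNAME records with an explicit owner name on each line.

```python
# Added example: flag DNS records whose hostname is not in an approved inventory.
# SAMPLE_ZONE and APPROVED are constructed sample data, not real infrastructure.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@          3600 IN A     192.0.2.10
www        3600 IN CNAME example.com.
mail       3600 IN A     192.0.2.20
qzxv       600  IN A     203.0.113.77
shop.promo 600  IN A     203.0.113.77
; records may also be written fully qualified
blog.example.com. 3600 IN CNAME www.example.com.
"""
APPROVED = {"example.com", "www.example.com", "mail.example.com", "blog.example.com"}
RECORD_TYPES = {"A", "AAAA", "CNAME"}  # assumption: types that make a name resolvable


def parse_zone(text):
    """Yield (fqdn, rtype, target) for address and alias records in a zone export."""
    origin = ""
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()  # drop comments, then tokenize
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN" and len(fields) > 1:
            origin = fields[1].rstrip(".").lower()
            continue
        if fields[0].startswith("$"):
            continue  # other directives ($TTL, $INCLUDE) carry no hostname
        owner, rest = fields[0].lower(), fields[1:]
        idx = 0
        while idx < len(rest) and (rest[idx].isdigit() or rest[idx].upper() == "IN"):
            idx += 1  # skip the optional TTL and class columns
        if idx + 1 >= len(rest) or rest[idx].upper() not in RECORD_TYPES:
            continue
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner.rstrip(".")
        else:
            fqdn = f"{owner}.{origin}"
        yield fqdn, rest[idx].upper(), rest[idx + 1].rstrip(".").lower()


def unexpected_hosts(zone_text, approved):
    """Return records whose hostname is missing from the inventory, sorted by name."""
    return sorted(r for r in parse_zone(zone_text) if r[0] not in approved)


if __name__ == "__main__":
    for fqdn, rtype, target in unexpected_hosts(SAMPLE_ZONE, APPROVED):
        print(f"REVIEW {fqdn} {rtype} -> {target}")
```
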
