You’ve seen the ads in your email or online: Celebrities supposedly hawking miracle weight-loss cures or galaxy brain supplements. They’re endemic to the web, as deeply ingrained as hashtags and puppies. But even though plenty of people fall for them, no one ever really does anything about it. Of all the security threats online, spam ranks pretty low on the priority list.

Which is why it’s surprising, and welcome, that GoDaddy and security firm Palo Alto Networks’ Unit 42 have taken down 15,000 subdomains dedicated to selling those phony pharmaceuticals under false pretenses. The two-year investigation that led them there offers some useful insights into what makes these campaigns tick.

Spamalot

The details vary slightly from one spam scam to the next, but the campaign that Palo Alto Networks researcher Jeff White tracked follows the same basic steps. It starts with an email, one that claims Stephen Hawking or Gwen Stefani or the Shark Tank crew swears by a dodgy medical product. The URL is shortened, so you can’t see where it leads. After a couple of redirects, you land on a domain that looks like TMZ, E! Online, or some other legitimate site. Every single clickable element on that page—even the ones that look benign, like a Facebook like or Contact Us form—leads to another page that tries to sell you fake drugs.

If they’re successful, and you give them your credit card number, two things happen. First, the affiliate marketing spammer who likely created the subdomain gets a cut of the sale. Second, whoever’s peddling the bogus goods might send you a free sample—but they’ll also start charging you as much as $100 a month from then on, with ongoing subscription fees buried deep in the terms of service.

“When people go to cancel, they realize that they can’t,” says Jen Miller-Osborn, deputy director of threat intelligence at Unit 42. “A lot of times when they try to contact the company, no one gets back to them. No one’s ever going to get back to them, because that’s how these companies make their money, off of these refills.”

The only recourse, Miller-Osborn says, is going to your credit card company and hoping they’ll cancel the charges.

Account Takeover

Jeff White has never fallen for one of these scams, but, as with many internet users, they caught his eye several years ago. He has tracked them diligently since 2017, when he first noticed that many of the sites appeared to share a common template. “I began noticing slight variations every month until something clicked, and what once was background noise now was something of interest,” White writes in a blog post detailing the investigation, which covered hundreds of spam sites.