Image: Palo Alto Networks

Web hosting provider and domain registrar GoDaddy has taken down more than 15,000 subdomains that were being used as part of a spam operation that lured users on web pages selling fake products.

Users would typically receive a spam email promoting a product, and if they'd click links in these emails, they'd land on one of these subdomains, hosted on legitimate sites -without the site's legitimate owner's knowledge.

The common theme among all the scammy subdomains was that they all sold products backed by bogus endorsements from celebrities.

Celebrity names used in these scams include Stephen Hawking, Jennifer Lopez, Gwen Stefani, Blake Shelton, Wolf Blitzer, the Shark Tank TV show, and others.

Most of the products advertised via these subdomains were brain supplements, CBD oil, weight loss pills, and other dietary products.

A two-year investigation

GoDaddy wasn't the party who discovered this massive network of shady domains, but Palo Alto Networks security researcher Jeff White.

The researcher first encountered this gang's shady domains nearly two years ago, when he also started an investigation into their operations.

Ever since then, the researcher has been collecting spam email that the scammers have been sending out in droves each they, and indexing the subdomain URLs promoting these fake products.

Earlier this year, White shared his findings with GoDaddy, where most of these domains were being hosted.

Scammers hacked into GoDaddy accounts

According to GoDaddy's own investigation, the company believes the scammer group used either phishing or credential stuffing attacks to gain access to its customers' accounts over the past few years.

Once they gained access to GoDaddy accounts, the operators of this scam would create a subdomain for the customers' legitimate sites, which they'd later use to host one of the shady product promo pages and lure users with email spam campaigns.

The web host put the number of hacked accounts at "several hundred."

After taking down the 15K+ subdomains hosted on its servers last month, GoDaddy also reset passwords for compromised accounts and notified impacted users, so they can evaluate if the intruders had left other malware inside compromised accounts.

The traffic believed to have landed on the scammy subdomains is believed to be in the range of millions of hits. White also published an extensive report today documenting his two-year investigation.

More cybersecurity coverage: