Abandoned Subdomains from Major Institutions Hijacked for AI-Generated Spam (404media.co)

A coordinated spam operation has infiltrated abandoned subdomains belonging to major institutions including Nvidia, Stanford University, NPR, and the U.S. government's vaccines.gov site, flooding them with AI-generated content that subsequently appears in search results and Google's AI Overview feature.

The scheme, reports 404 Media, posted over 62,000 articles on Nvidia's events.nsv.nvidia.com subdomain before the company took it offline within two hours of being contacted by reporters. The spam articles, which included explicit gaming content and local business recommendations, used identical layouts and a fake byline called "Ashley" across all compromised sites. Each targeted domain operates under different names -- "AceNet Hub" on Stanford's site, "Form Generation Hub" on NPR, and "Seymore Insights" on vaccines.gov -- but all redirect traffic to a marketing spam page. The operation exploits search engines' trust in institutional domains, with Google's AI Overview already serving the fabricated content as factual information to users searching for local businesses.

  • Something fishy... (Score:5, Interesting)

    by dskoll ( 99328 ) on Wednesday June 11, 2025 @10:30PM (#65443877) Homepage

    How do you abandon a subdomain? Unless an attacker can infiltrate your DNS servers, there's no such thing as an "abandoned" subdomain.

    Otherwise insert_random_string_here.microsoft.com would be fair game.

    • by dskoll ( 99328 ) on Wednesday June 11, 2025 @10:33PM (#65443881) Homepage

      Replying to myself... oh, OK, they decommissioned the domains, but left the DNS records pointing to IP addresses that were probably on AWS or some other cloud provider, so the attacker (somehow) obtained those IP addresses.

      Well, that's just dumb. If you stop using a subdomain, you should unpublish the DNS records first before releasing the IP addresses.

      • by Bert64 ( 520050 ) on Thursday June 12, 2025 @03:22AM (#65444165) Homepage

        Traditionally you'd have your own block of IP addresses so people were lazy about deleting subdomains, as they would still point to your block even if the actual server had been shut off, rendering the stray subdomains harmless.
        And with IPv6, AWS still works this way - you get a block.

        With legacy IPv4 AWS and other providers have a severe shortage, so they don't allocate blocks to customers. You get a single address allocated from a random pool. And when you stop using that address it goes back into the pool ready to be allocated to another customer. So someone malicious can spin up cloud instances until they hit upon one that has a stray A record pointing to it.

        This is just one of the dangerous side effects from the kludges used to keep legacy IPv4 limping along. People are not aware of the extra risk involved, and how something that was previously harmless is now highly dangerous.

    • That is the question.

      I can see if they outsourced something and delegated a subdomain and the contract expired and then somehow the spammers got the IP's (hosting farm?) which had been abandoned and set up DNS.

      But I've never been able to request a specific IP when setting up a VPS or colo, so it's kinda a mystery to me.

      404 should have included the most basic of details.

      • Repeat instance creation until you get the IP? I wonder if you could get on the same subnet and then just take the IP as static? I'd hope not for the latter.

        • by Bert64 ( 520050 )

          Cloud providers are not subnet based...
          Legacy IPv4 addresses are in a shared pool behind a NAT gateway, and are then forwarded to customer instances on demand. There are APIs so although the addresses you get are random you can very quickly cycle through them until you hit on the one you want.

          IPv6 with AWS at least works in the traditional way - each customer gets their own routed block(s), so if you kill a single instance the block is still yours and the address of the instance just goes dead.

        • Repeat instance creation until you get the IP?

          The usual practice is to have rate limits on the API to prevent things like runaway ansible playbooks creating thousands of allocations. I don't recall which of the cloud providers but that API limit was usually set to no more than 50 to 100 VPS creations within 24 hours. Yes, the limit could be raised. One customer doing quite legitimate work would start spinning up thousands of VPSs at XAM their time, and spin them down at the end of their work. I am not allowed to say why, but it made sense to me, kinda.

          • by allo ( 1728082 )

            Testing 100 IPs per day can be enough to eventually find the right one. You see the survivors, not the many failed attempts.

      • But I've never been able to request a specific IP when setting up a VPS or colo, so it's kinda a mystery to me.

        Support at [different cloud providers I worked at] would sometimes raise a ticket to allocate IPs to specific customer VPS instantiations. Unless it was a well established customer, such requests were usually declined, but given root access to the infrastructure, it's possible to do - if there's a good enough reason to do it. Money for one. Big customer (which is another way to say "money") is another. I've even seen cases at one cloud company that would delete someone's instantiation without warning to evacuate

    • by ebunga ( 95613 )

      Abandoned WordPress installs combined with auto-renewing certificates that can hang around for years once a site has been compromised rather than expiring after a couple of years. Or, they're pointed to some CDN somewhere or a cloud service or something. Man oh man the possibilities are endless.

      Automation is going to kill us all.

    • You CNAME it to a domain that expired.

  • Former sysadmin here. This is primarily a case of DNS neglect intersecting with IPv4 scarcity and cloud IP recycling. When there are only so many IP addresses and every marketing team on Earth wants a vanity subdomain for a two-week campaign, something’s gonna give. The problem is broken DNS hygiene and lax subdomain lifecycle management, so the solution is cultural and procedural.

    The root cause is pretty straightforward: when an A record—or a CNAME chain—still points to an IPv4 address
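Added example, not from the article or any of the commenters above: a small Python audit that encodes what the thread describes. Records pointing into an IPv6 or on-prem block the organisation still routes are harmless (Bert64's point), an A record whose single pool-allocated IPv4 lease has been released is dangling (the "unpublish DNS first, then release the IP" ordering), and a CNAME to a domain nobody controls any more needs review (the expired-domain case). All prefixes, addresses, hostnames and the inventory sets are constructed placeholders, and the registrable-domain helper is a deliberate two-label simplification.

```python
import ipaddress

# Constructed sample data: a zone export and an infrastructure inventory.
# Nothing here comes from the article; names and addresses are placeholders.
OWNED_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),      # on-prem IPv4 block we route ourselves
    ipaddress.ip_network("2001:db8:1234::/48"),  # routed IPv6 block from the cloud provider
]
# Single IPv4 addresses currently leased to us from the provider's shared pool.
LEASED_IPV4 = {"198.51.100.17", "198.51.100.42"}
# Registrable domains we control or have a live contract for (CNAME targets).
CONTROLLED_DOMAINS = {"example.org", "cdn-vendor.example"}

ZONE = [
    ("www.example.org",    "A",     "203.0.113.10"),
    ("events.example.org", "A",     "198.51.100.99"),    # lease released, record left behind
    ("api.example.org",    "AAAA",  "2001:db8:1234::5"),  # instance dead, block still ours
    ("promo.example.org",  "CNAME", "campaign.expired-agency.example"),
    ("static.example.org", "CNAME", "assets.cdn-vendor.example"),
]

def _in_owned_block(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OWNED_PREFIXES)

def _registrable(fqdn):
    # Crude two-label approximation of the registrable domain; a real audit
    # should consult the public suffix list instead.
    return ".".join(fqdn.rstrip(".").split(".")[-2:])

def classify(record):
    """Return 'ok', 'dangling' or 'review' for a (name, type, target) record."""
    name, rtype, target = record
    if rtype in ("A", "AAAA"):
        if _in_owned_block(target):
            return "ok"        # traffic still lands inside a block we route
        if target in LEASED_IPV4:
            return "ok"        # pool address, but the lease is still ours
        return "dangling"      # points into someone else's pool: takeover candidate
    if rtype == "CNAME":
        return "ok" if _registrable(target) in CONTROLLED_DOMAINS else "review"
    return "review"

def audit(zone=ZONE):
    """Map every record name in the zone to its classification."""
    return {name: classify((name, rtype, target)) for name, rtype, target in zone}
```

Run against a real zone export, the inventory sets would come from the provider's API and the registrar, and anything reported as "dangling" should be deleted before the address is ever released.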
