
When a network intel provider’s domain serves fraudulent content, something is wrong

Thursday November 15, 2018, 06:22 PM, from Ars Technica
ThousandEyes, a San Francisco-based network intelligence service, helps customers monitor all kinds of mission-critical things, from border gateway protocol leaks to DNS performance. But over the past week or so, the company has struggled with its own networking blunder that allowed scammers to host hundreds of thousands of fraudulent documents on its very own domain.

The first of eight pages of results showing fraudulent PDFs available on vps4-atl1.ag0.thousandeyes.com. (credit: Dan Goodin)

As the screenshot above shows, vps4-atl1.ag0.thousandeyes.com was hosting PDFs promoting screenplays, books, and how-to guides. By being available on a subdomain of a legitimate network intelligence company, the content was designed to manipulate Google search results in a way that tricked people into clicking on questionable links. Google searches suggest that the documents were hosted on the subdomain since the beginning of the month, before being removed on Tuesday, as this story was being reported.
To park their content, the scammers took advantage of a lapse in the management of the ThousandEyes.com domain. An entry in the domain’s authoritative name servers pointed to the IP address 74.207.229.178. The IP address belongs to Web host Linode. ThousandEyes used the IP in the past, but at some point it stopped doing so. ThousandEyes admins, however, failed to remove the DNS entry from the name servers. The scammers then noticed the lapse, obtained the same IP address from Linode, and used it to host the scammy documents.
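
The lapse described above is a dangling DNS record: a name that still resolves to an address the organisation has released. As an added example (not from the article or from ThousandEyes), the following audit compares a zone's A records, including names that reach them through CNAMEs, against an inventory of currently allocated addresses. Only `vps4-atl1.ag0.thousandeyes.com` and `74.207.229.178` come from the article; the `example.com` names, the `192.0.2.x` addresses and the inventory are constructed.

```python
import ipaddress

# Constructed zone data. Only the vps4-atl1 record and its IP are from the
# article; the example.com names and 192.0.2.x addresses are made up.
ZONE = """\
; name                           ttl class type  value
www.example.com.                 300 IN    A     192.0.2.10
vps4-atl1.ag0.thousandeyes.com.  300 IN    A     74.207.229.178
old-agent.example.com.           300 IN    CNAME vps4-atl1.ag0.thousandeyes.com.
docs.example.com.                300 IN    CNAME www.example.com.
"""

# Constructed inventory: addresses currently allocated to the organisation
# (in practice exported from the hosting provider's API or a CMDB).
OWNED = {"192.0.2.10", "192.0.2.11"}


def parse_zone(text):
    """Return {name: (type, value)} for the A and CNAME records in text."""
    records = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        name, _ttl, _cls, rtype, value = line.split()
        if rtype in ("A", "CNAME"):
            records[name.lower()] = (rtype, value.lower())
    return records


def find_dangling(records, owned):
    """List (name, ip) pairs whose final A record is not in the inventory."""
    owned_ips = {ipaddress.ip_address(ip) for ip in owned}
    dangling = []
    for name in sorted(records):
        target, seen = name, set()
        # Follow CNAME chains inside the zone, guarding against loops.
        while (target in records and records[target][0] == "CNAME"
               and target not in seen):
            seen.add(target)
            target = records[target][1]
        if target in records and records[target][0] == "A":
            ip = ipaddress.ip_address(records[target][1])
            if ip not in owned_ips:
                dangling.append((name, str(ip)))
    return dangling


if __name__ == "__main__":
    for name, ip in find_dangling(parse_zone(ZONE), OWNED):
        print(f"dangling: {name} -> {ip} (not in current allocation)")
```

Running a check like this whenever a server is decommissioned, and removing the DNS entry before the address is released, closes the window the article describes.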
https://arstechnica.com/?p=1412223