Hijacked subdomains still serving malware
Posted by Oliver Day
Last month the Unmask Parasites blog wrote about attacks using hijacked subdomains of legitimate websites to serve badware. At the time of that article's publication the attacks had already been going on for a month. We are still seeing a lot of infected websites pointing back to solk.seamscreative.info (on port 8080) and other sites like it.
The standard attack used in drive-by downloads required the injection of iframes into normally benign sites; however, the landing or intermediary sites those iframes pointed to weren't normally registered to benign users. This represents an interesting evolution of tactics: it adds another layer of innocent victim to the network of infections. The attack has been fairly successful, if in the last two months the infected subdomains still haven't been taken down.
Considering our own methods of alerting the public to infections, it is easy to see why. The subdomains aren't something the owners will be on the lookout for, and the DNS registrar likely has no idea that attacks are occurring on their customer base. According to the blog post at Unmask Parasites, the most affected DNS registrar seems to be GoDaddy. I don't know whether this means there is some flaw in their DNS management panel or whether legitimate customers have had their credentials stolen. Either way, this trend warrants more investigation.
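One check a domain owner could run against this, added here as an example and not code from the original post: audit a zone export from the registrar and flag subdomain records that point outside the owner's own address space or to an unapproved CNAME target. The zone records, address ranges and approved targets below are constructed.

```python
"""Audit a DNS zone export for subdomain records that point somewhere the
owner does not control, the trace a hijacked subdomain leaves behind.
Example added to this post; zone data and address ranges are constructed."""
import ipaddress

# Constructed zone export in a simplified "name type value" form.
ZONE_EXPORT = """\
www      A     203.0.113.10
mail     A     203.0.113.25
blog     CNAME www.example.com.
promo    A     198.51.100.77
cdn      CNAME cdn.provider.example.
"""

# Constructed: address blocks and CNAME targets the owner knows are legitimate.
OWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
APPROVED_CNAME_TARGETS = {"www.example.com.", "cdn.provider.example."}


def parse_zone(text):
    """Return (name, type, value) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        name, rtype, value = parts
        records.append((name, rtype.upper(), value))
    return records


def suspicious_records(records, own_networks, approved_cnames):
    """Return (name, type, value, reason) for records a human should review."""
    flagged = []
    for name, rtype, value in records:
        if rtype == "A":
            addr = ipaddress.ip_address(value)
            if not any(addr in net for net in own_networks):
                flagged.append((name, rtype, value, "A record outside owned ranges"))
        elif rtype == "CNAME" and value not in approved_cnames:
            flagged.append((name, rtype, value, "CNAME target not approved"))
    return flagged


def audit(text=ZONE_EXPORT):
    return suspicious_records(parse_zone(text), OWN_NETWORKS, APPROVED_CNAME_TARGETS)


if __name__ == "__main__":
    for name, rtype, value, reason in audit():
        print(f"{name:8} {rtype:6} {value:24} {reason}")
```

Running the audit periodically against a fresh export, rather than once, is what catches a record that was changed after the last review.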
UPDATE 7/28: The GoDaddy abuse team has been notified.
