Black Hat 2023

Threat Actors Recruiting Kids to Commit Ad Fraud

Black Hat · 2,339 views · 42:05 · about 2 years ago

This talk details a large-scale, automated ad fraud operation orchestrated by a corporate threat actor group using the CPABuild platform. The attackers compromise high-authority domains, including government and educational sites, to host malicious landing pages that trick users into downloading malware or participating in fraudulent ad schemes. The presentation highlights the group's use of sophisticated redirection techniques, such as BlackTDS, to evade security scanners and maintain their infrastructure.

How Corporate Threat Actors Weaponize SEO Poisoning and Subdomain Takeovers

TLDR: A sophisticated threat actor group is using the CPABuild platform to orchestrate large-scale ad fraud by compromising high-authority government and educational domains. By injecting malicious content into these trusted sites, they manipulate search engine rankings to deliver malware and fraudulent subscription offers to unsuspecting users. Security teams must prioritize monitoring for unauthorized content on their subdomains and implement strict controls over DNS records to prevent subdomain takeovers.

Search engine optimization is usually discussed in the context of marketing, but for a specific class of corporate threat actors, it is a primary attack vector. These groups are not just hacking for data; they are building automated, scalable businesses that treat high-authority domains as free hosting infrastructure. By compromising subdomains of government and educational institutions, they ensure their malicious payloads rank on the first page of search results for high-volume queries like "free V-Bucks" or "free Robux."

The Mechanics of the Operation

The attack flow is remarkably consistent and relies on the trust search engines place in established domains. It begins with finding a subdomain that can be taken over, most often through a dangling CNAME: the record still points at a cloud service hostname (a storage bucket, a hosted web app, a static-site host) whose backing resource has since been deleted or abandoned. The attacker does not need access to the victim's DNS at all; they register the abandoned resource name with the provider, and the victim's subdomain now resolves to content they control. On it they deploy a landing page designed to look like a legitimate resource, such as a PDF download or a game currency generator.
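The dangling-CNAME check described above, written out as an added example for this article (it is not code from the talk, from CPABuild or from BlackTDS). The resolver and fetcher are injected so the sample runs offline against constructed example.gov records; the provider fingerprint strings are assumed values to confirm against each provider's current error page, and dnspython_resolver assumes the third-party dnspython package is installed.

```python
"""Dangling-CNAME (subdomain takeover) audit.

Added illustration for this article; not code from the talk, from CPABuild
or from BlackTDS. The fingerprint table, the example.gov hosts and the
canned DNS/HTTP answers below are constructed for the sample run.
"""
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Provider suffixes commonly involved in takeovers once the tenant resource is
# deleted, with the body text the provider serves for an unclaimed name.
# Illustrative subset (assumed values): confirm each marker against the
# provider's current error page and extend from your own service inventory.
TAKEOVER_FINGERPRINTS = {
    ".s3.amazonaws.com":  re.compile(r"NoSuchBucket"),
    ".github.io":         re.compile(r"There isn't a GitHub Pages site here"),
    ".azurewebsites.net": None,   # unclaimed names simply stop resolving
}

# host -> canonical CNAME target, or None when the name has no CNAME
Resolver = Callable[[str], Optional[str]]
# hostname -> response body, or None when the name does not resolve / connect
Fetcher = Callable[[str], Optional[str]]


@dataclass
class Finding:
    host: str
    cname: str
    reason: str


def audit(hosts: Iterable[str], resolve: Resolver, fetch: Fetcher) -> List[Finding]:
    """Flag hosts whose CNAME points at a provider name nobody currently owns."""
    findings = []
    for host in hosts:
        target = resolve(host)
        if target is None:
            continue                      # A/AAAA only: not a CNAME takeover candidate
        target = target.rstrip(".").lower()
        for suffix, marker in TAKEOVER_FINGERPRINTS.items():
            if not target.endswith(suffix):
                continue
            body = fetch(target)
            if body is None:
                findings.append(Finding(host, target, "CNAME target does not resolve (NXDOMAIN)"))
            elif marker is not None and marker.search(body):
                findings.append(Finding(host, target, f"provider reports unclaimed resource ({marker.pattern})"))
            break
    return findings


def dnspython_resolver(host: str) -> Optional[str]:
    """Live resolver adapter; assumes the third-party dnspython package."""
    import dns.resolver          # imported lazily so the offline sample needs no extras
    try:
        return str(dns.resolver.resolve(host, "CNAME")[0].target)
    except Exception:            # NXDOMAIN, NoAnswer, timeout: treat as "no CNAME"
        return None


# --- constructed sample zone and canned HTTP bodies (not real hosts) ---
SAMPLE_CNAMES = {
    "downloads.example.gov": "old-reports-bucket.s3.amazonaws.com.",   # bucket deleted
    "portal.example.gov":    "retired-portal.azurewebsites.net.",      # app deleted
    "www.example.gov":       "agency-www.azurewebsites.net.",          # still live
    "docs.example.gov":      "agency-docs.github.io.",                 # still live
}
SAMPLE_BODIES = {
    "old-reports-bucket.s3.amazonaws.com": "<Error><Code>NoSuchBucket</Code></Error>",
    "agency-www.azurewebsites.net":        "<html>Agency portal</html>",
    "agency-docs.github.io":               "<html>Documentation index</html>",
    # retired-portal.azurewebsites.net is absent on purpose: it no longer resolves
}


def run_sample() -> List[Finding]:
    return audit(SAMPLE_CNAMES, SAMPLE_CNAMES.get, SAMPLE_BODIES.get)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.host} -> {f.cname}: {f.reason}")
```

Two signals are needed because providers behave differently: an abandoned Azure web app name stops resolving, so NXDOMAIN on the CNAME target is enough, whereas an S3 bucket hostname always resolves and only the NoSuchBucket body reveals that the bucket is free for anyone to create. Run this over the full zone export, not just the hosts you remember, and treat every finding as urgent: the record should be deleted before anyone else claims the name.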

These pages are not static. They are integrated with CPABuild, a platform that provides the infrastructure for these scams. The landing pages use "locker" scripts that force the user to complete a survey or download an application before they can access the promised content. This is where the ad fraud occurs. The user is funneled through multiple redirects, often managed by a traffic distribution system like BlackTDS, which filters incoming traffic based on IP reputation. If the visitor is identified as a security researcher or a bot, the system serves benign content. If the visitor is a target, they are served the malicious payload or the fraudulent offer.

Technical Evasion and Infrastructure

What makes this operation particularly difficult to track is the use of dynamic redirection. The attackers use a chain of three or four hops to obfuscate the final destination of the traffic. By the time a security scanner hits the final landing page, the session may have already expired or the IP may have been blacklisted by the attacker’s own infrastructure.

For example, the attackers' own deployment artifacts get indexed along with the scam pages, so Google dorks for those file names surface compromised hosts. A pentester can scope the same dorks to their own domains with the site: operator to audit their infrastructure:

# Search for common deployment artifacts left by the attackers
inurl:download_custom.aspx
inurl:cpabuild-deployment-test
# Scope the same search to your own zone when auditing (placeholder domain)
site:example.gov inurl:download_custom.aspx

If these paths are indexed under your domain, you are likely already compromised. The attackers are not just using these files for testing; they are using them to verify that their scripts execute correctly on the target server. Once verified, they swap the test page for the live scam page.

Real-World Impact and Attribution

The impact of this activity extends beyond simple ad fraud. Because these scams are hosted on .gov and .edu domains, they bypass many traditional reputation-based filters. Users, including children, are conditioned to trust these domains, making them significantly more likely to click on malicious links or download .exe files disguised as legitimate software.

We have seen this specific threat actor group target organizations ranging from state lotteries to major research laboratories. The common root cause is not an exotic vulnerability but a misconfigured cloud service: when a government agency migrates its infrastructure to a cloud provider, or retires a hosted resource, but fails to clean up the DNS records that pointed at it, it leaves a door wide open for these actors to move in and set up shop.

Defensive Strategies for Security Teams

Defending against this requires a shift in how we view our external attack surface. It is no longer enough to secure the primary domain. You must maintain a comprehensive inventory of every subdomain and the services they point to. If a service is decommissioned, the corresponding DNS record must be removed first, before the cloud resource is deleted; deleting the resource while the record still points at it is exactly the window these actors exploit.

Furthermore, implement automated monitoring for unauthorized content on your subdomains. A simple script that periodically crawls your subdomains and checks for unexpected keywords or redirects can save you from becoming a host for a global scam network. If you are a pentester, include subdomain takeover checks in your standard reconnaissance phase. It is a low-hanging fruit that these actors are harvesting at scale.
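The monitoring script suggested above, as an added example for this article (not code from the talk, from CPABuild or from BlackTDS). It fetches each hop itself rather than letting the HTTP client auto-follow, so the whole redirect chain is recorded; the two artifact names are the ones quoted in the dorks above, while the keyword list, the locker and .exe patterns, the org_domain parameter and the canned responses under example.gov, tds.example and cpa.example are constructed.

```python
"""Subdomain content monitor: walks redirect chains and flags scam indicators.

Added illustration for this article; not code from the talk, from CPABuild or
from BlackTDS. The keyword list, the locker/exe patterns and the canned
responses are constructed; the two artifact names come from the dorks above.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlparse

Response = Tuple[int, Dict[str, str], str]       # (status, lower-cased headers, body)
Fetcher = Callable[[str], Optional[Response]]    # url -> Response, None on network failure

MAX_HOPS = 6
SCAM_KEYWORDS = re.compile(r"free (?:v-?bucks|robux)|gift card generator|content locker", re.I)
ARTIFACT_PATHS = ("download_custom.aspx", "cpabuild-deployment-test")
META_REFRESH = re.compile(r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+url=([^"\'>\s]+)', re.I)
EXE_LINK = re.compile(r'href=["\']([^"\']+\.exe)["\']', re.I)


def next_hop(url: str, resp: Response) -> Optional[str]:
    """Return the URL this response redirects to (3xx Location or meta refresh), if any."""
    status, headers, body = resp
    if 300 <= status < 400 and "location" in headers:
        return urljoin(url, headers["location"])
    m = META_REFRESH.search(body)
    return urljoin(url, m.group(1)) if m else None


def follow(start: str, fetch: Fetcher) -> List[Tuple[str, Optional[Response]]]:
    """Fetch every hop ourselves so the full chain is recorded, not just the final page."""
    chain, seen, url = [], set(), start
    while url and url not in seen and len(chain) < MAX_HOPS:
        seen.add(url)
        resp = fetch(url)
        chain.append((url, resp))
        url = next_hop(url, resp) if resp else None
    return chain


def assess(start: str, org_domain: str, fetch: Fetcher) -> List[str]:
    """Return human-readable findings for one monitored URL (empty list = nothing suspicious)."""
    chain = follow(start, fetch)
    hosts = [urlparse(u).hostname or "" for u, _ in chain]
    findings = []
    if any(not (h == org_domain or h.endswith("." + org_domain)) for h in hosts):
        findings.append(f"redirects off-site through {len(chain) - 1} hop(s), ending at {hosts[-1]}")
    for url, resp in chain:
        if any(a in urlparse(url).path.lower() for a in ARTIFACT_PATHS):
            findings.append(f"known deployment artifact in path: {url}")
        if resp is None:
            continue
        body = resp[2]
        kw = SCAM_KEYWORDS.search(body)
        if kw:
            findings.append(f"scam keyword {kw.group(0)!r} at {url}")
        for exe in EXE_LINK.findall(body):
            findings.append(f".exe download link {exe!r} at {url}")
    return findings


def urllib_fetcher(url: str, user_agent: str = "Mozilla/5.0") -> Optional[Response]:
    """Live fetcher (stdlib only) that does not auto-follow redirects."""
    import urllib.error, urllib.request

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None                     # makes every 3xx surface as HTTPError below

    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=10) as r:
            return r.status, {k.lower(): v for k, v in r.headers.items()}, r.read(200_000).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, {k.lower(): v for k, v in e.headers.items()}, ""
    except Exception:
        return None


# --- constructed sample: one hijacked subdomain chaining through a TDS, one clean page ---
SAMPLE_SITE: Dict[str, Response] = {
    "https://downloads.example.gov/report.pdf":
        (302, {"location": "https://t1.tds.example/go?id=7"}, ""),
    "https://t1.tds.example/go?id=7":
        (200, {}, '<meta http-equiv="refresh" content="0;url=https://t2.tds.example/x">'),
    "https://t2.tds.example/x":
        (302, {"location": "https://lander.cpa.example/download_custom.aspx"}, ""),
    "https://lander.cpa.example/download_custom.aspx":
        (200, {}, '<h1>Free V-Bucks Generator</h1><a href="/setup.exe">Download</a>'),
    "https://www.example.gov/":
        (200, {}, "<html>Official agency site</html>"),
}


if __name__ == "__main__":
    for url in ("https://downloads.example.gov/report.pdf", "https://www.example.gov/"):
        print(url, assess(url, "example.gov", SAMPLE_SITE.get) or ["clean"])
```

Swap SAMPLE_SITE.get for urllib_fetcher to run it against real hosts. Keep in mind the filtering described earlier: a TDS that serves benign content to known scanner IP ranges will look clean from a data-centre egress, so schedule runs from more than one network, vary the User-Agent, and treat a chain that only ever ends on your own domain from your office but elsewhere from a residential connection as a finding in itself.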

These groups are not going away because their business model is profitable. They have successfully commoditized the exploitation of trust. As long as they can turn a profit by abusing the reputation of legitimate organizations, they will continue to refine their techniques. The only way to disrupt them is to make their infrastructure more expensive to maintain than the revenue it generates. Start by cleaning up your DNS records and auditing your cloud service configurations today.

Talk type: talk · Difficulty: intermediate · Category: threat intel


Black Hat USA 2023
