Another Case of Subdomain Takeover Detected: Potential Fraud on Carmax Website

Shortly after Adex specialists discovered a potential fraud case on FC Barcelona’s website, a similar issue was identified on another popular website – Carmax.com.

Adex provides anti-ad fraud services to one of the biggest global ad platforms – PropellerAds. The company pays close attention to the quality of ad campaigns launched via its platform and also carefully verifies that URLs provided, in fact, belong to advertisers.

During a standard automated campaign check, Adex’s staff was alerted to a suspicious link leading to a well-known vehicle retailer – Carmax.

Apart from being a top-rated company in the USA and one of the country’s largest retailers of used cars, Carmax runs a domain that is an attractive target for fraudsters, with over 13M monthly organic visits.

[Image: Carmax.com traffic figures – data from SemRush]

With the previous subdomain takeover case in mind, the specialists immediately began investigating the matter.

[Image: the suspicious subdomain]

While the root domain’s content centers on car reselling, the subdomain focuses on gambling, an improbable combination of topics for reasons ranging from SEO to legal complications.

A comparison of the NS records showed that the root domain was hosted on Akamai DNS, while the subdomain’s DNS was managed with Microsoft Azure.

[Image: dig output for the root domain]
[Image: dig output for the subdomain]

Fake subdomain

What is peculiar about this case is the name of the potentially fraudulent subdomain – expresstestdrives-qa.carmax.com – which thematically matches the root domain and is therefore harder for website owners to spot.

As is typical for subdomain takeover scenarios, search indexing was turned off, so nobody could simply Google the page, and because the subdomain resolved to a different server, any traffic spikes most probably went unnoticed by the domain owner.

A pattern emerging

Adex specialists emphasize that subdomain takeover doesn’t threaten only big websites; smaller businesses are also at risk:

“It’s becoming more and more common to see hijacked subdomains, and definitely there is a pattern here. Potentially illegal gambling companies are stealing subdomains, hosting them on different servers, and taking advantage of companies’ reputation and domain ranking. We recommend using anti-ad fraud tools and regularly checking your NS records to prevent fraud.”
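The NS comparison described above, and the recommendation to check NS records regularly, can be turned into a routine audit. The script below is an added example, not code from Adex or from the post: it compares each subdomain’s delegation with the root zone’s name servers, flags delegations that leave the root’s DNS provider, and treats a delegated zone whose servers refuse to answer as a dangling delegation. The provider list, the names under example.com and the response codes are constructed for the example; in practice the snapshot would be collected with `dig NS <name>` against the parent zone plus a query to the delegated servers.

```python
"""Audit a domain's subdomain NS delegations (added example, constructed data).

Models the check in the post: compare the root's NS set with each
subdomain's, flag third-party delegations, and escalate delegations whose
name servers do not serve the zone (the classic dangling-DNS condition).
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Name-server fragments identifying common third-party DNS hosts.
# Assumed list for this example; extend it from your own inventory.
THIRD_PARTY_MARKERS = {
    "azure-dns.": "Azure DNS",
    "awsdns-": "Route 53",
    "googledomains.com.": "Google Cloud DNS",
    "ns.cloudflare.com.": "Cloudflare",
}

# Rcodes meaning the delegated servers do not serve the zone: the parent
# still delegates the name, but nothing authoritative answers for it.
DANGLING_RCODES = {"REFUSED", "SERVFAIL"}


@dataclass(frozen=True)
class NsSnapshot:
    name: str                 # DNS name, e.g. "qa-delegated.example.com."
    ns: Tuple[str, ...]       # NS records the parent zone returns for it
    rcode: str = "NOERROR"    # rcode when asking the delegated servers for SOA


@dataclass(frozen=True)
class Finding:
    name: str
    severity: str             # "info", "warning" or "critical"
    reason: str


def _norm(name: str) -> str:
    """Lower-case and force one trailing dot so set comparisons are exact."""
    return name.lower().rstrip(".") + "."


def provider_of(ns_name: str) -> Optional[str]:
    """Return the known third-party provider of a name server, if any."""
    n = _norm(ns_name)
    for marker, provider in THIRD_PARTY_MARKERS.items():
        if marker in n:
            return provider
    return None


def audit(root: NsSnapshot, subdomains: Iterable[NsSnapshot]) -> List[Finding]:
    """Compare each subdomain's delegation with the root zone's NS set."""
    root_ns = {_norm(n) for n in root.ns}
    findings: List[Finding] = []
    for sub in subdomains:
        sub_ns = {_norm(n) for n in sub.ns}
        if not sub_ns:
            # No NS records: the name lives inside the root zone itself.
            continue
        if sub_ns == root_ns:
            findings.append(Finding(sub.name, "info",
                                    "delegated to the same servers as the root"))
            continue
        providers = sorted({p for p in map(provider_of, sub_ns) if p})
        where = ", ".join(providers) if providers else "an unrecognised provider"
        if sub.rcode.upper() in DANGLING_RCODES:
            findings.append(Finding(sub.name, "critical",
                f"delegated to {where} but the servers answer {sub.rcode}: "
                "dangling delegation, reclaim or remove the NS records"))
        else:
            findings.append(Finding(sub.name, "warning",
                f"delegated to {where}, outside the root's DNS provider; "
                "confirm the zone is still owned by the business"))
    return findings


# Constructed snapshot: one root zone and four subdomains.
ROOT = NsSnapshot("example.com.", ("ns1.rootdns.example.", "ns2.rootdns.example."))
SUBDOMAINS = (
    NsSnapshot("www.example.com.", ()),                         # inside root zone
    NsSnapshot("shop.example.com.", ("ns1.rootdns.example.", "ns2.rootdns.example.")),
    NsSnapshot("partners.example.com.", ("ns1-01.azure-dns.com.", "ns2-01.azure-dns.net.")),
    NsSnapshot("qa-delegated.example.com.", ("ns1-07.azure-dns.com.", "ns2-07.azure-dns.net."),
               rcode="REFUSED"),
)

if __name__ == "__main__":
    for f in audit(ROOT, SUBDOMAINS):
        print(f"[{f.severity.upper():8}] {f.name} - {f.reason}")
```

Run on a real estate, the "warning" findings are the inventory of subdomains whose DNS lives with another provider and so need an owner; the "critical" ones are delegations that still exist in the parent zone but that nobody serves, which is the state a hijacked subdomain passes through before it starts answering again with someone else’s content.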

Adex has already contacted Carmax and will add any comments should they follow.