About a year ago, I uncovered an ongoing campaign to compromise websites—including government and non-profit organizations—via either WordPress attack or subdomain takeover, with the objective of hosting "Slot Gacor" Indonesian gambling sites.
Gambling is illegal in Indonesia, but this method of hosting allows a rotating set of sites to be used and proxied to without anyone ever catching on. And because they're hosted on legitimate domains, detection for interested parties (i.e. Indonesian law enforcement) is difficult.
What is not difficult is the exploitation of the sites. Either by searching GitHub for open secrets, basic brute force, or WordPress plugin vulns, criminals are able to easily get their content onto host sites. This is largely how WordPress and Joomla sites are infected.
But that's actually the harder version. The easier attack is subdomain takeover, in which users of services like GitHub Pages or Pantheon have deleted their sites, but left the DNS record pointing to that service's CNAME. An attacker need only create a page on the same service and claim that domain. Without additional controls (which some services have, although not GitHub, insanely), the domain now points to the attacker's site!
And unless you're paying close attention to your external assets, it can be very easy to miss.
Here's a video of me and HuskyHacks demoing subdomain takeover.
Video description: In which Husky and I explore this dangerous misconfiguration and steal each other's domains!
@mttaggart as somebody who hosts in Azure I can also say they are explicitly doing subdomain takeovers of common Azure DNS setup (CNAME to xxx.eastus.cloudapp.net for example).
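The dangling-CNAME condition described above (a record still pointing at GitHub Pages, Pantheon, or an Azure `cloudapp.net` name after the resource behind it was deleted) is something an asset owner can audit for directly. The following is an added example, not code from the original post or from either participant: it walks a zone's CNAME records, resolves each target, and flags targets that no longer resolve, ranking higher those that point at hosting services where an unclaimed name can be registered by anyone. The suffix list, the sample zone, and the "which names currently resolve" view are constructed for the example; the live resolver uses only the standard library.

```python
from __future__ import annotations

import socket
from dataclasses import dataclass
from typing import Callable, Iterable, Tuple

# Hosting services named in the thread where a CNAME to a deleted or never-claimed
# resource is known to be claimable. Partial list, assumed for this example;
# extend it with the services your own estate uses.
TAKEOVER_PRONE_SUFFIXES = (
    ".github.io.",
    ".pantheonsite.io.",
    ".cloudapp.net.",
)


@dataclass
class Finding:
    name: str       # the subdomain in your zone
    target: str     # where its CNAME points
    severity: str   # "high" if the target is on a takeover-prone service
    reason: str


def normalize(name: str) -> str:
    """DNS names compare case-insensitively; use absolute, lower-case form."""
    n = name.strip().lower()
    return n if n.endswith(".") else n + "."


def live_resolves(name: str) -> bool:
    """Live check: True if the name has any address record (NXDOMAIN -> False)."""
    try:
        socket.getaddrinfo(name.rstrip("."), None)
        return True
    except socket.gaierror:
        return False


def audit_cnames(records: Iterable[Tuple[str, str, str]],
                 resolves: Callable[[str], bool]) -> list[Finding]:
    """Flag CNAME records whose target no longer resolves.

    A CNAME that still resolves is not dangling, even on a prone service; a
    dangling one is ranked "high" when the target sits on a service where the
    name can simply be claimed, "medium" otherwise.
    """
    findings: list[Finding] = []
    for name, rtype, value in records:
        if rtype.upper() != "CNAME":
            continue
        target = normalize(value)
        if resolves(target):
            continue
        prone = any(target.endswith(s) for s in TAKEOVER_PRONE_SUFFIXES)
        findings.append(Finding(
            name=normalize(name),
            target=target,
            severity="high" if prone else "medium",
            reason="dangling CNAME to takeover-prone service" if prone
                   else "dangling CNAME",
        ))
    return findings


# Constructed sample zone (not real infrastructure): (name, type, value).
SAMPLE_ZONE = [
    ("www.example.org", "A", "203.0.113.10"),
    ("docs.example.org", "CNAME", "Example-Org.GitHub.IO"),        # still live
    ("old-app.example.org", "CNAME", "old-app.eastus.cloudapp.net."),  # deleted VM
    ("shop.example.org", "CNAME", "shop-example.pantheonsite.io."),  # still live
    ("legacy.example.org", "CNAME", "legacy.hosting.example.net."),  # dead, not claimable
]

# Constructed resolver view standing in for live DNS: names present here resolve,
# anything else is treated as NXDOMAIN.
LIVE_IN_SAMPLE = {"example-org.github.io.", "shop-example.pantheonsite.io."}


def sample_resolves(name: str) -> bool:
    return normalize(name) in LIVE_IN_SAMPLE


def run_sample() -> list[Finding]:
    """Audit the constructed zone offline; swap in live_resolves for a real run."""
    return audit_cnames(SAMPLE_ZONE, sample_resolves)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.severity}\t{f.name} -> {f.target}: {f.reason}")
```

To run this against a real zone, export the records from your DNS provider and pass `live_resolves` instead of `sample_resolves`. The NXDOMAIN test catches the class of takeover the post describes, where the service stops answering for an unclaimed name; some services keep resolving and serve a "no such site" page instead, so a complete check also needs a per-service fingerprint of that response, which this example deliberately does not model. The practical fix is the same in both cases: delete the CNAME when the hosted resource is decommissioned, and treat a high finding as an exposure until then.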