Limassol, Cyprus – ADEX has identified a series of advertising campaigns that relied on subdomain takeovers to host landing pages promoting iGaming services. The activity was detected during routine monitoring of digital advertising traffic in February 2025, when analysts noticed unusual patterns appearing across a limited number of countries and advertising verticals.
The initial anomaly prompted a deeper investigation. During the review, analysts collected and examined additional campaigns that displayed similar characteristics. The analysis showed that multiple campaigns were directing users to landing pages hosted on subdomains belonging to government and educational institutions, particularly within Indonesian domain zones.
Domains within government and academic zones are typically assigned through formal administrative processes and are restricted to recognized institutions. Private advertisers cannot legitimately obtain access to these domains. Their appearance in advertising campaigns raised concerns that the domains were being used without authorization or had been compromised.
Examples of the affected domains included landing pages hosted on subdomains associated with Indonesian educational institutions. One case involved a page hosted under the domain of Universitas Islam Majapahit, while another appeared under the library subdomain of Indramayu State Polytechnic. Both pages contained promotional material linked to iGaming content.
During the investigation, similar patterns were discovered outside Indonesia. Additional landing pages were found on domains linked to universities in the United States and on private commercial websites in other regions. These pages also hosted iGaming-related content despite being unrelated to the advertised services.
All of the identified campaigns promoted iGaming services, regardless of whether the hosting domains belonged to universities, municipal authorities, or unrelated businesses. When advertisers were asked to provide clarification and supporting documentation regarding their use of these domains, the responses either lacked sufficient detail or were not provided.
The investigation concluded that several of the affected domains had likely been exposed to subdomain takeover vulnerabilities. According to the Open Web Application Security Project (OWASP), subdomain takeover is categorized under A05: Security Misconfiguration.
A subdomain takeover can occur when a domain owner leaves a DNS record pointing to an external service that is no longer in use. If the cloud resource associated with that DNS entry is deleted, another party may claim the resource and host content under the same subdomain without the knowledge of the original domain owner.
In the cases reviewed by ADEX, many of the affected domains were structured as third-level subdomains that pointed to external cloud services. Once those services were removed or misconfigured, attackers were able to claim the same cloud storage addresses and deploy their own content.
The investigation also found that not all cases were caused solely by DNS misconfiguration. Some domains appeared to be affected by vulnerabilities in web servers or content management systems. In other instances, compromised administrator credentials may have allowed unauthorized access to hosting environments.
Attackers often rely on subdomain takeovers because they offer both cost advantages and increased credibility. By using existing subdomains on trusted domains, attackers avoid registering new domains and building a reputation from scratch. Content hosted on government or educational subdomains may also bypass basic reputation filters and appear more legitimate to users and automated security systems.
ADEX identified fraudulent activity associated with the campaigns, including advertising traffic directed to landing pages designed to collect user information and promote unregulated iGaming services through compromised trusted domains.
Following the investigation, the ADEX team implemented measures to block the affected campaigns and prevent further misuse of compromised domains within monitored advertising traffic.
Security specialists recommend that organizations regularly audit their domain infrastructure to reduce the risk of subdomain takeover. Suggested practices include reviewing DNS records, removing unused subdomains, maintaining web servers and content management systems, enabling two-factor authentication for administrator accounts, and monitoring websites for unexpected changes in content or traffic patterns.
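The DNS review recommended above can be partly automated. The following sketch is an added example, not ADEX code: it reads a zone export and flags CNAME records that delegate a subdomain to external hosting, which is the dangling-record condition described earlier. The zone contents, hostnames and suffix list are constructed assumptions.

```python
import socket

# Assumed, illustrative suffixes of third-party hosting; extend with your providers.
EXTERNAL_SUFFIXES = (".s3.amazonaws.com", ".azurewebsites.net", ".github.io")

# Constructed sample zone export (names under the reserved .example TLD).
SAMPLE_ZONE = """\
$ORIGIN university.example.
www      3600 IN A     192.0.2.10
library  3600 IN CNAME lib-portal.azurewebsites.net.  ; old library portal
assets   3600 IN CNAME uni-assets.s3.amazonaws.com.
mail     3600 IN CNAME mx1                            ; in-zone target
"""

def _absolute(name, origin):
    """Expand a relative zone name against $ORIGIN; drop the trailing dot."""
    return (name.rstrip(".") if name.endswith(".") else f"{name}.{origin}").lower()

def parse_cnames(zone_text):
    """Return (fqdn, target) pairs for every CNAME record in a simple zone export."""
    origin, pairs = "", []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()  # strip comments, then tokenize
        if len(fields) >= 2 and fields[0].upper() == "$ORIGIN":
            origin = fields[1].rstrip(".")
        elif len(fields) >= 3 and fields[-2].upper() == "CNAME":
            pairs.append((_absolute(fields[0], origin), _absolute(fields[-1], origin)))
    return pairs

def system_resolves(host):
    """True if the local resolver returns any address for host."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def audit(zone_text, resolves=system_resolves):
    """Flag CNAMEs that delegate a subdomain to external hosting."""
    findings = []
    for name, target in parse_cnames(zone_text):
        if not target.endswith(EXTERNAL_SUFFIXES):
            continue  # target stays inside infrastructure the owner controls
        # A target that resolves can still be unclaimed: some providers answer
        # for any name, so "review" means confirming the resource in the account.
        status = "review" if resolves(target) else "dangling"
        findings.append((name, target, status))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_ZONE):
        print(*finding)
```

Records marked "dangling" should be removed or repointed first; records marked "review" still need a check against the inventory of cloud resources the organization actually owns.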
The findings highlight how unused or poorly maintained subdomains can become entry points for unauthorized activity. Maintaining control over domain infrastructure remains an important factor in reducing security risks and preventing misuse of trusted web assets.
About ADEX
Adex is a digital advertising monitoring and security analysis team that tracks advertising traffic patterns, detects suspicious campaign behavior, and investigates fraud and security risks within online advertising ecosystems. The team conducts ongoing analysis of advertising infrastructure to identify threats, document emerging techniques, and support safer digital advertising environments worldwide.
Contact:
Name: Micahel Gor
Company: Adex
Website: www.adex.com
