XSS in ISP ad page allows compromise of any website

"When users visit a website like Wired.com, the DNS system maps the
domain name into an IP address such as 72.246.49.48. But if a
particular site does not exist, the DNS server tells the browser that
there's no such listing and a simple error message should be displayed.

But starting in August 2006, Earthlink instead intercepts that
Non-Existent Domain (NXDOMAIN) response and sends the IP address of
ad-partner Barefruit's server as the answer. When the browser visits
that page, the user sees a list of suggestions for what site the user
might have actually wanted, along with a search box and Yahoo ads.

The rub comes when a user is asking for a nonexistent
subdomain of a real website, such as http://webmale.google.com, where
the subdomain webmale doesn't exist (unlike, say, mail in
mail.google.com). In this case, the Earthlink/Barefruit ads appear in
the browser, while the title bar suggests that it's the official Google
site.

As a result, all those subdomains are only as secure as
Barefruit's servers, which turned out to be not very secure at all.
Barefruit neglected basic web programming techniques, making its
servers vulnerable to a malicious JavaScript attack. That meant hackers
could have crafted special links to unused subdomains of legitimate
websites that, when visited, would serve any content the attacker
wanted."

Article Link: http://blog.wired.com/27bstroke6/2008/04/isps-error-page.html
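The practical check a customer (or a pentester auditing an ISP) wants here is whether the resolver they are handed actually returns NXDOMAIN for names that cannot exist, because once it does not, every unused subdomain of every site resolves to a third party whose web application security you cannot vet. The script below is an added example, not code from the Wired article or from CGISecurity: it queries a freshly generated, certainly-nonexistent label under several unrelated parent domains and flags the signature of a blanket NXDOMAIN rewrite (every probe answered, all with the same address), which a legitimate per-zone wildcard record does not produce. The `live_resolver` uses the system's DNS; the honest, rewriting and wildcard resolvers, `HONEST_ZONE`, `AD_SERVER_IP` and the documentation-range addresses are constructed stand-ins so the example runs offline.

```python
import secrets
import socket
from typing import Callable, Dict, List, Optional

# A resolver maps a hostname to an IPv4 address, or returns None when the
# name does not exist (the NXDOMAIN outcome a browser expects to see).
Resolver = Callable[[str], Optional[str]]


def live_resolver(hostname: str) -> Optional[str]:
    """Resolve through the system's configured DNS (i.e. the ISP's resolver)."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def random_label(nbytes: int = 8) -> str:
    """A label that will not exist under any real zone, e.g. 'nx-3f9a1c2b0d4e5f60'."""
    return "nx-" + secrets.token_hex(nbytes)


def probe_nxdomain_hijack(base_domains: List[str], resolve: Resolver) -> Dict[str, object]:
    """Query one random, nonexistent subdomain under each parent domain.

    A well-behaved resolver answers NXDOMAIN (None) for every probe.  A
    resolver that rewrites NXDOMAIN into an ad server's address answers all
    of them, with the same IP regardless of which parent zone was asked.
    """
    answers = {f"{random_label()}.{base}": None for base in base_domains}
    for host in answers:
        answers[host] = resolve(host)
    resolved = {h: ip for h, ip in answers.items() if ip is not None}
    distinct_ips = set(resolved.values())
    # Every unrelated parent domain resolving to one shared address is the
    # hallmark of a blanket rewrite; a real wildcard only covers its own zone.
    blanket = (
        len(base_domains) > 1
        and len(resolved) == len(base_domains)
        and len(distinct_ips) == 1
    )
    return {"answers": answers, "resolved": resolved, "blanket_rewrite": blanket}


# ---- constructed stand-ins for offline demonstration (assumed, not real) ----
HONEST_ZONE = {"www.example.com": "203.0.113.10"}   # the only name that exists
AD_SERVER_IP = "198.51.100.7"                       # placeholder ad-partner address
WILDCARD_IP = "203.0.113.20"                        # placeholder *.example.org record


def honest_resolver(hostname: str) -> Optional[str]:
    """Returns NXDOMAIN (None) for anything not in the zone."""
    return HONEST_ZONE.get(hostname)


def rewriting_resolver(hostname: str) -> Optional[str]:
    """Simulates an ISP resolver that replaces every NXDOMAIN with the ad server."""
    return HONEST_ZONE.get(hostname, AD_SERVER_IP)


def wildcard_resolver(hostname: str) -> Optional[str]:
    """Simulates a zone owner who legitimately publishes *.example.org."""
    if hostname.endswith(".example.org"):
        return WILDCARD_IP
    return HONEST_ZONE.get(hostname)


if __name__ == "__main__":
    bases = ["example.com", "example.org", "example.net"]
    for name, resolver in [("honest", honest_resolver),
                           ("rewriting", rewriting_resolver),
                           ("wildcard", wildcard_resolver)]:
        result = probe_nxdomain_hijack(bases, resolver)
        print(f"{name:>9}: blanket_rewrite={result['blanket_rewrite']} "
              f"resolved={result['resolved']}")
    # To test your own connection, swap in live_resolver and a few domains you
    # know have no wildcard; any answer at all means NXDOMAIN is being rewritten.
```

Probing more than one parent domain is the point: a single answered probe could be a wildcard the zone owner published on purpose, whereas the same address coming back for random labels under unrelated zones can only be the resolver talking. If the live check reports a rewrite, the host the browser lands on carries the victim site's name in the address bar and receives any cookies scoped to the parent domain, so the ad server's XSS posture is now part of every customer's attack surface.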