subdomains
"Edwards said, the crooks try to hide their presence once they've hijacked a subdomain, making the root URL show a 404 or "coming soon" message."
I have seen happening a lot with WordPress sites.
The root URL will show a "coming soon" or just a shell of a site that looks like it's under construction but is actually a SMTP server sending out spam and phishing emails.
I am usually very attentive to what goes on with my web browsers URL bar and keep an eye out for multiple redirects and other oddities.
(like when I went to log into my favorite IT site and noticed it redirected from .co.uk to .com)