Take a look at this explanation of subdomain hijaking via DNS cPanels. isc.sans * edu/diary/What+s+In+A+Name+/11770 (replace * with . and remove spaces since I don't have the ability to include URLS yet.) It seems that this is an easy way to get massive PR super fast. But, how hard is it to cover your tracks? And what brute force tools would you need to access a dns host? How would you take advantage of this totally BH method? I would just ride on an offline SEO client of mine if I thought it wouldn't be traced back to me and make me lose the client? In fact, I would be able to get a double ROI because anything I do for them also boosts my riding subdomain, and anything I do for myself will help my client see SERp results.