Re: How did the crims create the sub-domain?
Many domains have wildcard entry in zone file, pointing to some HTTP server sending 302 redirect to proper domain. If HTTP server has been compromised (as obviously it has), it should not be difficult to create one more website matching hostname that the crooks are wishing to hijack. No need to hack DNS server, just use what's already in place.