So, okay. Apparently some ISP's have started a practice of giving custom 404 pages with ads on them. This probably sounds like a great idea to a business major. For someone with a computer background, on the other hand, allowing actual data to be transferred to and from addresses that don't actually exist should probably sound like a bad idea. (Every net admin who actually implemented this system is unworthy of the job title.)
Per
The Reg, Earthlink's ad host allows for what they're calling Provider-in-the-Middle attacks (a variation on Man-in-the-Middle, in which a third party intercepts secure communications and tricks each side into believing he's the other). In essence, if you type in "ww.microsoft.com", you get a 404 page that your browser believes is actually on a valid Microsoft subdomain. Using an XSS vuln, someone can link to that phony subdomain and access your microsoft.com cookies and, I would imagine, set up phishing sites which pass a security cert check.
Earthlink's ad company has already closed the hole, but there are bound to be others like it. This is an inherently bad idea; deliberately spoofing a website is, by its very nature, an invitation for phishing attacks.
Dan Kaminsky, the security researcher who found the hole, has also tied the issue back to net neutrality -- this is, after all, a concrete example of ISP's interfering with the content their users receive.