A recent discovery by Infoblox reveals that nearly 800,000 vulnerable registered domains have been targeted by cybercriminals using the “Sitting Ducks” attack technique. This method allows attackers to hijack legitimate domains for phishing attacks and investment fraud schemes.
Since 2018, cybersecurity researchers have documented this vector, but it gained significant attention only recently after the scale of the hijacks was disclosed in August. Infoblox’s vice president of threat intelligence, Dr. Renee Burton, notes that while the number of hijackings hasn’t decreased, awareness around the topic has increased among customers.
The Sitting Ducks attack works by exploiting misconfigurations in domain name system (DNS) settings, particularly when a registered domain delegates authoritative DNS services to a provider other than the domain registrar. If that provider no longer serves the zone (a lame delegation) but still lets a new account claim the name, an attacker can seize control of the domain and publish DNS records without ever accessing the legitimate owner’s registrar account.
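A defender-side check for the condition just described, added here as an example (not code from Infoblox or the article): it classifies each delegated nameserver by what it returns to an SOA query for the domain and flags delegations where some or all nameservers do not serve the zone. The probe is injected as a callable, so the constructed sample responses below stand in for real lookups; a live probe would wrap dnspython’s `dns.query.udp` or a `dig` call and fill in the same `SoaProbe` fields.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass(frozen=True)
class SoaProbe:
    """Outcome of asking one delegated nameserver for the domain's SOA record."""
    rcode: str            # "NOERROR", "REFUSED", "SERVFAIL", "NXDOMAIN" or "TIMEOUT"
    authoritative: bool   # AA flag set in the response
    has_soa: bool         # an SOA record for exactly this zone came back

# (domain, nameserver) -> SoaProbe; supplied by the caller (live lookup or fixture)
Probe = Callable[[str, str], SoaProbe]

def classify_nameserver(p: SoaProbe) -> str:
    """A nameserver 'serves' the zone only if it answers authoritatively with an SOA."""
    if p.rcode == "TIMEOUT":
        return "unreachable"
    if p.rcode == "NOERROR" and p.authoritative and p.has_soa:
        return "serving"
    return "lame"   # REFUSED/SERVFAIL/NXDOMAIN or a non-authoritative answer

def assess_delegation(domain: str, nameservers: List[str], probe: Probe) -> Dict:
    """Verdict for the whole delegation: a lame nameserver at a provider that lets a
    new account create the unclaimed zone is the Sitting Ducks precondition."""
    per_ns = {ns: classify_nameserver(probe(domain, ns)) for ns in nameservers}
    serving = [ns for ns, s in per_ns.items() if s == "serving"]
    lame = [ns for ns, s in per_ns.items() if s == "lame"]
    if not serving:
        verdict = "fully-lame"        # nobody answers for the zone: highest risk
    elif lame:
        verdict = "partially-lame"    # some resolvers will still reach a claimable slot
    else:
        verdict = "healthy"
    return {"domain": domain, "per_nameserver": per_ns, "verdict": verdict}

# Constructed fixture: hypothetical domains and nameservers, not real observations.
SAMPLE = {
    ("example-a.test", "ns1.provider.test"): SoaProbe("REFUSED", False, False),
    ("example-a.test", "ns2.provider.test"): SoaProbe("REFUSED", False, False),
    ("example-b.test", "ns1.provider.test"): SoaProbe("NOERROR", True, True),
    ("example-b.test", "ns2.other.test"):    SoaProbe("SERVFAIL", False, False),
    ("example-c.test", "ns1.provider.test"): SoaProbe("NOERROR", True, True),
    ("example-c.test", "ns2.provider.test"): SoaProbe("NOERROR", True, True),
}

def fixture_probe(domain: str, ns: str) -> SoaProbe:
    return SAMPLE.get((domain, ns), SoaProbe("TIMEOUT", False, False))

if __name__ == "__main__":
    for d, nss in [("example-a.test", ["ns1.provider.test", "ns2.provider.test"]),
                   ("example-b.test", ["ns1.provider.test", "ns2.other.test"])]:
        print(assess_delegation(d, nss, fixture_probe))
```

The verdict is only a signal: a lame nameserver is exploitable in the Sitting Ducks sense only when the hosting provider lets an arbitrary account create the zone, so "fully-lame" and "partially-lame" domains are the ones to review with the provider.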
Infoblox has identified several threat actors, including Vacant Viper, Horrid Hawk, and Hasty Hawk, who have been using this technique for various malicious purposes, such as operating phishing campaigns, distributing malware, and conducting investment fraud schemes. These actors often use free accounts from service providers like DNS Made Easy to hijack domains for short periods before “losing” the domain.
The commonality among these attacks is rotational hijacking, where one domain is repeatedly taken over by different threat actors over time. Infoblox has noted that this technique allows attackers to maintain a wide range of malicious activities without being detected.
As a result, both businesses and individuals are at risk of malware, credential theft, and fraud. The fact that these domains often have high reputations and are not typically noticed by security vendors creates an environment where clever actors can deliver malware and commit fraudulent activities with relative ease.
Source: https://thehackernews.com/2024/11/experts-uncover-70000-hijacked-domains.html