DNS predators steal 70K websites with simple hack: researchers warned it was coming


In less than half a year, cybercrooks have hijacked 70,000 domains out of an estimated 800,000 that are vulnerable to a simple ‘Sitting Ducks’ attack. Security researchers had warned the attacks were imminent unless owners implemented a simple fix. Yet, few owners did.

In July 2024, Infoblox Threat Intel researchers alerted about the underreported and easily exploitable Sitting Ducks vulnerability, affecting millions of websites.

Since then, at least 70,000 domains tracked by researchers have fallen into the hands of attackers.


Among them are domains belonging to CBS Interactive, McDonald’s Corporation, JM Eagle, and Mississippi Baptist Health Systems. Hackers even hijacked Missouri.com, according to a new report.

“Victim domains include well-known brands, non-profits, and government entities,” Infoblox Threat Intel said.

All attackers need to do is take advantage of misconfigured DNS settings for a specific domain. These attacks are easy to execute and hard to detect. However, the configuration weakness, known as ‘lame delegation,’ is not recognized as an official CVE (Common Vulnerabilities and Exposures) entry by the authorities that assign them.

Some hijacked websites change hands frequently as threat actors compete and steal the same domains from each other.


How does it work?

As Cybernews reported previously, the Sitting Duck attack requires a few conditions. First, the domain name must be registered with one provider (the registrar), while a different provider handles the actual DNS services for that domain.

Then, the delegation has to be ‘lame’ (outdated or mismanaged). This means the name server the domain is delegated to holds no zone for the domain and cannot resolve its address.


Crucially, the DNS provider itself needs to be “exploitable” and allow attackers to “claim” the domains and set up new DNS records without accessing the real owner’s account.

It appears that misconfigured DNS name servers are very common and allow malicious actors to gain full control of the domain by taking over its DNS configuration.
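The second condition above, a lame delegation, is something a domain holder can check for themselves. The following is an added example written for this article, not code from Cybernews or Infoblox: it sends a non-recursive SOA query to each name server the domain is delegated to and flags any server that answers with an error code or without the authoritative-answer (AA) flag. The name-server names and IP addresses in the usage are constructed placeholders; the check says nothing about the other two conditions (a registrar separate from the DNS provider, and a provider that lets anyone claim the zone), which have to be reviewed at the providers themselves.

```python
"""Lame-delegation probe (added example; not from the article or Infoblox)."""
import socket
import struct
from typing import Callable, Dict

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_soa_query(domain: str, txid: int = 0x1234) -> bytes:
    """Build a DNS SOA query for the zone apex with RD=0 (no recursion wanted)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = domain.rstrip(".").split(".")
    qname = b"".join(struct.pack("B", len(l)) + l.encode() for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 6, 1)  # QTYPE=SOA, QCLASS=IN


def parse_header(resp: bytes) -> Dict[str, int]:
    """Extract rcode, AA flag and answer count from a DNS response header."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    return {"rcode": flags & 0x000F, "aa": (flags >> 10) & 1, "ancount": ancount}


def is_lame(resp: bytes) -> bool:
    """A server is lame for the zone if it errors, or answers NOERROR without AA/data."""
    h = parse_header(resp)
    return h["rcode"] != 0 or not (h["aa"] and h["ancount"] > 0)


def udp_query(ns_ip: str, domain: str, timeout: float = 3.0) -> bytes:
    """Send the SOA query to one name server over UDP port 53 and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_soa_query(domain), (ns_ip, 53))
        return s.recv(512)


def check_delegation(domain: str, ns_ips: Dict[str, str],
                     query: Callable[[str, str], bytes] = udp_query) -> Dict[str, str]:
    """Probe every delegated name server; returns {ns_name: 'ok' | 'lame (<reason>)'}."""
    results = {}
    for ns, ip in ns_ips.items():
        try:
            resp = query(ip, domain)
        except (socket.timeout, OSError):
            results[ns] = "lame (no response)"
            continue
        status = RCODE_NAMES.get(parse_header(resp)["rcode"], "rcode?")
        results[ns] = f"lame ({status})" if is_lame(resp) else "ok"
    return results


def constructed_response(flags: int, ancount: int = 0) -> bytes:
    """Constructed header-only reply used for offline testing (not a real server's output)."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)
```

Any name server reported as lame should be fixed or removed from the delegation at the registrar; a REFUSED answer from a third-party provider is the classic Sitting Ducks signature described above.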

“Overall, we estimate that over 1M registered domains are vulnerable to a Sitting Duck attack on a given day. Most vulnerable domains we have discovered have name servers assigned to one of a small handful of DNS providers,” the researchers warn.

Cybercrooks use hijacked domains with positive reputations to set up infrastructure for other cyberattacks, as they allow them to evade detection. Visitors can then be redirected to an attacker-controlled server, disseminating malicious content.

Cybercriminals often target free online services, like DNS Made Easy, to temporarily park domain names for 30-60 days. After the free period expires, the domains are ‘lost’ and claimed by other attackers.

And this attack vector is entirely preventable with correct configurations at the domain registrar and DNS providers.

“DNS misconfigurations are an oversight arising from many factors. Multiple parties can play a role in fixing them: the domain holder owns their domain configurations, and both registrars and DNS providers can make these types of hijacks harder to perform or easier to remediate,” Infoblox said.

The researchers discovered two main threat actors exploiting this vulnerability. The first one, dubbed Vacant Viper, steals 2,500 domains each year and uses them for spam operations, porn delivery, command and control centers, and malware distribution.

Another threat actor, Vextrio Viper, runs “the largest known cybercriminal affiliate program, routing compromised web traffic to over 65 affiliate partners.” It uses hijacked domains as part of its massive traffic distribution system.
