Massive Domain Heist: 70,000 Websites Silently Hijacked in ‘Sitting Ducks’ Cyber Campaign

“Sitting Ducks” Domain Hijacking: A Growing Cybersecurity Threat

Key Findings:
– Infoblox identified approximately 800,000 vulnerable domains over a three-month period, of which about 70,000 (9%) had already been successfully hijacked
– This attack vector has been in active use since 2018 and has affected major brands, non-profits, and government entities

How It Works:
The Sitting Ducks attack exploits a DNS misconfiguration that arises when all of the following hold:
1. The domain is registered with one provider but uses a different provider for authoritative DNS
2. The delegation is broken ("lame"): the registrar still points the domain at the DNS provider's nameservers, but that provider no longer serves a zone for it
3. The DNS provider lets anyone claim the domain and create a zone for it without proving ownership
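A defender-side check for the lame delegation described in step 2, added here as an illustrative example that is not from the Infoblox report. The DNS answers are constructed sample data so the script runs offline; in practice the two lookup functions would be replaced with real queries (for instance with dnspython).

```python
from dataclasses import dataclass, field

# Constructed sample data standing in for live DNS answers. For each domain:
# the nameservers the parent zone delegates to (registrar side), and whether
# each of those servers answers authoritatively for the zone (AA bit set).
# A server that answers REFUSED/SERVFAIL/no-zone for a domain it is
# delegated for is the "sitting duck" condition.
CONSTRUCTED_DELEGATIONS = {
    "healthy.example": ["ns1.dnsprov.test", "ns2.dnsprov.test"],
    "duck.example": ["ns1.dnsprov.test", "ns2.dnsprov.test"],
    "partial.example": ["ns1.dnsprov.test", "ns2.dnsprov.test"],
}
CONSTRUCTED_AUTH = {
    ("ns1.dnsprov.test", "healthy.example"): "authoritative",
    ("ns2.dnsprov.test", "healthy.example"): "authoritative",
    ("ns1.dnsprov.test", "duck.example"): "refused",
    ("ns2.dnsprov.test", "duck.example"): "refused",
    ("ns1.dnsprov.test", "partial.example"): "authoritative",
    ("ns2.dnsprov.test", "partial.example"): "servfail",
}

def parent_ns(domain):
    """NS set as seen from the parent zone (hypothetical stand-in for a real query)."""
    return CONSTRUCTED_DELEGATIONS.get(domain, [])

def auth_status(ns, domain):
    """Does `ns` answer authoritatively for `domain`? (constructed stand-in).
    With dnspython this would be: send dns.message.make_query(domain, 'SOA')
    via dns.query.udp to the server and check rcode() == 0 and flags & dns.flags.AA."""
    return CONSTRUCTED_AUTH.get((ns, domain), "no_answer")

@dataclass
class DelegationReport:
    domain: str
    verdict: str                       # healthy | partially_lame | lame | no_delegation
    lame_servers: list = field(default_factory=list)

def check_delegation(domain, get_parent_ns=parent_ns, get_auth=auth_status):
    """Classify a domain's delegation. A fully lame delegation is the
    precondition an attacker needs to claim the zone at the DNS provider."""
    servers = get_parent_ns(domain)
    if not servers:
        return DelegationReport(domain, "no_delegation")
    lame = [ns for ns in servers if get_auth(ns, domain) != "authoritative"]
    if not lame:
        verdict = "healthy"
    elif len(lame) == len(servers):
        verdict = "lame"
    else:
        verdict = "partially_lame"
    return DelegationReport(domain, verdict, lame)
```

Any domain reported as `lame` should be reconciled immediately: either recreate the zone at the DNS provider or remove the stale NS records at the registrar.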

Major Threat Actors and Their Activities:
– Vacant Viper: Operates 404 TDS, spreads malware (DarkGate, AsyncRAT)
– Horrid Hawk: Conducts investment fraud via Facebook ads
– Hasty Hawk: Runs phishing campaigns mimicking DHL and Ukraine donation sites
– VexTrio Viper: Operates TDS and various scam campaigns

Impact and Challenges:
– Difficult to detect due to legitimate domain reputation
– Enables various malicious activities including malware distribution, phishing, and fraud
– Some domains suffer "rotational hijacking," being taken over repeatedly by different attackers in turn
– Attackers hold hijacked domains for anywhere from 30 to 60 days up to much longer periods

Prevention requires regular monitoring of DNS configurations and maintaining proper security protocols between domain registrars and DNS providers.