Multiple threat actors have for years been taking advantage of an attack technique called Sitting Ducks to hijack legitimate domains for use in phishing attacks and investment fraud schemes.
The findings come from Infoblox, which said it identified nearly 800,000 vulnerable registered domains over the past three months, of which approximately 9% (70,000) have been subsequently hijacked.
“Cybercriminals have used this vector since 2018 to hijack tens of thousands of domain names,” the cybersecurity company said in a deep-dive report shared with The Hacker News. “Victim domains include well-known brands, non-profits, and government entities.”
The little-known attack vector, although originally documented by security researcher Matthew Bryant way back in 2016, didn’t attract a lot of attention until the scale of the hijacks was disclosed earlier this August.
“I believe there is more awareness [since then],” Dr. Renee Burton, vice president of threat intelligence at Infoblox, told The Hacker News. “While we haven’t seen the number of hijackings go down, we have seen customers very interested in the topic and grateful for awareness around their own potential risks.”
The Sitting Ducks attack, at its core, allows a malicious actor to seize control of a domain by leveraging misconfigurations in its domain name system (DNS) settings. This includes scenarios where the DNS points to the wrong authoritative name server.
However, certain prerequisites must be met to pull this off: a registered domain delegates authoritative DNS services to a provider other than the domain registrar; the delegation is lame; and the attacker can “claim” the domain at the DNS provider and set up DNS records without access to the valid owner’s account at the domain registrar.
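The first two prerequisites can be checked from the domain owner's side. The following is an added example, not code from Infoblox or the original article: it classifies an inventory of your own domains from the results of non-recursive SOA queries sent to each delegated name server. The function names, status labels, domains and provider names are all hypothetical, and treating any single lame name server as reportable is a conservative choice made for this example.

```python
# Added example: owner-side audit for the Sitting Ducks preconditions.
# Every domain, provider name and probe result here is constructed sample data.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class NsProbe:
    """Outcome of one non-recursive SOA query sent straight to a delegated NS."""
    nameserver: str
    rcode: Optional[str]   # "NOERROR", "REFUSED", "SERVFAIL"; None means timeout
    authoritative: bool    # AA flag in the response header

def is_lame(probe: NsProbe) -> bool:
    # A delegated server that cannot answer authoritatively for the zone is lame.
    return not (probe.rcode == "NOERROR" and probe.authoritative)

def assess(domain: str, registrar: str, dns_provider: str,
           probes: List[NsProbe]) -> dict:
    lame = [p.nameserver for p in probes if is_lame(p)]
    external = registrar.strip().lower() != dns_provider.strip().lower()
    if not lame:
        status = "ok"
    elif external:
        # Prerequisites 1 and 2 hold. Prerequisite 3 (can a stranger claim the
        # zone at the provider?) is not visible in DNS and needs a manual check.
        status = "sitting-duck-candidate"
    else:
        status = "lame-delegation"   # broken, but DNS is hosted at the registrar
    return {"domain": domain, "status": status, "lame_ns": lame}

# Constructed inventory: (domain, registrar, DNS provider, probe results).
INVENTORY = [
    ("shop.example", "RegistrarA", "DnsHostB", [
        NsProbe("ns1.dnshostb.example", "REFUSED", False),
        NsProbe("ns2.dnshostb.example", None, False)]),
    ("corp.example", "RegistrarA", "DnsHostB", [
        NsProbe("ns1.dnshostb.example", "NOERROR", True),
        NsProbe("ns2.dnshostb.example", "NOERROR", True)]),
    ("old.example", "RegistrarA", "RegistrarA", [
        NsProbe("ns1.registrara.example", "SERVFAIL", False)]),
]

def audit(inventory=INVENTORY) -> List[dict]:
    return [assess(*row) for row in inventory]

if __name__ == "__main__":
    for result in audit():
        print(result)
```

A domain reported as a candidate should have its delegation corrected at the registrar or its zone re-created at the DNS provider, and the provider's ownership-verification policy confirmed.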
Sitting Ducks is both easy to perform and stealthy, in part driven by the positive reputation that many of the hijacked domains have. Some of the domains that have fallen prey to the attacks include an entertainment company, an IPTV service provider, a law firm, an orthopedic and cosmetic supplier, a Thai online apparel store, and a tire sales firm.
The threat actors who hijack such domains take advantage of the brand reputation and the fact that the domains are unlikely to be flagged as malicious by security tools to accomplish their strategic goals.
“It is hard to detect because if the domain has been hijacked, then it is not lame,” Burton explained. “Without any other sign, like a phishing page or a piece of malware, the only signal is a change of IP addresses.”
“The number of domains is so vast that attempts to use IP changes to indicate malicious activity would lead to a lot of false positives. We ‘back in’ to tracking the threat actors that are hijacking domains by first understanding how they individually operate and then tracking that behavior.”
An important aspect that’s common to the Sitting Ducks attacks is rotational hijacking, where one domain is repeatedly taken over by different threat actors over time.
“Threat actors often use exploitable service providers that offer free accounts like DNS Made Easy as lending libraries, typically hijacking domains for 30 to 60 days; however, we’ve also seen other cases where actors hold the domain for a long period of time,” Infoblox noted.
“After the short-term, free account expires, the domain is ‘lost’ by the first threat actor and then either parked or claimed by another threat actor.”
Some of the prominent DNS threat actors that have been found “feasting on” Sitting Ducks attacks are listed below –
- Vacant Viper, which has used it to operate the 404 TDS, alongside running malicious spam operations, delivering porn, establishing command-and-control (C2), and dropping malware such as DarkGate and AsyncRAT (Ongoing since December 2019)
- Horrid Hawk, which has used it to conduct investment fraud schemes by distributing the hijacked domains via short-lived Facebook ads (Ongoing since at least February 2023)
- Hasty Hawk, which has used it to conduct widespread phishing campaigns that primarily mimic DHL shipping pages and fake donation sites that mimic supportukrainenow[.]org and claim to support Ukraine (Ongoing since at least March 2022)
- VexTrio Viper, which has used it to operate its TDS (Ongoing since early 2020)
Infoblox said a number of VexTrio Viper’s affiliates, such as GoRefresh, have also engaged in Sitting Ducks attacks to conduct fake online pharmaceutical campaigns, as well as gambling and dating scams.
“We have a few actors who appear to use the domains for malware C2 in which exfiltration is sent over mail services,” Burton said. “While others use them to distribute spam, these actors configure their DNS only to receive mail.”
This indicates that the bad actors are leveraging the seized domains for a broad spectrum of reasons, thereby putting both businesses and individuals at risk of malware, credential theft, and fraud.
“We have found several actors who have hijacked domains and held them for extensive periods of time, but we have been unable to determine the purpose of the hijack,” Infoblox concluded. “These domains tend to have a high reputation and are not typically noticed by security vendors, creating an environment where clever actors can deliver malware, commit rampant fraud, and phish user credentials without consequences.”