Several threat actors have been found using an attack method known as Sitting Ducks to hijack legitimate domains for use in phishing attacks and investment fraud schemes, in some cases for years.
According to findings from Infoblox, nearly 800,000 vulnerable registered domains were identified in the past three months, of which approximately 9% (70,000) were subsequently compromised.
“Cybercriminals have used this vector since 2018 to hijack tens of thousands of domain names,” the cybersecurity company said in a report published on The Hacker News. “Affected domains include well-known brands, nonprofits, and government organizations.”
The attack vector, originally documented by security researcher Matthew Bryant back in 2016, remained little known and did not attract much attention until the extent of the hijacking was made public in August of this year.
“I think awareness has increased (since then),” Dr. Renee Burton, vice president of threat intelligence at Infoblox, told The Hacker News. “While we are not seeing a decrease in the number of hijackings, we are seeing that customers are very interested in this topic and appreciate being made aware of their potential risks.”
A Sitting Ducks attack essentially allows an attacker to seize control of a domain by exploiting misconfigurations in the domain name system (DNS) settings, including scenarios where the delegation points to an authoritative name server that does not actually serve the zone.
There are, however, certain prerequisites: the registered domain delegates authoritative DNS service to a provider other than the domain registrar, that delegation is lame (the delegated name servers do not answer authoritatively for the zone), and an attacker can “claim” the domain at the DNS provider and configure DNS records without access to the owner’s valid account at the domain registrar.
Sitting Ducks is easy to execute and stealthy, due in part to the positive reputation of many of the hijacked domains. Domains that have been attacked include those of an entertainment company, an IPTV service provider, a law firm, a supplier of orthopedic and cosmetic products, a Thai online clothing store, and a tire company.
Threat actors that hijack such domains take advantage of their established reputation and the fact that they are less likely to be flagged as malicious by security tools, which helps them achieve their strategic goals.
“It’s hard to detect because if a domain has been hijacked, it’s not lame,” Burton explained. “Without any other signs, such as a phishing page or piece of malware, the only telltale sign is a change in IP addresses.”
“The number of domains is so large that trying to use IP address changes to indicate malicious activity would result in a large number of false positives. We’ve gone ‘back’ to tracking threats that hijack domains by first understanding how they work individually and then tracking that behavior.”
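The two points above, the preconditions for a domain to be a Sitting Duck (third-party DNS plus a lame delegation) and Burton's detection observation (a hijacked domain stops being lame while its registrar-side delegation never changes), can be expressed as a small assessment routine. The following is an added example written for this article, not Infoblox's tooling or anything from the report; it works offline on already-collected observations, the domain names, registrar and provider names are constructed placeholders, and the mapping from NS host to hosting provider is an assumption the caller supplies.

```python
"""Offline Sitting Ducks exposure check for a domain's DNS delegation.

Added example: it classifies observations that a separate collector would
gather (parent-zone NS delegation, registrar, the hosting provider behind each
NS host, and how each NS host answered an SOA query for the zone). Nothing
here touches the network.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class NsAnswer(Enum):
    AUTHORITATIVE = "authoritative"  # answered the zone with the AA bit set
    REFUSED = "refused"              # server is up but does not host the zone
    SERVFAIL = "servfail"
    TIMEOUT = "timeout"              # NS host unreachable or does not resolve


@dataclass
class Observation:
    domain: str
    registrar: str                   # company the domain is registered with
    ns_hosts: list                   # NS records published in the parent zone
    answers: dict                    # NS host -> NsAnswer for SOA <domain>
    ns_provider: dict                # NS host -> DNS hosting provider (assumed mapping)


@dataclass
class Assessment:
    lame: bool                       # no delegated NS answers authoritatively
    third_party_dns: bool            # some NS is hosted outside the registrar
    sitting_duck_candidate: bool     # a third-party NS exists that does not serve the zone
    exposed: list = field(default_factory=list)


def _serves_zone(obs: Observation, host: str) -> bool:
    return obs.answers.get(host, NsAnswer.TIMEOUT) is NsAnswer.AUTHORITATIVE


def _third_party(obs: Observation, host: str) -> bool:
    return obs.ns_provider.get(host, "unknown") != obs.registrar


def exposed_hosts(obs: Observation) -> list:
    """NS hosts delegated to a non-registrar provider that do not serve the zone.
    Those are the hosts where the zone could be created by someone who merely
    holds an account at that provider, which is the attack's precondition."""
    return [h for h in obs.ns_hosts if _third_party(obs, h) and not _serves_zone(obs, h)]


def assess(obs: Observation) -> Assessment:
    exposed = exposed_hosts(obs)
    return Assessment(
        lame=all(not _serves_zone(obs, h) for h in obs.ns_hosts),
        third_party_dns=any(_third_party(obs, h) for h in obs.ns_hosts),
        sitting_duck_candidate=bool(exposed),
        exposed=exposed,
    )


def hijack_signal(before: Observation, after: Observation) -> Optional[str]:
    """Flag a domain whose delegation is unchanged but whose previously lame,
    third-party NS hosts now answer authoritatively. A change in the NS set is a
    registrar-side event that the owner would have made, so it is ignored here;
    this keeps plain IP-address churn out of the alert."""
    if set(before.ns_hosts) != set(after.ns_hosts):
        return None
    newly_serving = [h for h in exposed_hosts(before) if _serves_zone(after, h)]
    if not newly_serving:
        return None
    return (f"{after.domain}: previously lame NS {', '.join(newly_serving)} "
            f"now authoritative with no delegation change")


# Constructed sample observations; domains, registrar and provider names are placeholders.
_NS = ["ns1.dnshost-example.test", "ns2.dnshost-example.test"]
_PROVIDER = {h: "DnsHostCo" for h in _NS}
BEFORE = Observation("brand-example.test", "RegistrarCo", _NS,
                     {h: NsAnswer.REFUSED for h in _NS}, _PROVIDER)
AFTER = Observation("brand-example.test", "RegistrarCo", _NS,
                    {h: NsAnswer.AUTHORITATIVE for h in _NS}, _PROVIDER)
SAFE = Observation("ok-example.test", "RegistrarCo", ["ns1.registrarco-example.test"],
                   {"ns1.registrarco-example.test": NsAnswer.AUTHORITATIVE},
                   {"ns1.registrarco-example.test": "RegistrarCo"})

if __name__ == "__main__":
    for obs in (BEFORE, AFTER, SAFE):
        print(obs.domain, assess(obs))
    print(hijack_signal(BEFORE, AFTER))
```

In practice the `Observation` values come from a parent-zone NS lookup, a registrar record and an SOA query sent directly to each delegated host; the check is run per domain in an inventory, and `hijack_signal` is compared against the previous snapshot so that only the lame-to-authoritative transition is raised.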
An important aspect common to Sitting Ducks attacks is rotational takeover, where a single domain is taken over by different threat actors over time.
“Threat actors often use service providers that offer free accounts, such as DNS Made Easy, as lending libraries, typically hijacking domains for 30 to 60 days; however, we have also seen other cases where entities have held a domain for an extended period of time,” Infoblox notes.
“After the short-term free account expires, the domain is ‘lost’ by the first threat actor and then either parked or taken by another threat actor.”
Some of the known DNS threat actors that have been found using Sitting Ducks attacks are listed below –
- Vacant Viper, who used it for 404 TDS operations, as well as malicious spam operations, porn delivery, command-and-control (C2) setup, and distribution of malware such as DarkGate and AsyncRAT (ongoing since December 2019)
- Horrid Hawk, who used it to run investment fraud schemes by promoting hijacked domains through short-lived Facebook ads (running since at least February 2023)
- Hasty Hawk, who used it to run widespread phishing campaigns that mainly impersonate DHL shipping pages and fake donation sites that impersonate supportukrainenow(.)org and claim to support Ukraine (running since at least March 2022)
- VexTrio Viper, who used it to operate its own TDS (ongoing from early 2020)
Infoblox reports that a number of VexTrio Viper affiliates, such as GoRefresh, have also been involved in Sitting Ducks attacks to run fake pharmaceutical campaigns online, as well as gambling and dating scams.
“We have several entities that appear to be using domains for malware C2 where the hijacked domains are used for email,” Burton said. “While others use them to spread spam, these actors configure their DNS only to receive mail.”
This suggests that attackers are using hijacked domains for a variety of reasons, putting both companies and individuals at risk of malware, credential theft, and fraud.
“We discovered several entities that seized domains and held them for an extended period of time, but we were unable to determine the purpose of the seizure,” Infoblox concluded. “These domains tend to be highly reputable and typically go unnoticed by security vendors, creating an environment where smart actors can deliver malware, commit rampant fraud, and spoof user credentials with impunity.”