Infoblox Threat Intel has published findings on a largely overlooked cyber threat: domain hijacking through "Sitting Ducks" attacks. The technique, in use since 2018, lets cybercriminals take control of a registered domain without touching the registrar account: the domain's nameserver records delegate it to a DNS provider that does not actually host the zone (a lame delegation), and the attacker simply claims the zone at that provider. Infoblox's latest report estimates that over 1 million registered domains are potentially vulnerable on any given day, a significant risk to organisations across sectors.
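The page does not spell out how to tell whether one of your own domains is exposed, so here is an added check (editor's example, not code from Infoblox or the report). It assumes the published precondition for a Sitting Ducks hijack: the domain is delegated to nameservers that do not answer authoritatively for it. The script sends a raw SOA query straight to each delegated nameserver and inspects the AA bit and RCODE of the reply; anything other than an authoritative NOERROR answer is flagged as lame. It uses only the standard library, so the nameserver list must be supplied on the command line (from `dig NS example.com` or the registrar panel); the hostnames and the constructed replies in the usage note are hypothetical.

```python
"""Lame-delegation check: does each nameserver delegated for a zone actually
answer authoritatively for it? Added example, stdlib only (no dnspython).

Usage (nameserver list from `dig NS example.com` or the registrar panel):
    python lame_check.py example.com ns1.provider.example ns2.provider.example
"""
import random
import socket
import struct
import sys

QTYPE_SOA, QCLASS_IN = 6, 1
FLAG_QR, FLAG_AA = 0x8000, 0x0400
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_soa_query(zone, txid):
    """Minimal DNS SOA query. RD=0: we want the server's own answer, not a recursive lookup."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = zone.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def parse_header(data):
    """Decode the 12-byte DNS header; the AA bit and RCODE are all this check needs."""
    if len(data) < 12:
        raise ValueError("truncated DNS response")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & FLAG_QR:
        raise ValueError("not a response")
    return {"id": txid, "aa": bool(flags & FLAG_AA), "rcode": flags & 0x000F, "answers": ancount}


def classify(hdr):
    """Verdict for one nameserver: only NOERROR + AA + at least one answer counts as healthy."""
    if hdr["rcode"] == 0 and hdr["aa"] and hdr["answers"] > 0:
        return "ok"
    if hdr["rcode"] == 0 and not hdr["aa"]:
        # A recursive resolver (or a server that hosts some other zone) answers without AA.
        return "lame: answered non-authoritatively (open resolver or wrong zone)"
    # REFUSED / SERVFAIL are the typical replies from a provider that does not host the zone.
    return "lame: %s" % RCODE_NAMES.get(hdr["rcode"], str(hdr["rcode"]))


def query_nameserver(ns_host, zone, timeout=3.0):
    """Send the SOA query directly to one delegated nameserver over UDP (network required)."""
    txid = random.randint(0, 0xFFFF)
    addr = (socket.gethostbyname(ns_host), 53)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_soa_query(zone, txid), addr)
        data, _ = sock.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    return hdr


def check_delegation(zone, nameservers, query=query_nameserver):
    """Return {nameserver: verdict}. `query` is injectable so the logic can run offline."""
    verdicts = {}
    for ns in nameservers:
        try:
            verdicts[ns] = classify(query(ns, zone))
        except (OSError, ValueError) as exc:  # timeout, resolution failure, bad packet
            verdicts[ns] = "lame: no usable reply (%s)" % exc
    return verdicts


def lame_nameservers(verdicts):
    """Delegated servers that did not answer authoritatively, sorted for stable output."""
    return sorted(ns for ns, verdict in verdicts.items() if verdict != "ok")


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: lame_check.py ZONE NS1 [NS2 ...]")
    zone, servers = sys.argv[1], sys.argv[2:]
    result = check_delegation(zone, servers)
    for ns, verdict in result.items():
        print(f"{ns:40} {verdict}")
    if lame_nameservers(result):
        print("WARNING: lame delegation. If the provider lets anyone claim this zone, "
              "the domain is a Sitting Duck: fix or remove the delegation.")
```

A lame verdict is necessary but not sufficient for a hijack: the domain is only claimable if that DNS provider hands out unclaimed zones without verifying ownership, which the script cannot test. Treat every lame delegation as something to fix regardless, since it breaks resolution anyway and a provider's claim policy can change. Run it from a host with unfiltered outbound UDP/53; corporate resolvers that intercept port 53 will make every nameserver look like an open resolver.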
The report builds on Infoblox's earlier research: roughly 800,000 domains have been identified as vulnerable, and around 70,000 of them have already been hijacked. That gap between exposed and exploited domains is the window in which defenders can still act, and it underscores the need for awareness and proactive measures across the security community.
Several threat actors have built their operations on this technique, among them Vacant Viper and Vextrio Viper. Vacant Viper has hijacked about 2,500 domains a year since late 2019 and uses them to feed a malicious traffic distribution system called 404TDS.
404TDS supports a range of criminal activity: spam distribution, delivery of malware such as DarkGate and AsyncRAT, and hosting of command-and-control (C2) infrastructure for remote access trojans (RATs). Notably, Vacant Viper selects domains for their established reputation rather than for any particular brand, so the hijacked names pass through reputation-based security controls that would block a freshly registered domain.
Vextrio Viper, another major player, runs one of the largest cybercriminal affiliate programs and uses hijacked domains to route compromised web traffic to more than 65 partners. Active since early 2020, it employs sophisticated evasion, including Russian anti-bot services that screen out security researchers and scanners before the malicious content is served.
Two newly identified actors, Horrid Hawk and Hasty Hawk, are also exploiting Sitting Ducks domains. Horrid Hawk runs investment fraud schemes, using hijacked domains to host convincing advertisements for government programs that do not exist; its campaigns run in multiple languages and reach a global audience through social media platforms.
Hasty Hawk, active since March 2022, has hijacked more than 200 domains for phishing campaigns, mostly imitating DHL shipping pages and fake donation sites for Ukraine. It changes campaign themes frequently and uses a variety of distribution channels to maximise reach.
Infoblox's findings underscore the need for organisations to harden their defences as hijacking tactics continue to evolve. The immediate control is unglamorous: audit every owned domain's nameserver delegation, and remove or reclaim any delegation to a DNS provider that no longer hosts the zone, since that stale delegation is what makes the domain claimable in the first place.