Thousands of web domains hijacked in "sitting ducks" attack


  • "Sitting Ducks" attack allows crooks to take full control of target domain
  • Almost a million websites vulnerable to takeover, experts warn
  • Tens of thousands of websites already compromised this way

“Sitting Ducks” might not be a particularly known method of cyberattacks, but it is still quite widespread, and pretty disruptive, experts have warned.

A report from cybersecurity researchers at Infoblox Threat Intel claims almost a million websites are vulnerable, and roughly 70,000 were already compromised this way.

In a new report, Infoblox notes although the attack vector has been around since 2018, it never garnered much attention from the media, or the cybersecurity community. Still, tens of thousands of victims have had their domain names hijacked since then, including “well-known brands, non-profits, and government entities”. The report hasn’t named any organizations, though.

Vipers, Hawks, and other predators

during a Sitting Ducks attack, the threat actor gains full control of the target domain, by taking over its DNS configurations. This has many implications and carries heavy consequences. When hackers take full control of a domain’s DNS configuration, they can funnel compromised web traffic to malware, phishing sites, or spam networks. They can also deliver infostealers, engage in fraud, or affiliate cybercrime programs.

However, Infoblox started monitoring the internet for Sitting Ducks attacks last summer, to alarming results: “The results are very sobering, as 800,000 vulnerable domains were identified, and about 70,000 of those were later identified as hijacked.”

The researchers claim that there are multiple threat actors currently exploiting Sitting Ducks, including Vacant Viper, the “OG” of the exploit, hijacking an estimated 2,500 domains each year since late 2019.

Another group, called Vextrio Viper, was seen using hijacked domains as part of their “massive TDS infrastructure” since early 2020. Infoblox says Vextrio runs “the largest known cybercriminal affiliate program”.

It also mentioned new threat actors, such as Horrid Hawk, and Hasty Hawk, named as they “swoop in and hijack vulnerable domains”.

You might also like



Post a Comment

0 Comments