Thousands of web domains have been hijacked
- The ‘Sitting Ducks’ attack allows crooks to take full control of the target domain
- Nearly a million websites vulnerable to takeover, experts warn
- Tens of thousands of websites have already been compromised in this way
‘Sitting ducks’ may not be a particularly well-known method of cyberattack, but it is still widespread and quite disruptive, experts warn.
A report from cybersecurity researchers at Infoblox Threat Intel claims that nearly a million websites are vulnerable, and around 70,000 have already been compromised in this way.
In a new report, Infoblox notes that while the attack vector has been around since 2018, it has never received much attention from the media or the cybersecurity community. Yet the domain names of tens of thousands of victims have since been hijacked, including “well-known brands, nonprofits and government agencies.” The report does not, however, name any of the affected organizations.
Vipers, hawks and other predators
During a Sitting Ducks attack, the threat actor gains full control of the target domain by taking over its DNS configuration. This has many implications and serious consequences. Once attackers control a domain’s DNS configuration, they can redirect its web traffic to malware, phishing sites, or spam networks. They may also distribute infostealers, commit fraud, or feed the hijacked domains into cybercrime affiliate programs.
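The precondition a defender can check for is a lame delegation: the parent zone delegates a domain to nameservers that no longer serve an authoritative zone for it, which is what lets someone else claim that zone name at the DNS provider. The following is an added example, not code from the article or from Infoblox; all domains, nameserver hostnames and zone data are constructed, and a real audit would replace the two dictionaries with live queries (the parent’s NS records, then each nameserver asked directly with recursion disabled, treating REFUSED or a non-authoritative answer as lame).

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample data (hypothetical names, not from the report).
# PARENT_DELEGATION: what the parent zone's NS records say for each domain.
PARENT_DELEGATION = {
    "shop.example": ["ns1.dns-provider.test", "ns2.dns-provider.test"],
    "blog.example": ["ns1.dns-provider.test", "ns2.dns-provider.test"],
    "cdn.example":  ["ns1.other-provider.test"],
}
# AUTHORITATIVE_ZONES: which zones each nameserver host actually answers for
# with the AA bit set. A delegated host with no zone for the domain is "lame".
AUTHORITATIVE_ZONES = {
    "ns1.dns-provider.test":   {"shop.example"},
    "ns2.dns-provider.test":   {"shop.example"},
    "ns1.other-provider.test": set(),   # hosted zone for cdn.example lapsed
}

@dataclass
class DelegationStatus:
    domain: str
    delegated: list[str]     # nameservers listed in the parent zone
    lame_servers: list[str]  # those that are not authoritative for the domain

    @property
    def fully_lame(self) -> bool:
        """No delegated nameserver serves the zone: the domain is a sitting
        duck if the provider lets a fresh account create a zone by that name."""
        return bool(self.delegated) and len(self.lame_servers) == len(self.delegated)

def check_delegation(domain: str, delegation=PARENT_DELEGATION,
                     zones=AUTHORITATIVE_ZONES) -> DelegationStatus:
    """Compare the parent-side delegation with what each nameserver serves."""
    servers = delegation.get(domain, [])
    lame = [ns for ns in servers if domain not in zones.get(ns, set())]
    return DelegationStatus(domain, servers, lame)

def find_sitting_ducks(delegation=PARENT_DELEGATION,
                       zones=AUTHORITATIVE_ZONES) -> list[str]:
    """Domains whose every delegated nameserver is lame (sorted for stable output)."""
    return sorted(d for d in delegation
                  if check_delegation(d, delegation, zones).fully_lame)

if __name__ == "__main__":
    for name in PARENT_DELEGATION:
        status = check_delegation(name)
        verdict = ("FULLY LAME: claimable at provider" if status.fully_lame
                   else "partially lame" if status.lame_servers else "ok")
        print(f"{name}: {verdict} {status.lame_servers}")
```

Partially lame delegations are worth fixing too, since a single lame host still hands an attacker a share of the domain’s resolution if they can claim the zone there.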
Infoblox began monitoring the internet for Sitting Ducks attacks last summer, with alarming results: “The results are very sobering, as 800,000 vulnerable domains were identified and approximately 70,000 of those were later identified as hijacked.”
The researchers claim that there are currently multiple threat actors exploiting Sitting Ducks, including Vacant Viper, the “OG” of the exploit, which has been hijacking an estimated 2,500 domains annually since late 2019.
Another group, called Vextrio Viper, has been using hijacked domains as part of its “massive TDS infrastructure” since early 2020. Infoblox says Vextrio runs “the largest known cybercriminal affiliate program.”
The report also names newer threat actors, such as Horrid Hawk and Hasty Hawk, cited for “invading and hijacking vulnerable domains.”