Cybersecurity researchers have exposed a large-scale domain hijacking campaign known as the “Sitting Ducks” attack, which has compromised approximately 70,000 legitimate domains over the past three months. The attack exploits misconfigurations in the domain name system (DNS) to gain unauthorized control of domains, a tactic that has been actively used by cybercriminals since 2018. Infoblox, the cybersecurity firm behind the discovery, revealed that over 800,000 domains were found vulnerable, with attackers targeting a diverse range of victims, including renowned brands, non-profits, and government entities.
The Sitting Ducks technique takes advantage of DNS configurations in which authoritative DNS service is delegated to an external provider but the delegation is improperly configured. Threat actors can then “claim” these domains without needing any access to the registrar accounts. This stealthy method was first documented in 2016 but gained significant attention in 2024 after researchers highlighted the staggering scale of hijacked domains. Rotational hijacking is common in these attacks: cybercriminals use free DNS services to hold a domain for a short period, after which control passes to another threat actor.
Infoblox identified several prominent threat groups leveraging this attack vector for various malicious activities. For instance, Vacant Viper has used Sitting Ducks attacks to operate traffic direction systems (TDS) and distribute malware like DarkGate and AsyncRAT. Similarly, Horrid Hawk has employed hijacked domains for investment fraud schemes via short-lived social media campaigns, while Hasty Hawk has focused on phishing operations mimicking reputable organizations. In many cases, attackers also utilize these domains for spam and malware command-and-control (C2) infrastructure, further complicating detection and mitigation efforts.
The high reputation of hijacked domains makes them less likely to trigger security alerts, posing a significant threat to businesses and individuals alike. Experts warn that without robust DNS security measures, domains remain vulnerable to such exploits, exposing users to phishing, malware, and fraud risks. Infoblox urges organizations to routinely audit their DNS configurations and ensure proper delegation to mitigate the threat. As cybercriminals continue to refine their tactics, awareness and proactive defense are crucial to safeguarding digital assets.
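An added example, not code from the article or from Infoblox: an offline classifier for the improperly configured delegation the attack depends on, which a defender could run over the results of the DNS audit Infoblox recommends. The nameserver names and probe outcomes are constructed; the probe format assumes each nameserver the parent zone delegates to was queried for the domain's SOA record and its response code and AA flag were recorded.

```python
# A domain is exposed to Sitting Ducks when the parent zone's NS records point
# at a provider's nameservers that do not actually serve the zone (a "lame"
# delegation), because anyone with an account at that provider may then add
# the zone and take control. This module classifies audit results; it does no
# network I/O, so the probe outcomes must be gathered separately.
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    """Outcome of asking one delegated nameserver for the zone's SOA."""
    nameserver: str
    rcode: str           # "NOERROR", "REFUSED", "SERVFAIL", "NXDOMAIN", "TIMEOUT"
    authoritative: bool  # AA flag set in the response
    has_soa: bool        # an SOA record for the domain was returned


def is_lame(p: Probe) -> bool:
    # A healthy authoritative server answers NOERROR, sets AA and returns the SOA;
    # anything else means this nameserver is not serving the zone.
    return p.rcode != "NOERROR" or not p.authoritative or not p.has_soa


def assess_delegation(domain: str, delegated_ns: set, probes: list) -> dict:
    """Compare the parent's NS set with what each nameserver actually serves."""
    probed = {p.nameserver for p in probes}
    lame = sorted(p.nameserver for p in probes if is_lame(p))
    unprobed = sorted(delegated_ns - probed)  # delegated but never answered
    if not delegated_ns:
        status = "no-delegation"
    elif lame or unprobed:
        status = "at-risk"  # even one lame NS is enough for a takeover attempt
    else:
        status = "ok"
    return {"domain": domain, "status": status, "lame": lame, "unprobed": unprobed}


# Constructed sample: the registrar still delegates to a provider that has
# dropped the zone on one of its servers, so ns1 refuses the SOA query.
SAMPLE_NS = {"ns1.provider.example", "ns2.provider.example"}
SAMPLE_PROBES = [
    Probe("ns1.provider.example", "REFUSED", False, False),
    Probe("ns2.provider.example", "NOERROR", True, True),
]

if __name__ == "__main__":
    print(assess_delegation("victim.example", SAMPLE_NS, SAMPLE_PROBES))
```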