- “Sitting Ducks” Attack Allows Criminals to Take Full Control of Target Domain
- Nearly a million websites are vulnerable to takeover, experts warn
- Tens of thousands of websites are already compromised in this way
Experts warn that “sitting ducks” may not be a widely known cyberattack technique, but it is both widespread and highly disruptive.
A report from cybersecurity researchers at Infoblox Threat Intel states that nearly one million websites are vulnerable and approximately 70,000 were already compromised in this way.
In a new report, Infoblox notes that although the attack vector has been around since 2018, it never attracted much attention from the media or the cybersecurity community. Still, the domain names of tens of thousands of victims have since been hijacked, including “well-known brands, nonprofit organizations, and government entities.” However, the report does not name any organizations.
Adders, hawks and other predators
In a Sitting Ducks attack, the threat actor gains full control of the target domain by taking over its DNS configuration. The precondition is a so-called lame delegation: the domain's registrar points the name at an authoritative DNS provider where the zone is not, or is no longer, set up, and that provider lets anyone claim the name without proving ownership of it. Once hackers control a domain's DNS, they can send its visitors to malware, phishing pages, or spam networks, distribute information-stealing malware, commit fraud, or rent the domain into cybercrime affiliate programs.
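The check a domain owner would want before reading the rest of the report is whether their own delegation is lame. The script below is an added example, not code from Infoblox or from the article: it queries each nameserver the domain is delegated to for the zone's SOA and treats an unreachable server, a non-NOERROR response, or a non-authoritative answer as lame. The response shape (`NsAnswer`) and the sample answers are constructed for the example; the live probe at the bottom is only used if the optional dnspython package is installed. Note that a fully lame delegation is necessary but not sufficient for a hijack: whether the provider lets a stranger claim the zone is a policy question the script cannot answer.

```python
"""Lame-delegation check: the precondition a Sitting Ducks hijack needs."""
from dataclasses import dataclass
from typing import List


@dataclass
class NsAnswer:
    """One delegated nameserver's reply to an SOA query for the domain (constructed shape)."""
    nameserver: str
    reachable: bool          # did the server answer at all
    rcode: str               # DNS rcode text: NOERROR, REFUSED, SERVFAIL, NXDOMAIN, ...
    authoritative: bool      # AA flag set on the response


def is_lame(answer: NsAnswer) -> bool:
    """A delegated server that cannot or will not serve the zone authoritatively is lame."""
    if not answer.reachable:
        return True
    if answer.rcode != "NOERROR":
        return True
    return not answer.authoritative


def assess_delegation(domain: str, answers: List[NsAnswer]) -> str:
    """Classify the delegation as 'no-delegation', 'healthy', 'partially-lame' or 'fully-lame'.

    'fully-lame' is the state a Sitting Ducks attacker looks for: every server the
    registrar points at has no zone for the name, so whoever can claim the name at
    that provider becomes authoritative for the whole domain.
    """
    if not answers:
        return "no-delegation"
    lame = [a.nameserver for a in answers if is_lame(a)]
    if len(lame) == len(answers):
        return "fully-lame"
    if lame:
        return "partially-lame"
    return "healthy"


def lame_servers(answers: List[NsAnswer]) -> List[str]:
    """Names of the delegated servers that failed the check, for the report."""
    return [a.nameserver for a in answers if is_lame(a)]


# Constructed sample: a domain whose registrar still delegates to a provider
# where the zone was deleted, so both servers answer REFUSED (hypothetical names).
SAMPLE_FULLY_LAME = [
    NsAnswer("ns1.provider.example", True, "REFUSED", False),
    NsAnswer("ns2.provider.example", True, "REFUSED", False),
]

# Constructed sample: one server still serves the zone, the other was decommissioned.
SAMPLE_PARTIALLY_LAME = [
    NsAnswer("ns1.provider.example", True, "NOERROR", True),
    NsAnswer("ns2.provider.example", False, "", False),
]


def probe_domain(domain: str, timeout: float = 3.0) -> List[NsAnswer]:
    """Live check using dnspython (optional dependency); returns one NsAnswer per NS."""
    import dns.flags
    import dns.message
    import dns.query
    import dns.rcode
    import dns.resolver

    answers: List[NsAnswer] = []
    for ns_rr in dns.resolver.resolve(domain, "NS"):
        ns_name = str(ns_rr.target).rstrip(".")
        try:
            ip = dns.resolver.resolve(ns_name, "A")[0].address
            reply = dns.query.udp(dns.message.make_query(domain, "SOA"), ip, timeout=timeout)
            answers.append(NsAnswer(ns_name, True, dns.rcode.to_text(reply.rcode()),
                                    bool(reply.flags & dns.flags.AA)))
        except Exception:
            # Unresolvable or silent nameserver: lame from the resolver's point of view.
            answers.append(NsAnswer(ns_name, False, "", False))
    return answers


if __name__ == "__main__":
    for label, sample in (("constructed fully lame", SAMPLE_FULLY_LAME),
                          ("constructed partially lame", SAMPLE_PARTIALLY_LAME)):
        print(label, "->", assess_delegation("victim.example", sample), lame_servers(sample))
```

Run `probe_domain("yourdomain.example")` and feed the result to `assess_delegation` to check a real domain; a `fully-lame` verdict means the delegation should be fixed at the registrar, or the zone re-created at the delegated provider, before someone else creates it for you.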
Infoblox began monitoring the Internet for Sitting Ducks attacks last summer, with alarming results: “The results are very sobering, as 800,000 vulnerable domains were identified, and around 70,000 of them were subsequently identified as hijacked.”
Researchers say there are currently multiple threat actors exploiting Sitting Ducks, including Vacant Viper, the “OG” of the exploit, hijacking approximately 2,500 domains each year since late 2019.
Another group, called Vextrio Viper, has been seen using hijacked domains as part of its “massive TDS infrastructure” (traffic distribution system) since early 2020. Infoblox says Vextrio runs “the largest known cybercriminal affiliate program.”
The report also mentions newer threat actors, such as Horrid Hawk and Hasty Hawk, so named because they “swoop in and hijack vulnerable domains.”