Thousands of web domains hijacked in "sitting ducks" attack

A relatively unknown attack method is leaving thousands of websites compromised

· TechRadar

News By Sead Fadilpašić published 15 November 2024

(Image credit: Shutterstock) (Image credit: Shutterstock)

  • "Sitting Ducks" attack allows crooks to take full control of target domain
  • Almost a million websites vulnerable to takeover, experts warn
  • Tens of thousands of websites already compromised this way

“Sitting Ducks” might not be a particularly known method of cyberattacks, but it is still quite widespread, and pretty disruptive, experts have warned.

A report from cybersecurity researchers at Infoblox Threat Intel claims almost a million websites are vulnerable, and roughly 70,000 were already compromised this way.

In a new report, Infoblox notes although the attack vector has been around since 2018, it never garnered much attention from the media, or the cybersecurity community. Still, tens of thousands of victims have had their domain names hijacked since then, including “well-known brands, non-profits, and government entities”. The report hasn’t named any organizations, though.

Vipers, Hawks, and other predators

during a Sitting Ducks attack, the threat actor gains full control of the target domain, by taking over its DNS configurations. This has many implications and carries heavy consequences. When hackers take full control of a domain’s DNS configuration, they can funnel compromised web traffic to malware, phishing sites, or spam networks. They can also deliver infostealers, engage in fraud, or affiliate cybercrime programs.

However, Infoblox started monitoring the internet for Sitting Ducks attacks last summer, to alarming results: “The results are very sobering, as 800,000 vulnerable domains were identified, and about 70,000 of those were later identified as hijacked.”

The researchers claim that there are multiple threat actors currently exploiting Sitting Ducks, including Vacant Viper, the “OG” of the exploit, hijacking an estimated 2,500 domains each year since late 2019.

Another group, called Vextrio Viper, was seen using hijacked domains as part of their “massive TDS infrastructure” since early 2020. Infoblox says Vextrio runs “the largest known cybercriminal affiliate program”.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Contact me with news and offers from other Future brandsReceive email from us on behalf of our trusted partners or sponsors