Infoblox Threat Intel identifies new malicious DNS threat actors linked to domain hijacking
Posted: Friday, Nov 15

Hijacking domains using a 'Sitting Ducks' attack remains an under-recognised topic in the cybersecurity community. Few threat researchers are familiar with this attack vector and knowledge is scarce. However, the prevalence of these attacks and the risk to organisations are significant.

Following its initial publication on Sitting Ducks, Infoblox Threat Intel delved deeper into this topic. The result is a new, eye-opening report estimating that over one million registered domains could be vulnerable daily. The report also explores the widespread use of the attack and how multiple actors leverage it to strengthen their malicious campaigns.

More evidence found on Sitting Ducks Attacks

During a Sitting Ducks attack, the malicious actor gains full control of the domain by taking over its DNS configurations. Cybercriminals have used this vector since 2018 to hijack tens of thousands of domain names. Victim domains include well-known brands, non-profits, and government entities. Infoblox Threat Intel crafted a monitoring initiative after the initial paper on Sitting Ducks attacks was published in July 2024. The results are very sobering, as 800,000 vulnerable domains were identified, and about 70,000 of those were later identified as hijacked.

The Vipers and Hawks Feasting on Sitting Ducks Attacks

Vacant Viper

Vacant Viper is one of the earliest known threat actors to exploit 'Sitting Ducks' and has hijacked an estimated 2,500 domains each year since December 2019. This actor uses hijacked domains to augment its malicious traffic distribution system (TDS) called 404TDS, with the intention to run malicious spam operations, deliver porn, establish remote access trojan (RAT) C2s, and drop malware such as DarkGate and AsyncRAT. Vacant Viper does not hijack domains for a specific brand connection but instead for a set of domain resources that have high reputations and will not be blocked by security vendors. The newly published report lists examples of attack chains showing redirection techniques used both by the 404TDS and its affiliates, including how Vacant Viper uses hijacked domains in the 404TDS.

Vextrio Viper

This actor has used hijacked domains as part of its massive TDS infrastructure since early 2020. Vextrio runs the largest known cybercriminal affiliate program, routing compromised web traffic to over 65 affiliate partners, some of whom have also stolen domains via 'Sitting Ducks' for their own malicious activities. Many of these affiliates use a Russian antibot service to filter out bots and security researchers. The antibot service lets its users set rules that block certain bot services or visitors based on attributes such as IP geolocation and user-agent.

New Actors – Horrid Hawk and Hasty Hawk

The animal designation of Hawks was given because the threat actors swoop in and hijack vulnerable domains, much like hawks dive down to snatch their prey. Infoblox has named several new actors thriving on hijacked domains.

  • Horrid Hawk: A DNS threat actor that has been hijacking domains and using them for investment fraud schemes since at least February 2023. This actor is interesting because it uses hijacked domains in every step of its campaigns, crafting convincing lures containing non-existent government investment programs or summits. It embeds the hijacked domains in short-lived Facebook ads targeting users in over 30 languages spanning multiple continents.
  • Hasty Hawk: Another threat actor discovered during Infoblox's research into 'Sitting Ducks' hijackings. Since at least March 2022, Hasty Hawk has hijacked over 200 domains to operate widespread phishing campaigns that primarily spoof DHL shipping pages and fake donation sites to support Ukraine. The actor exploits many providers, often reconfiguring hijacked domains to host content on Russian IPs. Hasty Hawk uses Google Ads and other means, such as spam messages, to distribute malicious content. It also uses a TDS to route users to different webpages that vary in content and language depending on their geolocation and other user characteristics. Hasty Hawk switches some of its domains back and forth between various campaign themes.


The full report can be found here. More information on the Sitting Duck vulnerability can be found here.
