Over 1 Million Domains At Risk Of Hijacking

Over a million domains are vulnerable to a type of attack known as a Sitting Ducks attack

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
Over a million domains are vulnerable to a type of attack known as a Sitting Ducks attack. This powerful attack vector exploits weaknesses in the domain name system (DNS) to hijack domains stealthily. A joint analysis by Infoblox and Eclypsium has revealed that over a dozen Russian-nexus cybercriminal actors are exploiting this method to take over domains without accessing the true owner's account at the DNS provider or registrar.

What is a Sitting Ducks Attack?

Mechanism of the Attack

In a Sitting Ducks attack, the attacker hijacks a currently registered domain at an authoritative DNS service or web hosting provider. This is achieved without accessing the true owner's account at either the DNS provider or the domain registrar. This method is:

  • Easier to Perform: Compared to other domain hijacking methods.

  • More Likely to Succeed: Due to the nature of the attack vector.

  • Harder to Detect: Making it a significant threat.

How It Works

  1. Incorrect Configuration: The attack exploits incorrect configurations at the domain registrar and the authoritative DNS provider.

  2. Lame Delegation: The nameserver is unable to respond authoritatively for a domain it is listed to serve, creating a vulnerability.

  3. Claiming Ownership: The attacker can claim ownership of the domain at the delegated authoritative DNS provider without having access to the valid owner’s account at the domain registrar.

  4. Domain Expiration: If the authoritative DNS service for a domain expires, the attacker can create an account with the provider and claim ownership of the domain, impersonating the legitimate brand.

Historical Context

The Sitting Ducks attack technique was first documented by The Hacker Blog in 2016, yet it remains largely unknown and unresolved. Since 2018, over 35,000 domains are estimated to have been hijacked using this method.

Dangers of the Sitting Ducks Attack

Once a domain has been taken over, it can be used for various malicious activities, including:

  • Serving Malware: Distributing harmful software to unsuspecting users.

  • Conducting Spam Campaigns: Sending unsolicited emails to a large number of recipients.

  • Abusing Trust: Exploiting the trust associated with the legitimate domain owner to carry out fraudulent activities.

These attacks can severely damage a brand’s reputation, lead to financial losses, and compromise sensitive information.

Who Is at Risk?

Domain Owners

Any organization or individual owning a domain is at risk, particularly if:

  • The domain registrar and authoritative DNS provider configurations are incorrect.

  • The nameserver is subject to lame delegation.

  • The authoritative DNS service for the domain is vulnerable to exploitation.

Users and Customers

End-users who interact with hijacked domains are also at risk. They may:

  • Download malware from trusted-looking sources.

  • Fall victim to phishing scams and other frauds conducted via hijacked domains.

  • Have their personal information stolen or misused.

How to Protect Yourself

Check Domain Configurations

Regularly review and correct configurations at both the domain registrar and the authoritative DNS provider. Ensure that nameservers can respond authoritatively for the domains they are listed to serve.
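The check described here, and the lame-delegation condition in step 2 of "How It Works" above, can be tested directly: take the NS hostnames the parent zone delegates a domain to, ask each of those servers for the zone's apex SOA with recursion disabled, and confirm it answers NOERROR with the AA (authoritative answer) bit set. The script below is an added example written for this article, not code from Cyber Syrup, Infoblox or Eclypsium. It uses only the standard library, so it speaks wire-format DNS itself; the nameserver-to-IP mapping is assumed to have been collected from the parent's delegation by the operator (a `dig +norecurse NS example.com @<parent nameserver>` lookup, for instance), and the `make_reply` helper plus the `192.0.2.x` addresses and `example.com` names in the demo are constructed so the example runs offline. Classification is by response header only (rcode, AA bit, answer count); a fuller audit would also compare the SOA serial and NS set returned by each server against the parent's records.

```python
"""Lame-delegation check: does every delegated nameserver answer authoritatively?"""
import random
import socket
import struct

DNS_PORT = 53
QTYPE_SOA = 6        # every authoritative server for a zone must hold its apex SOA
QCLASS_IN = 1
FLAG_QR = 0x8000     # message is a response
FLAG_AA = 0x0400     # answer comes from the server's own authoritative data
RCODE_NOERROR = 0
RCODE_REFUSED = 5


def build_query(qname, qtype=QTYPE_SOA, txn_id=None):
    """Encode a minimal DNS query. RD is deliberately left clear: we want the
    server's own data for the zone, not something it would recurse to find."""
    if txn_id is None:
        txn_id = random.randrange(0x10000)
    header = struct.pack("!HHHHHH", txn_id, 0, 1, 0, 0, 0)
    labels = qname.strip(".").split(".")
    qname_wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname_wire + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields the check needs."""
    txn_id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txn_id, "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
            "rcode": flags & 0x000F, "ancount": an}


def classify_reply(reply, expected_id):
    """A delegated server answering NOERROR, AA set, with an answer is doing its job.
    REFUSED, SERVFAIL, a non-authoritative answer or silence all mean the parent
    points at a server that does not serve the zone: a lame delegation."""
    if reply is None or len(reply) < 12:
        return "no-response"
    h = parse_header(reply)
    if h["id"] != expected_id or not h["qr"]:
        return "no-response"          # not a reply to the question we asked
    if h["rcode"] == RCODE_NOERROR and h["aa"] and h["ancount"] > 0:
        return "authoritative"
    return "lame"


def udp_send(server_ip, packet, timeout=3.0):
    """Send one UDP query and return the raw reply, or None on timeout/error."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(packet, (server_ip, DNS_PORT))
            reply, _ = sock.recvfrom(4096)
            return reply
        except OSError:               # socket.timeout is a subclass of OSError
            return None


def check_delegation(zone, nameservers, send=udp_send):
    """nameservers: {NS hostname from the parent's delegation: IP address}.
    Returns {NS hostname: 'authoritative' | 'lame' | 'no-response'}."""
    results = {}
    for ns_name, ns_ip in nameservers.items():
        packet = build_query(zone)
        txn_id = parse_header(packet)["id"]
        results[ns_name] = classify_reply(send(ns_ip, packet), txn_id)
    return results


def make_reply(query, aa, rcode, ancount=1):
    """Constructed reply for offline use: echoes the question section and sets
    the header bits. No answer records are attached; classification is header-only."""
    h = parse_header(query)
    flags = FLAG_QR | (FLAG_AA if aa else 0) | rcode
    return struct.pack("!HHHHHH", h["id"], flags, 1, ancount, 0, 0) + query[12:]


if __name__ == "__main__":
    # Constructed scenario: the first delegated server is healthy, the second
    # no longer hosts the zone and answers REFUSED, exactly the lame case.
    def fake_send(ip, packet):
        if ip == "192.0.2.1":
            return make_reply(packet, aa=True, rcode=RCODE_NOERROR)
        return make_reply(packet, aa=False, rcode=RCODE_REFUSED, ancount=0)

    delegation = {"ns1.example.net": "192.0.2.1", "ns2.example.org": "192.0.2.2"}
    for ns, verdict in check_delegation("example.com", delegation, send=fake_send).items():
        print(f"{ns}: {verdict}")
```

Against live servers, drop the `send=` argument so `udp_send` is used; any entry reported as `lame` or `no-response` is a nameserver the parent still delegates to that does not actually serve the zone, which is the condition that should be corrected at the registrar or DNS provider before anyone else can claim it.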

Use Reliable DNS Providers

Choose DNS providers that have protections against Sitting Ducks attacks. These providers can help prevent unauthorized claims of domain ownership.

Monitor Domain Expirations

Keep track of the expiration dates of your domains and authoritative DNS services. Renew them promptly to avoid lapses that could be exploited by attackers.

Implement Security Measures

  1. DNSSEC: Deploy DNS Security Extensions (DNSSEC) to add an additional layer of security to your domain’s DNS information.

  2. Regular Audits: Conduct regular security audits to identify and fix vulnerabilities in your DNS configurations.

  3. Alert Systems: Set up alert systems to notify you of any unusual activity or configuration changes related to your domains.

Educate Your Team

Ensure that your IT and security teams are aware of the Sitting Ducks attack vector and the importance of maintaining secure DNS configurations. Regular training can help prevent configuration errors that could lead to vulnerabilities.

Conclusion

The Sitting Ducks attack presents a significant threat to domain owners and users alike. By understanding the mechanics of this attack and taking proactive steps to secure your domains, you can protect your online presence from malicious actors. Regular audits, choosing reliable DNS providers, and staying informed about potential vulnerabilities are crucial in mitigating the risks associated with this sophisticated attack vector.