Massive ‘Sitting Ducks’ Scheme Exploits 70,000 Hijacked Domains for Cybercrime

Researchers have uncovered a large-scale cyberattack technique known as Sitting Ducks, which has been used by multiple threat actors to hijack legitimate domains for phishing schemes and fraudulent activities over several years.

Recent investigations revealed that nearly 70,000 of the roughly 800,000 domains identified as vulnerable in the past three months have actually been hijacked. The attack method, first documented in 2016 but gaining attention only recently, exploits a domain name system (DNS) misconfiguration known as a lame delegation: the domain's nameserver (NS) records point at servers that no longer hold an active zone for it.

In such cases, a domain's registrar or parent zone delegates authoritative DNS to an external provider's nameservers, but no zone for the domain exists (or remains active) at that provider. If the provider lets any account create a zone for an unclaimed name without verifying ownership, an attacker can simply create that zone and serve whatever records they like. The delegation at the registrar is never touched and the legitimate owner's accounts are never accessed, so nothing in the owner's own systems changes.
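The check a domain owner wants against this mechanism is a lame-delegation audit: fetch the NS set the parent zone hands out, ask each delegated server directly for the domain's SOA, and flag any server that does not answer authoritatively. The following is an added example, not code from the researchers or from any product the page describes. DNS I/O sits behind a query callback so the logic runs offline against a constructed fixture; the parent server name, the provider names and the list of providers assumed to allow zone creation without ownership verification are all hypothetical.

```python
"""Lame-delegation audit for the Sitting Ducks pattern (added example).

For each domain the check is:
  1. ask the parent zone which nameservers the domain is delegated to;
  2. query each of those servers directly for the domain's SOA;
  3. treat any server that is delegated to but does not answer
     authoritatively (REFUSED, SERVFAIL, NXDOMAIN, or aa=0) as lame.
A lame server at a provider that lets anyone create a zone for an
unclaimed name is what makes the domain claimable.

DNS I/O sits behind a query callback so this runs offline against a
constructed fixture; in production plug in a real resolver (e.g. dnspython).
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Answer:
    rcode: str                      # NOERROR, REFUSED, SERVFAIL, NXDOMAIN
    aa: bool = False                # authoritative-answer flag from the header
    records: Tuple[str, ...] = ()   # rdata strings, if any


# (server, qname, qtype) -> Answer; a real implementation sends the query to `server`
QueryFn = Callable[[str, str, str], Answer]


@dataclass
class DelegationReport:
    domain: str
    delegated_ns: List[str]
    lame_ns: Dict[str, str] = field(default_factory=dict)  # nameserver -> reason
    claimable: bool = False  # some lame server belongs to an open-zone provider


def delegated_nameservers(domain: str, parent_server: str, query: QueryFn) -> List[str]:
    """The NS set the parent hands out; this is the delegation an attacker inherits."""
    ans = query(parent_server, domain, "NS")
    return sorted(ans.records) if ans.rcode == "NOERROR" else []


def lame_reason(domain: str, ns: str, query: QueryFn) -> Optional[str]:
    """None if `ns` answers authoritatively for `domain`, otherwise why it is lame."""
    ans = query(ns, domain, "SOA")
    if ans.rcode != "NOERROR":
        return f"{ans.rcode}: server has no active zone for this name"
    if not ans.aa:
        return "answer not authoritative (server is not serving the zone)"
    if not ans.records:
        return "NOERROR with empty SOA"
    return None


def provider_of(ns: str) -> str:
    """Heuristic: treat the last two labels of the nameserver name as the provider."""
    return ".".join(ns.rstrip(".").split(".")[-2:])


def audit_delegation(domain: str, parent_server: str, query: QueryFn,
                     open_zone_providers: frozenset) -> DelegationReport:
    report = DelegationReport(domain, delegated_nameservers(domain, parent_server, query))
    for ns in report.delegated_ns:
        reason = lame_reason(domain, ns, query)
        if reason is not None:
            report.lame_ns[ns] = reason
            if provider_of(ns) in open_zone_providers:
                report.claimable = True
    return report


# ---- constructed fixture (hypothetical names, not real DNS data) -------------
PARENT = "a.tld-servers.example."
# Providers assumed, for this example only, to let anyone create a zone for an unclaimed name.
OPEN_ZONE_PROVIDERS = frozenset({"freezone-dns.example"})

_SOA = "ns1.managed-dns.example. hostmaster.example. 2024111801 3600 900 1209600 300"
_FIXTURE: Dict[Tuple[str, str, str], Answer] = {
    # Sitting duck: delegated to a free provider where the zone no longer exists.
    (PARENT, "victim-law.example", "NS"): Answer("NOERROR", False,
        ("ns1.freezone-dns.example.", "ns2.freezone-dns.example.")),
    ("ns1.freezone-dns.example.", "victim-law.example", "SOA"): Answer("REFUSED"),
    ("ns2.freezone-dns.example.", "victim-law.example", "SOA"): Answer("REFUSED"),
    # Healthy: both delegated servers answer authoritatively.
    (PARENT, "healthy-shop.example", "NS"): Answer("NOERROR", False,
        ("ns1.managed-dns.example.", "ns2.managed-dns.example.")),
    ("ns1.managed-dns.example.", "healthy-shop.example", "SOA"): Answer("NOERROR", True, (_SOA,)),
    ("ns2.managed-dns.example.", "healthy-shop.example", "SOA"): Answer("NOERROR", True, (_SOA,)),
    # Lame but not claimable: one stale server at a provider that verifies ownership.
    (PARENT, "stale-ngo.example", "NS"): Answer("NOERROR", False,
        ("ns1.managed-dns.example.", "old.legacy-dns.example.")),
    ("ns1.managed-dns.example.", "stale-ngo.example", "SOA"): Answer("NOERROR", True, (_SOA,)),
    ("old.legacy-dns.example.", "stale-ngo.example", "SOA"): Answer("SERVFAIL"),
}


def fixture_query(server: str, qname: str, qtype: str) -> Answer:
    """Offline stand-in for a DNS query; unknown tuples behave like a dead server."""
    return _FIXTURE.get((server, qname, qtype), Answer("SERVFAIL"))


if __name__ == "__main__":
    for d in ("victim-law.example", "healthy-shop.example", "stale-ngo.example"):
        r = audit_delegation(d, PARENT, fixture_query, OPEN_ZONE_PROVIDERS)
        print(f"{d}: lame={sorted(r.lame_ns)} claimable={r.claimable}")
```

The important design point is querying the delegated servers directly rather than through a recursive resolver: a recursive lookup hides which server answered and caches around a lame one, whereas sending the SOA query to each NS by name exposes exactly the REFUSED or SERVFAIL response that makes a domain a sitting duck. The `provider_of` heuristic and the open-zone provider list are deliberately simple; in practice you maintain that list from your own testing of which providers let an unrelated account create a zone for a name they do not own.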

The attack's simplicity and stealth make it particularly dangerous. Hijacked domains are often linked to reputable brands, non-profits, or government entities and carry a long, clean history, so reputation-based controls are less likely to flag traffic to them. Victim organizations include law firms, online retailers, and service providers across various sectors.

A key feature of the Sitting Ducks technique is rotational hijacking, where a single domain is repeatedly compromised by different actors over time.

Attackers often create the missing zone at a free DNS service and use the domain for 30 to 60 days before that access lapses (for example when the free account or zone expires), at which point the delegation is lame again and another actor can claim it. This cycle of abuse is further compounded by the difficulty of detection: each hijack leaves the registrar-side configuration unchanged.

The malicious use of hijacked domains varies widely. Some actors deploy them for phishing campaigns and credential theft, while others use them as command-and-control (C2) servers for malware operations.

Certain groups exploit them for fraudulent activities, such as fake pharmaceutical sales, gambling schemes, or spam campaigns. Even more concerning is the hijacking of high-reputation domains for extended periods, creating opportunities for attackers to execute long-term fraud, data theft, and malware distribution without raising alarms.

The scale and persistence of these attacks demonstrate a significant threat to businesses, governments, and individuals alike. Hijacked domains are often overlooked by traditional security measures because their registration, age and history are genuine, so domain-age checks, allowlists and reputation feeds treat them as legitimate, making them an attractive tool for cybercriminals.

To mitigate the risks, organizations must prioritize DNS security by regularly auditing every domain they own for lame delegations (NS records pointing at a provider where no active zone exists), removing stale delegations when a provider is decommissioned, choosing providers that verify ownership before a zone can be created, and monitoring NS and SOA records to detect unauthorized changes. Raising awareness about these risks within organizations and among DNS service providers is equally critical to curbing this growing threat.
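Monitoring for unauthorized changes means comparing successive audit runs rather than looking at a single one. The events that matter for this attack are a delegated server that was lame last time and now answers authoritatively (someone created the zone, and it may not have been you), an NS set that changed without an approved change, a server that newly went lame (the domain may now be claimable), and an SOA serial that moved on a zone nobody edited. The following is an added example of that comparison logic, not code from the researchers or any product on the page; the snapshots are constructed and the domain and nameserver names are hypothetical.

```python
"""Delegation change monitor for Sitting Ducks signals (added example).

Each audit run records, per domain, the NS set the parent delegates to,
which of those servers were lame, and the SOA serial the authoritative
servers returned. Diffing consecutive runs turns those into alerts.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Snapshot:
    nameservers: FrozenSet[str]   # delegation as seen at the parent zone
    lame: FrozenSet[str]          # delegated servers that did not answer authoritatively
    soa_serial: Optional[int]     # None when no server answered authoritatively


@dataclass(frozen=True)
class Alert:
    domain: str
    severity: str   # "critical" | "high" | "medium"
    kind: str       # ZONE_CLAIMED | NS_CHANGED | NEW_LAME | SERIAL_CHANGED | NO_DATA
    detail: str


def compare(domain: str, before: Snapshot, after: Snapshot,
            approved_changes: FrozenSet[str] = frozenset()) -> List[Alert]:
    """Alerts for one domain between two runs. `approved_changes` lists domains
    with an open change ticket, for which NS, zone and serial changes are expected."""
    alerts: List[Alert] = []
    approved = domain in approved_changes

    # Was lame last run, still delegated to, and now serves the zone: the zone
    # was created at the provider. If nobody on your side did it, it was claimed.
    claimed = (before.lame - after.lame) & after.nameservers
    if claimed and not approved:
        alerts.append(Alert(domain, "critical", "ZONE_CLAIMED",
                            f"zone now served by {sorted(claimed)}; verify who created it"))

    if before.nameservers != after.nameservers and not approved:
        alerts.append(Alert(domain, "high", "NS_CHANGED",
                            f"added={sorted(after.nameservers - before.nameservers)} "
                            f"removed={sorted(before.nameservers - after.nameservers)}"))

    new_lame = after.lame - before.lame
    if new_lame:
        alerts.append(Alert(domain, "high", "NEW_LAME",
                            f"{sorted(new_lame)} stopped answering: domain may now be claimable"))

    if (before.soa_serial is not None and after.soa_serial is not None
            and before.soa_serial != after.soa_serial and not approved):
        alerts.append(Alert(domain, "medium", "SERIAL_CHANGED",
                            f"SOA serial {before.soa_serial} -> {after.soa_serial}"))
    return alerts


def monitor(previous: Dict[str, Snapshot], current: Dict[str, Snapshot],
            approved_changes: FrozenSet[str] = frozenset()) -> Dict[str, List[Alert]]:
    """compare() over every domain in the previous run; a domain missing from the
    current run is reported too, so a silent audit failure is not mistaken for 'no change'."""
    out: Dict[str, List[Alert]] = {}
    for domain, before in previous.items():
        after = current.get(domain)
        if after is None:
            out[domain] = [Alert(domain, "medium", "NO_DATA", "no snapshot in current run")]
            continue
        alerts = compare(domain, before, after, approved_changes)
        if alerts:
            out[domain] = alerts
    return out


# ---- constructed snapshots (hypothetical names, not real observations) --------
_FREE = frozenset({"ns1.freezone-dns.example.", "ns2.freezone-dns.example."})
_MANAGED = frozenset({"ns1.managed-dns.example.", "ns2.managed-dns.example."})

RUN_PREVIOUS = {
    "victim-law.example": Snapshot(_FREE, _FREE, None),           # fully lame: claimable
    "healthy-shop.example": Snapshot(_MANAGED, frozenset(), 2024110101),
    "retired-app.example": Snapshot(_MANAGED, frozenset(), 2024090501),
}
RUN_TODAY = {
    "victim-law.example": Snapshot(_FREE, frozenset(), 2024111501),  # zone now exists: who made it?
    "healthy-shop.example": Snapshot(_MANAGED, frozenset(), 2024110101),
    "retired-app.example": Snapshot(_MANAGED, frozenset({"ns2.managed-dns.example."}), 2024090501),
}

if __name__ == "__main__":
    for domain, alerts in monitor(RUN_PREVIOUS, RUN_TODAY).items():
        for a in alerts:
            print(f"[{a.severity}] {domain} {a.kind}: {a.detail}")
```

The ZONE_CLAIMED case is the one worth paging on: from the owner's side the registrar shows nothing changed, and the only observable is that servers which used to refuse queries for the name suddenly answer. Feeding this monitor from the same audit that produces the lame-delegation report keeps both views consistent, and the approved-changes set is what stops your own migrations from looking like hijacks.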