Infoblox Researchers Expose Massive Push Notification Scam via DNS Misconfiguration
Security researchers at Infoblox uncovered a large-scale malicious push notification operation by exploiting a DNS misconfiguration flaw known as "lame nameserver delegation." Over a two-week period, they intercepted over 57 million logs from abandoned domains, revealing a global scam network targeting victims with deceptive ads, brand impersonation, and fraudulent content.
The attack leveraged the "Sitting Ducks" vulnerability, in which a domain is delegated to nameservers at an external DNS provider that holds no zone for it, leaving the delegation "lame." By claiming the zones for these abandoned domains at that DNS provider, the researchers passively received unencrypted traffic, including device details, user metrics, and ad data, within an hour of takeover. They expanded their monitoring to 120 misconfigured domains, capturing 30 MB of logs per second.
The operation delivered 140+ daily notifications to victims in 60+ languages, with some users subscribed for over a year. Scams included fake alerts impersonating Bradesco, Sparkasse, MasterCard, Touch ‘n Go, and GCash, alongside gambling schemes and adult content. 50% of traffic targeted South Asia, particularly Bangladesh, India, Indonesia, and Pakistan.
Despite its scale, the campaign was financially inefficient, with a click-through rate of just 1 in 60,000 generating only $350 daily from 52 million ads. The research underscores the risks of poor DNS hygiene, as abandoned domains with lame delegations can be repeatedly hijacked for malicious use, as seen in past attacks by groups like Vacant Viper. Organizations are urged to audit their DNS configurations to prevent such exploits.
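A defender-side audit of the lame-delegation condition described above, written as an added example (not Infoblox's tooling or the article's code): it asks each nameserver a zone is delegated to whether it answers authoritatively for that zone and flags a zone nobody serves. The `query` callable, the provider hostnames and the sample answers are constructed assumptions; a live version would back `query` with a real DNS client sending SOA queries to each nameserver.

```python
"""Lame-delegation audit for zones you own (added example, not Infoblox's or the
article's code). A delegation is lame when a listed nameserver does not answer
authoritatively for the zone; when none does, the zone is a "sitting duck" that
whoever can create it at the provider would control. `query` is injectable so
this runs offline on constructed answers; live, back it with a real DNS client."""
from typing import Callable, Dict, List, NamedTuple, Optional

class NsAnswer(NamedTuple):
    rcode: str              # reply code, e.g. "NOERROR", "REFUSED", "SERVFAIL"
    authoritative: bool     # AA flag set in the reply
    reachable: bool = True  # False when the server timed out

QueryFn = Callable[[str, str], Optional[NsAnswer]]  # (ns_host, zone) -> answer; None = ns_host unresolvable

def classify_ns(ns: str, zone: str, query: QueryFn) -> str:
    """Classify one delegated nameserver for one zone."""
    ans = query(ns, zone)
    if ans is None:
        return "unresolvable"   # dangling NS hostname
    if not ans.reachable:
        return "unreachable"
    if ans.rcode == "NOERROR" and ans.authoritative:
        return "ok"
    if ans.rcode in ("REFUSED", "NOERROR"):
        return "lame"           # server is up but holds no zone for this name
    return "error"              # SERVFAIL etc.: investigate, not a takeover sign

def audit_zone(zone: str, delegated_ns: List[str], query: QueryFn) -> Dict[str, str]:
    """Check every nameserver the parent delegates the zone to."""
    return {ns: classify_ns(ns, zone, query) for ns in delegated_ns}

def zone_status(report: Dict[str, str]) -> str:
    """Summarise a per-NS report as ok / partially_lame / sitting_duck."""
    if all(v == "ok" for v in report.values()):
        return "ok"
    return "partially_lame" if any(v == "ok" for v in report.values()) else "sitting_duck"

# Constructed sample answers standing in for live DNS replies (hostnames are made up).
NS = ["ns1.provider.example", "ns2.provider.example"]
SAMPLE = {
    (NS[0], "healthy.example"): NsAnswer("NOERROR", True),
    (NS[1], "healthy.example"): NsAnswer("NOERROR", True),
    (NS[0], "abandoned.example"): NsAnswer("REFUSED", False),   # provider has no zone
    (NS[1], "abandoned.example"): NsAnswer("NOERROR", False),   # non-AA answer: lame
    (NS[0], "partial.example"): NsAnswer("NOERROR", True),
    (NS[1], "partial.example"): NsAnswer("SERVFAIL", False, reachable=False),
}

def sample_query(ns: str, zone: str) -> Optional[NsAnswer]:
    return SAMPLE.get((ns, zone))
```

A zone reported as `sitting_duck` should be re-created at the provider or its delegation removed at the registrar; `partially_lame` zones still resolve but should be fixed before the remaining working nameserver is retired.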
Source: https://gbhackers.com/hacker-domain/
Infotouch Technologies cybersecurity rating report: https://www.rankiteo.com/company/infotouch-technologies
{
  "id": "INF1768808912",
  "linkid": "infotouch-technologies",
  "type": "Cyber Attack",
  "date": "1/2026",
  "severity": "60",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}
{
  "affected_entities": [
    {"industry": "Banking", "name": "Bradesco", "type": "Financial Institution"},
    {"industry": "Banking", "name": "Sparkasse", "type": "Financial Institution"},
    {"industry": "Payments", "name": "MasterCard", "type": "Financial Services"},
    {"industry": "Payments", "name": "Touch ‘n Go", "type": "Financial Services"},
    {"industry": "Payments", "name": "GCash", "type": "Financial Services"}
  ],
  "attack_vector": "DNS Misconfiguration (Lame Nameserver Delegation / Sitting Ducks Vulnerability)",
  "data_breach": {
    "data_encryption": "Unencrypted traffic intercepted",
    "number_of_records_exposed": "57 million logs intercepted",
    "sensitivity_of_data": "Low to moderate (non-PII, but includes user metrics)",
    "type_of_data_compromised": "Device details, user metrics, ad data"
  },
  "description": "Security researchers at Infoblox uncovered a large-scale malicious push notification operation by exploiting a DNS misconfiguration flaw known as 'lame nameserver delegation.' Over a two-week period, they intercepted over 57 million logs from abandoned domains, revealing a global scam network targeting victims with deceptive ads, brand impersonation, and fraudulent content.",
  "impact": {
    "brand_reputation_impact": "Brand impersonation (Bradesco, Sparkasse, MasterCard, Touch ‘n Go, GCash)",
    "conversion_rate_impact": "1 in 60,000 click-through rate",
    "data_compromised": "Device details, user metrics, ad data",
    "financial_loss": "$350 daily (estimated)",
    "systems_affected": "Abandoned domains with misconfigured DNS"
  },
  "initial_access_broker": {
    "entry_point": "Abandoned domains with misconfigured DNS",
    "reconnaissance_period": "Two-week monitoring period"
  },
  "investigation_status": "Ongoing (research phase)",
  "lessons_learned": "Risks of poor DNS hygiene and abandoned domains with lame delegations can be repeatedly hijacked for malicious use.",
  "motivation": "Financial Gain",
  "post_incident_analysis": {
    "corrective_actions": "DNS configuration audits, monitoring of abandoned domains",
    "root_causes": "DNS misconfiguration (lame nameserver delegation / Sitting Ducks vulnerability)"
  },
  "recommendations": "Organizations are urged to audit their DNS configurations to prevent such exploits.",
  "references": [{"source": "Infoblox Research"}],
  "response": {
    "containment_measures": "Domain takeover monitoring",
    "enhanced_monitoring": "Expanded monitoring to 120 misconfigured domains",
    "remediation_measures": "DNS configuration audits recommended",
    "third_party_assistance": "Infoblox Researchers"
  },
  "title": "Infoblox Researchers Expose Massive Push Notification Scam via DNS Misconfiguration",
  "type": "Scam / Fraudulent Push Notifications",
  "vulnerability_exploited": "Sitting Ducks (DNS misconfiguration)"
}