Cybercriminals’ Push-Notification Scam Exposed by DNS Misconfiguration
A recent investigation by Infoblox uncovered a large-scale push-notification scam targeting Android users, revealing how a simple DNS error exposed the criminal infrastructure behind it. The campaign bombarded victims with fake security alerts, gambling ads, and adult-content lures, generating revenue through clicks while evading detection behind random domains and hidden hosting.
The operation unraveled when a misconfigured name server left one of the attacker’s domains in a "lame delegation" state: it no longer resolved to a valid backend, yet it still received traffic from infected devices. Infoblox researchers took advantage of this oversight by legitimately registering the abandoned domain and redirecting that traffic to their own servers, without altering victim devices or the attacker’s infrastructure.
Over several days, the team intercepted tens of millions of records from thousands of infected browsers worldwide. The data revealed aggressive tactics, including brand impersonation and scare-based messaging, with some users receiving over 100 notifications daily for months.
The infection process began when users visited compromised or malicious sites and were tricked into enabling browser notifications amid deceptive pop-ups, cookie banners, and CAPTCHAs. Once the permission was granted, a hidden service worker registered in the browser maintained persistent access, fetching updated scripts and ad templates from the attacker’s servers even after the original tab was closed.
The incident highlights how cybercriminals exploit web standards and poor DNS hygiene to sustain long-term access, while defenders can leverage misconfigurations to monitor and disrupt such operations.
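As an added illustration (not Infoblox's tooling and not code from the original report): a small offline audit of a zone's delegation that flags the two conditions the story turns on, a delegated nameserver that does not answer authoritatively for the zone and a nameserver whose own domain is no longer registered. Every zone name, nameserver name, response and "registered domains" set below is constructed sample data; in practice the responses would come from live queries and the registration check from an RDAP/WHOIS lookup.

```python
from dataclasses import dataclass, field


@dataclass
class NsResponse:
    """What one delegated nameserver answered when asked for the zone's apex NS."""
    rcode: str                                  # NOERROR, REFUSED, SERVFAIL, NXDOMAIN, TIMEOUT
    aa: bool = False                            # authoritative-answer flag in the reply
    zone_ns: set = field(default_factory=set)   # NS RRset the nameserver returned


def registrable_domain(host):
    """Approximate the registrable domain of a hostname as its last two labels."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def audit_delegation(parent_ns, responses, registered_domains):
    """Flag delegation problems for one zone; returns [(nameserver, finding), ...].

    parent_ns          - NS hostnames the parent zone delegates the zone to
    responses          - {nameserver: NsResponse}; a missing entry means no reply at all
    registered_domains - registrable domains known to exist (constructed here; a real
                         audit would consult registration data instead)
    """
    findings = []
    for ns in parent_ns:
        if registrable_domain(ns) not in registered_domains:
            # The nameserver's own domain is gone: whoever registers it can answer for the zone.
            findings.append((ns, f"dangling: domain {registrable_domain(ns)} is unregistered"))
            continue
        reply = responses.get(ns)
        if reply is None or reply.rcode == "TIMEOUT":
            findings.append((ns, "unreachable: no reply for the zone"))
        elif reply.rcode != "NOERROR" or not reply.aa:
            findings.append((ns, f"lame: non-authoritative reply ({reply.rcode}, aa={reply.aa})"))
        elif reply.zone_ns != set(parent_ns):
            findings.append((ns, "mismatch: child NS set differs from parent delegation"))
    return findings


# Constructed sample data: one healthy server, one that refuses, one on an expired domain.
SAMPLE_ZONE = "example-scam.test"
SAMPLE_PARENT_NS = ["ns1.good-dns.test.", "ns2.good-dns.test.", "ns1.expired-dns.test."]
SAMPLE_RESPONSES = {
    "ns1.good-dns.test.": NsResponse("NOERROR", aa=True, zone_ns=set(SAMPLE_PARENT_NS)),
    "ns2.good-dns.test.": NsResponse("REFUSED"),
}
SAMPLE_REGISTERED = {"good-dns.test"}

if __name__ == "__main__":
    for ns, finding in audit_delegation(SAMPLE_PARENT_NS, SAMPLE_RESPONSES, SAMPLE_REGISTERED):
        print(f"{SAMPLE_ZONE}: {ns} -> {finding}")
```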
Source: https://cybersecuritynews.com/researchers-gained-access-to-hacker-domain-server/
Infoblox cybersecurity rating report: https://www.rankiteo.com/company/infoblox
{
  "id": "INF1768815998",
  "linkid": "infoblox",
  "type": "Cyber Attack",
  "date": "1/2026",
  "severity": "25",
  "impact": "1",
  "explanation": "Attack without any consequences"
}
{
  "affected_entities": [
    {
      "customers_affected": "Thousands of infected browsers",
      "location": "Worldwide",
      "name": "Android users",
      "type": "End users"
    }
  ],
  "attack_vector": "Compromised or malicious websites, deceptive pop-ups, cookie banners, CAPTCHAs",
  "data_breach": {
    "number_of_records_exposed": "Tens of millions",
    "sensitivity_of_data": "Low to medium (no PII or payment data explicitly mentioned)",
    "type_of_data_compromised": "Browser notification data, user interaction records"
  },
  "description": "A recent investigation by Infoblox uncovered a large-scale push-notification scam targeting Android users, revealing how a simple DNS error exposed the criminal infrastructure behind it. The campaign bombarded victims with fake security alerts, gambling ads, and adult-content lures, generating revenue through clicks while evading detection behind random domains and hidden hosting. The operation unraveled when a misconfigured name server left one of the attacker’s domains in a 'lame delegation' state, allowing Infoblox researchers to intercept traffic by registering the abandoned domain. Over several days, tens of millions of records from thousands of infected browsers worldwide were intercepted, revealing aggressive tactics including brand impersonation and scare-based messaging.",
  "impact": {
    "data_compromised": "Browser notification data, user interaction records",
    "operational_impact": "Persistent unauthorized access to user browsers",
    "systems_affected": "Infected Android browsers (via service workers)"
  },
  "initial_access_broker": {
    "backdoors_established": "Hidden service worker in browsers",
    "entry_point": "Compromised or malicious websites"
  },
  "investigation_status": "Ongoing (research phase)",
  "lessons_learned": "Cybercriminals exploit web standards and poor DNS hygiene to sustain long-term access. Defenders can leverage misconfigurations to monitor and disrupt such operations.",
  "motivation": "Financial gain through ad clicks",
  "post_incident_analysis": {
    "root_causes": "DNS misconfiguration, exploitation of browser notification permissions"
  },
  "references": [
    {
      "source": "Infoblox"
    }
  ],
  "response": {
    "containment_measures": "Redirecting traffic by registering abandoned domain",
    "enhanced_monitoring": "Intercepting and analyzing traffic from infected devices",
    "third_party_assistance": "Infoblox"
  },
  "threat_actor": "Cybercriminals",
  "title": "Cybercriminals’ Push-Notification Scam Exposed by DNS Misconfiguration",
  "type": "Push-Notification Scam",
  "vulnerability_exploited": "DNS misconfiguration (lame delegation), browser notification permissions"
}