MasterCard and Bradesco: Researchers Hijack Hacker Domain Using Name Server Delegation

Infoblox Researchers Hijack Malicious Push Notification Network via DNS Misconfiguration

Security researchers at Infoblox disrupted a large-scale malicious push notification operation by exploiting a DNS misconfiguration known as "lame nameserver delegation," a technique dubbed "Sitting Ducks." Without directly compromising any systems, the team intercepted over 57 million logs in just two weeks, exposing a global scam network that targeted victims across 60+ languages with deceptive ads, brand impersonation, and fraudulent content.

The operation leveraged abandoned domains whose delegations pointed to external nameservers that held no zone for them, allowing the researchers to claim the domains at those providers without registering them. Within hours, their servers were flooded with unencrypted traffic from victim devices, revealing detailed user metrics, device data, and ad delivery logs. The threat actor’s infrastructure sent duplicate notifications to victims, some of whom received 140+ alerts daily, with subscriptions lasting over a year.

Key Findings:

  • Scale & Impact: The network delivered 52 million ads, yielding only 630 clicks (a 0.0012% click-through rate) and an estimated $350 daily revenue from monitored domains.
  • Targets: 50% of traffic focused on South Asia, particularly Bangladesh, India, Indonesia, and Pakistan.
  • Impersonation: Ads mimicked financial institutions like Bradesco, Sparkasse, MasterCard, Touch ‘n Go, and GCash, alongside fake security alerts and adult content.
  • Technique: The "Sitting Ducks" flaw, previously used by groups such as Vacant Viper, enabled domain hijacking feeding traffic distribution systems (e.g., 404TDS), turning dormant domains into malware distribution hubs.

The research underscores the risks of unmaintained DNS configurations, where abandoned domains become repeat targets for malicious campaigns. Organizations were urged to audit nameserver delegations to prevent similar exploits.
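The audit recommended above can be scripted from the defender's side. The following is an added example, not code from Infoblox or from the article: for a domain you own, it sends a plain-UDP SOA query to each nameserver listed in the parent-zone delegation and classifies the reply. A nameserver that refuses, fails, times out, or answers without the AA (authoritative answer) flag is lame for that zone. It uses only the Python standard library; the domain and nameserver values in the `__main__` block are placeholders, and the `query` parameter is injectable so the classification logic can be exercised offline against constructed replies.

```python
# Added example (not from the Infoblox research or the article): a minimal
# lame-delegation audit. For a domain, ask each delegated nameserver for the
# zone's SOA over plain UDP and classify the reply. A nameserver that refuses,
# fails, times out or answers without the AA (authoritative) flag is "lame"
# for that zone. Standard library only; no third-party DNS library assumed.
import random
import socket
import struct

QTYPE_SOA = 6
QCLASS_IN = 1


def build_soa_query(domain: str, txn_id: int) -> bytes:
    """Encode a DNS query for <domain> IN SOA in RFC 1035 wire format."""
    # Header: id, flags (only RD set), qdcount=1, ancount=0, nscount=0, arcount=0
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in domain.strip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def classify_response(resp: bytes, txn_id: int) -> str:
    """Map a raw DNS reply to an audit verdict for the delegated nameserver."""
    if len(resp) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txn_id:
        return "mismatched-id"
    rcode = flags & 0x000F
    authoritative = bool(flags & 0x0400)  # AA bit
    if rcode == 5:
        # Typical when the provider hosts no zone for this name at all.
        return "lame (REFUSED)"
    if rcode == 2:
        return "lame (SERVFAIL)"
    if rcode != 0:
        return f"error (rcode {rcode})"
    if not authoritative:
        return "lame (non-authoritative answer)"
    if ancount == 0:
        return "lame (no SOA returned)"
    return "authoritative"


def query_nameserver(ns_ip: str, domain: str, timeout: float = 3.0) -> str:
    """Send one SOA query to ns_ip:53 and classify the result (does network I/O)."""
    txn_id = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_soa_query(domain, txn_id), (ns_ip, 53))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "lame (no response)"
    return classify_response(resp, txn_id)


def audit_delegation(domain: str, nameservers: dict, query=query_nameserver) -> dict:
    """Return {ns_hostname: verdict} plus a "_summary" entry for the delegation.

    `nameservers` maps the NS hostnames found in the parent zone to their IPs.
    `query` is injectable so the audit can run against canned replies offline.
    """
    verdicts = {ns: query(ip, domain) for ns, ip in nameservers.items()}
    lame = [ns for ns, v in verdicts.items() if v != "authoritative"]
    verdicts["_summary"] = (
        "OK: all delegated nameservers are authoritative" if not lame
        else f"LAME: {len(lame)}/{len(nameservers)} delegated nameservers not authoritative"
    )
    return verdicts


if __name__ == "__main__":
    # Placeholder values: substitute the NS set from your own parent-zone delegation.
    print(audit_delegation("example.invalid", {"ns1.placeholder.example": "192.0.2.1"}))
```

A lame verdict tells you the delegation is broken, which is the precondition the article describes; whether the zone can actually be claimed by a third party depends on the hosting provider's sign-up rules, which this check cannot determine. Run it against the NS set published in the parent zone (not the child's own NS records), since that is what resolvers follow.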

Source: https://gbhackers.com/hacker-domain/

Mastercard Cybersecurity & Fraud Prevention cybersecurity rating report: https://www.rankiteo.com/company/mastercard-cybersecurity-and-fraudprevention

Banco Bradesco cybersecurity rating report: https://www.rankiteo.com/company/bradesco

"id": "MASBRA1769236185",
"linkid": "mastercard-cybersecurity-and-fraudprevention, bradesco",
"type": "Cyber Attack",
"date": "10/2024",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'customers_affected': 'Millions (57M+ logs '
                                              'intercepted)',
                        'location': ['South Asia',
                                     'Bangladesh',
                                     'India',
                                     'Indonesia',
                                     'Pakistan'],
                        'name': 'Victims (individuals)',
                        'type': 'Individuals'},
                       {'industry': 'Banking',
                        'name': 'Bradesco',
                        'type': 'Financial Institution'},
                       {'industry': 'Banking',
                        'name': 'Sparkasse',
                        'type': 'Financial Institution'},
                       {'industry': 'Payments',
                        'name': 'MasterCard',
                        'type': 'Financial Services'},
                       {'industry': 'Payments',
                        'name': 'Touch ‘n Go',
                        'type': 'Financial Services'},
                       {'industry': 'Payments',
                        'name': 'GCash',
                        'type': 'Financial Services'}],
 'attack_vector': 'Lame nameserver delegation (Sitting Ducks)',
 'data_breach': {'data_encryption': 'Unencrypted traffic intercepted',
                 'number_of_records_exposed': '57 million+ logs',
                 'sensitivity_of_data': 'Low to medium (no PII explicitly '
                                        'mentioned)',
                 'type_of_data_compromised': 'User metrics, device data, ad '
                                             'delivery logs'},
 'description': 'Security researchers at Infoblox disrupted a large-scale '
                'malicious push notification operation by exploiting a DNS '
                "misconfiguration flaw known as 'lame nameserver delegation' "
                "(dubbed 'Sitting Ducks'). The team intercepted over 57 "
                'million logs in two weeks, exposing a global scam network '
                'targeting victims across 60+ languages with deceptive ads, '
                'brand impersonation, and fraudulent content. The operation '
                'leveraged abandoned domains misconfigured to use external '
                'nameservers lacking proper records, allowing researchers to '
                'claim them without registration. The threat actor’s '
                'infrastructure sent duplicate notifications to victims, some '
                'of whom received 140+ alerts daily, with subscriptions '
                'lasting over a year.',
 'impact': {'brand_reputation_impact': 'Brand impersonation (Bradesco, '
                                       'Sparkasse, MasterCard, Touch ‘n Go, '
                                       'GCash)',
            'conversion_rate_impact': '0.0012% click-through rate (630 clicks '
                                      'from 52 million ads)',
            'data_compromised': 'User metrics, device data, ad delivery logs '
                                '(unencrypted)',
            'financial_loss': '$350 daily revenue (estimated from monitored '
                              'domains)',
            'operational_impact': 'Disruption of malicious push notification '
                                  'network by researchers',
            'systems_affected': 'Victim devices receiving malicious push '
                                'notifications'},
 'initial_access_broker': {'entry_point': 'Abandoned domains with '
                                          'misconfigured nameservers'},
 'investigation_status': 'Disrupted by researchers',
 'lessons_learned': 'Risks of unmaintained DNS configurations and abandoned '
                    'domains becoming targets for malicious campaigns. '
                    'Organizations should audit nameserver delegations to '
                    'prevent similar exploits.',
 'motivation': 'Financial gain (ad fraud, brand impersonation)',
 'post_incident_analysis': {'corrective_actions': 'Domain hijacking by '
                                                  'researchers to disrupt '
                                                  'malicious activity',
                            'root_causes': 'DNS misconfiguration (lame '
                                           'nameserver delegation), abandoned '
                                           'domains'},
 'recommendations': 'Audit nameserver delegations, monitor for DNS '
                    'misconfigurations, and secure abandoned domains.',
 'references': [{'source': 'Infoblox Research'}],
 'response': {'containment_measures': 'Domain hijacking via DNS '
                                      'misconfiguration exploitation',
              'remediation_measures': 'Disruption of malicious push '
                                      'notification network',
              'third_party_assistance': 'Infoblox researchers'},
 'title': 'Infoblox Researchers Hijack Malicious Push Notification Network via '
          'DNS Misconfiguration',
 'type': 'DNS Misconfiguration Exploitation',
 'vulnerability_exploited': 'DNS misconfiguration (abandoned domains with '
                            'improper nameserver delegation)'}