Recent research has revealed a cybersecurity threat that puts more than one million domain names at risk of being hijacked. The attack, known as the “sitting duck” attack, exploits a weak link between a domain name's registration and the provider that is supposed to host its DNS zone. It becomes possible when a domain has been delegated to a hosting or DNS provider's name servers and the original owner later deletes the hosting account without updating the domain's name servers at the registrar. The delegation is then “lame”: the provider's name servers are still authoritative for the domain but no longer hold a zone for it, so a cybercriminal can take control of the domain simply by adding it to an account of their own at the same provider, provided the provider does not check that the person adding it actually controls it.
How the Sitting Duck Attack Works
The sitting duck attack is a deceptively simple yet effective method of domain hijacking. Here’s a step-by-step breakdown of how the attack typically unfolds:
- Domain Registration and Setup: A user registers a domain name for a project and picks a hosting provider such as DigitalOcean to host the website or service, including its DNS zone. At the registrar, the domain's name server (NS) records are set to the provider's name servers, which delegates authoritative DNS for the domain to the provider.
- Abandonment of the Project: The user abandons the project and deletes the hosting account, and with it the DNS zone. The delegation at the registrar is never updated, so the domain's NS records still point at the provider's name servers, which now have no zone for the domain. This is a lame delegation: the servers are authoritative for the name but answer with an error instead of records.
- Cybercriminal Exploitation: A cybercriminal finds the abandoned domain and notices that it still points at the provider's name servers. They create a new account with the same provider and add the domain to it. Because no active account holds a zone for the domain and the provider does not require proof of ownership, the zone is created under the attacker's account. Nothing changes at the registrar: the domain is not re-registered, the legitimate registrant still owns it, and the registration records look untouched, which is why the takeover is so hard to spot.
- Domain Hijacking: The provider's name servers now serve whatever records the attacker publishes, so the attacker can redirect traffic, host phishing sites, send email from the domain (and publish the SPF and DKIM records that make it pass checks), obtain certificates through DNS-based validation, or carry out any other abuse under the cover of the legitimate domain.
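The procedure above boils down to one observable precondition: a lame delegation. As an added example that is not part of the original article or of the Infoblox/Eclypsium research, the following Python checks a domain's parent-side NS set against what those servers actually answer, and flags the case where every delegated server fails to serve the zone and belongs to a provider known to let new accounts claim names without verification. The domains, provider hostnames, answers and the "claimable provider" list are constructed for the walk-through; in practice the `query` callable would be replaced by real SOA queries sent to each name server.

```python
"""Lame-delegation check for candidate "sitting duck" domains.

Added example, not code from the article or the Infoblox/Eclypsium research.
Precondition for the attack: the parent zone (what the registrar publishes)
delegates a domain to a provider's name servers, but no zone for the domain
exists at the provider any more. Asked directly for that domain's SOA, such a
server answers REFUSED or SERVFAIL (or non-authoritatively) instead of an
authoritative SOA. The `query` callable is injected so the check runs offline
here against constructed replies; in real use it would wrap a DNS library and
send the SOA query to each delegated name server.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass
class NsAnswer:
    """Reply of one delegated name server to "SOA <domain>"."""
    rcode: str                   # "NOERROR", "REFUSED", "SERVFAIL", "NXDOMAIN", "TIMEOUT"
    authoritative: bool = False  # AA flag set in the reply
    has_soa: bool = False        # an SOA record for the domain was in the answer


@dataclass
class DelegationReport:
    domain: str
    delegated_ns: List[str]
    healthy_ns: List[str] = field(default_factory=list)
    lame_ns: List[str] = field(default_factory=list)

    @property
    def status(self) -> str:
        if not self.delegated_ns:
            return "NO_DELEGATION"
        if not self.healthy_ns:
            return "LAME"            # no delegated server serves the zone
        if self.lame_ns:
            return "PARTIALLY_LAME"  # some do, some do not
        return "OK"


def check_delegation(domain: str, delegated_ns: Iterable[str],
                     query: Callable[[str, str], NsAnswer]) -> DelegationReport:
    """Ask every server in the parent-side NS set for the domain's SOA.

    `delegated_ns` must come from the parent zone, because that delegation is
    what makes the provider's servers authoritative for the domain whether or
    not a zone for it exists there.
    """
    report = DelegationReport(domain, list(delegated_ns))
    for ns in report.delegated_ns:
        ans = query(ns, domain)
        if ans.rcode == "NOERROR" and ans.authoritative and ans.has_soa:
            report.healthy_ns.append(ns)
        else:
            report.lame_ns.append(ns)
    return report


def is_sitting_duck(report: DelegationReport, claimable_ns_suffixes: Iterable[str]) -> bool:
    """Lame is only exploitable if the delegated servers belong to a provider
    that lets a new account create a zone for the name without proof of
    control; that knowledge is an input (a per-provider list), not something
    a DNS query reveals."""
    if report.status != "LAME":
        return False
    suffixes = [s.lower().strip(".") for s in claimable_ns_suffixes]
    for ns in report.lame_ns:
        host = ns.lower().strip(".")
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return True
    return False


# Constructed fixture: hypothetical domains and a hypothetical provider.
PARENT_DELEGATIONS = {   # domain -> NS set as published by the parent zone
    "abandoned.example": ["ns1.dns-provider.example", "ns2.dns-provider.example"],
    "live.example":      ["ns1.dns-provider.example", "ns2.dns-provider.example"],
    "moved.example":     ["ns1.dns-provider.example", "ns1.other-dns.example"],
}
SAMPLE_ANSWERS = {       # (name server, domain) -> reply to "SOA domain"
    ("ns1.dns-provider.example", "abandoned.example"): NsAnswer("REFUSED"),
    ("ns2.dns-provider.example", "abandoned.example"): NsAnswer("REFUSED"),
    ("ns1.dns-provider.example", "live.example"): NsAnswer("NOERROR", True, True),
    ("ns2.dns-provider.example", "live.example"): NsAnswer("NOERROR", True, True),
    ("ns1.dns-provider.example", "moved.example"): NsAnswer("SERVFAIL"),
    ("ns1.other-dns.example", "moved.example"): NsAnswer("NOERROR", True, True),
}


def sample_query(ns: str, domain: str) -> NsAnswer:
    """Offline stand-in for a real SOA query; unknown pairs count as a timeout."""
    return SAMPLE_ANSWERS.get((ns, domain), NsAnswer("TIMEOUT"))


def scan(delegations=PARENT_DELEGATIONS, query=sample_query,
         claimable=("dns-provider.example",)) -> Dict[str, Tuple[str, bool]]:
    """Return {domain: (delegation status, exploitable as a sitting duck)}."""
    out = {}
    for domain, ns_set in delegations.items():
        rep = check_delegation(domain, ns_set, query)
        out[domain] = (rep.status, is_sitting_duck(rep, claimable))
    return out
```

Status alone is not enough: a lame delegation at a provider that verifies ownership is merely broken DNS, while the same condition at a provider that does not is the sitting duck the article describes, which is why the checker takes the provider list as a separate input. In real use, query each delegated server directly rather than through a recursive resolver (a resolver collapses REFUSED from the authoritative servers into a cached SERVFAIL and hides which server failed), and treat timeouts as lame but unconfirmed.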
Scope and Impact of the Vulnerability
The sitting duck attack is not specific to DigitalOcean; lame delegations that can be claimed this way have been found at several popular hosting and DNS platforms. The technique was first documented in 2016 and has been used in malicious campaigns since. Notably, in 2019 a wave of domain hijackings was tied to sextortion phishing scams and fake bomb threats, where the hijacked domains lent credibility to the attackers' messages.
Despite the clear and present danger, the problem has received minimal media attention. Recent research by the security firms Infoblox and Eclypsium has brought it back into the spotlight: their findings indicate that more than 30,000 domains have been hijacked this way since 2019, and that over one million domains are currently exposed to the same fate.
Hosting Providers’ Response and Ongoing Risks
In response to growing concern about domain hijacking, some hosting providers have started exploring domain verification. Such measures may include requiring proof that the person adding a domain controls it at the registrar before a zone for it is created, or automated checks that detect domains still delegated to the provider but no longer associated with any active account, so that they can be held back from being claimed.
However, such safeguards have been slow to arrive, and there is ongoing debate among hosting providers about where the responsibility lies. Some companies argue that domain owners should update or remove their NS records at the registrar as soon as they no longer control the associated hosting account. Others contend that hosting providers have a duty to ensure that abandoned domains cannot be easily hijacked. In practice both parties can close the hole: the registrant by fixing the stale delegation, the provider by refusing unverified claims.
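To make the provider-side option concrete, here is an added example (illustrative code, not any real provider's implementation) that models the two behaviours side by side. `SharedNsProvider` does what the vulnerable providers in the article do: every zone is served from the same provider-wide name servers and any account may add any domain, so a delegation left behind by a deleted account is claimable by whoever asks first. `BoundNsProvider` issues each account its own unguessable name-server hostnames and accepts a zone only when the parent delegation (the NS set the registrar publishes, passed in here) already points at that account's hostnames, something only the party who controls the domain at the registrar can arrange. The provider name, hostnames, accounts and the `abandoned.example` domain are assumptions.

```python
"""Zone-claim checks on the DNS provider's side: vulnerable vs hardened.

Added example illustrating the kind of ownership verification the article
says some providers are exploring; it is not any real provider's code, and
the provider, hostnames, accounts and domain are assumptions.
"""
import secrets
from typing import Dict, Iterable, Tuple


class ZoneClaimError(Exception):
    pass


class SharedNsProvider:
    """Vulnerable: one NS set for everybody, no proof of control required."""
    NAME_SERVERS = ("ns1.dns-provider.example", "ns2.dns-provider.example")

    def __init__(self) -> None:
        self.zones: Dict[str, str] = {}   # domain -> owning account

    def open_account(self, account: str) -> Tuple[str, ...]:
        return self.NAME_SERVERS          # same hostnames for every customer

    def claim_zone(self, account: str, domain: str, parent_ns: Iterable[str]) -> Tuple[str, ...]:
        if domain in self.zones:
            raise ZoneClaimError("zone already hosted by another account")
        self.zones[domain] = account      # parent_ns is never consulted
        return self.NAME_SERVERS

    def delete_account(self, account: str) -> None:
        # The zone disappears; the registrar-side delegation stays: lame.
        self.zones = {d: a for d, a in self.zones.items() if a != account}


class BoundNsProvider:
    """Hardened: per-account NS hostnames, delegation must already match."""

    def __init__(self, base: str = "dns-provider.example") -> None:
        self.base = base
        self.ns_for: Dict[str, Tuple[str, ...]] = {}   # account -> issued NS set
        self.zones: Dict[str, str] = {}

    def open_account(self, account: str) -> Tuple[str, ...]:
        label = secrets.token_hex(8)      # 64 random bits: not guessable or enumerable
        self.ns_for[account] = tuple(f"ns{i}-{label}.{self.base}" for i in (1, 2))
        return self.ns_for[account]

    def claim_zone(self, account: str, domain: str, parent_ns: Iterable[str]) -> Tuple[str, ...]:
        mine = self.ns_for.get(account)
        if mine is None:
            raise ZoneClaimError("unknown account")
        if domain in self.zones:
            raise ZoneClaimError("zone already hosted by another account")
        delegated = {n.lower().rstrip(".") for n in parent_ns}   # what the registrar publishes
        if set(mine) != delegated:
            raise ZoneClaimError("parent delegation does not point at this account's name servers")
        self.zones[domain] = account
        return mine

    def delete_account(self, account: str) -> None:
        self.ns_for.pop(account, None)
        self.zones = {d: a for d, a in self.zones.items() if a != account}


DOMAIN = "abandoned.example"   # constructed domain for the walk-through


def replay_attack(provider) -> bool:
    """Owner sets up the domain, deletes the account, attacker tries to claim it.
    Returns True if the attacker ends up hosting the zone."""
    registrar: Dict[str, Tuple[str, ...]] = {}           # stand-in for the parent zone
    registrar[DOMAIN] = provider.open_account("owner")   # NS set entered at the registrar
    provider.claim_zone("owner", DOMAIN, registrar[DOMAIN])
    provider.delete_account("owner")                     # registrar entry left unchanged
    provider.open_account("attacker")
    try:
        provider.claim_zone("attacker", DOMAIN, registrar[DOMAIN])
    except ZoneClaimError:
        return False
    return provider.zones.get(DOMAIN) == "attacker"


def legitimate_recovery(provider) -> bool:
    """The rightful owner returns with a new account: they are issued new
    name servers, update the delegation at the registrar, then claim."""
    registrar: Dict[str, Tuple[str, ...]] = {DOMAIN: provider.open_account("old")}
    provider.claim_zone("old", DOMAIN, registrar[DOMAIN])
    provider.delete_account("old")
    registrar[DOMAIN] = provider.open_account("owner-again")   # registrar updated first
    provider.claim_zone("owner-again", DOMAIN, registrar[DOMAIN])
    return provider.zones.get(DOMAIN) == "owner-again"
```

Binding the claim to the registrar-side delegation works because only the registrant can change the NS records at the registrar; the label must be long and random per account, since a small shared pool can be brute-forced by opening accounts until the issued set happens to match. A provider that serves every zone from one fixed NS set cannot use this check and has to fall back on another proof of control. Neither design makes an existing lame delegation go away: the stale NS entries still sit at the registrar until the registrant removes them, which is why the automated check the article mentions, flagging domains delegated to the provider but hosted by no account, remains useful alongside it.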
Here is an updated list of DNS providers and whether their zones are vulnerable to DNS takeover.