Sitting Duck Attacks

The Sitting Duck attack revolves around taking control of an existing domain and then using it to distribute malware or as a source for phishing attacks. The redirected site could closely mimic the original owner’s business or simply be a scam taking advantage of the relatively trustworthy URL. In one documented attack the stolen URL was used to host details of an investment in a bogus Baltic oil pipeline aimed at Polish investors.

This is a more effective vector than ‘look-alike’ (typosquat) domains because the attacks originate from a genuine, established URL and will not be picked up by filters looking for fake or short-lived domain names. The trick works because networks and routers do not rely on friendly domain names but on the IP addresses behind them. A common and legitimate example of this in action is a development website that is only reachable through entries added to the hosts file on local machines, while the same URL resolves to a different, live site on the Internet. A single URL then points to different websites depending on which machine is accessing it.

In the sitting duck attack it is the public DNS record linking the domain to its web server that is changed, so that an existing domain points to another IP address, just as a genuine owner would when moving a site to a new hosting provider. The sitting duck criminal has done exactly that by pretending to be the legitimate owner. If they take care to match the content previously hosted, and the genuine owner does not regularly update that site, it would be hard for a casual user to notice the compromise. In addition, creating and using apparently genuine email addresses for an otherwise dormant domain would be a relatively simple task.

A 2024 report by Infoblox identified nearly 800,000 vulnerable registered domains; roughly nine percent, 700,000, of those vulnerable domains were subsequently hijacked. A common example was dormant domains that corporations had acquired through takeovers and mergers, which were still live but no longer maintained. Although domain names expire, many are set to auto-renew to avoid loss of control, so they could remain paid up and under the original ownership but without any supervision by that owner. The criminal has to impersonate that owner to change the nameserver or IP address records, but if the linked administrative accounts are not monitored it would be possible for an attacker to ‘recover’ access.

The site owner has ultimate responsibility for making sure that the configurations are correct. In some of the attacks investigated the owners no longer knew that they held the domains at all. Control is also in the hands of the DNS providers, as it is they who manage the IP address and nameserver records. A domain owner would need to change DNS settings in real-world cases such as moving an existing site to a new provider. There are controls on who is allowed to create or change DNS records, but some governing bodies are more robust than others. For example, the service provider Tsohost offers an optional domain locking service to protect against domain hijacking. The ability to lock or transfer domains also varies with each top-level or country-specific domain extension. Many are issued with an initial time-limited transfer ban, so they cannot be transferred within a set period of their issue. Some domain name extensions have additional constraints on their transfer. For example, ‘.uk’ domains are associated with an IPS Tag (Internet Provider Security). In this case the information is publicly available from a WHOIS lookup and would not provide a barrier to changing DNS records if the hosting account were compromised. Any such limitations are of little use in trying to stop the transfer of older and probably poorly supervised domain names.
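The conditions described above (a delegated nameserver that no longer serves the zone, no registrar lock, an auto-renewing domain that nobody logs in to) can be checked across a domain inventory. The following is an added example, not code from the original post or from the Infoblox report. It runs offline against constructed data: the nameserver replies and account fields (including the hypothetical `days_since_admin_login`) stand in for what a live audit would gather from SOA queries sent to each delegated nameserver and from registrar and hosting records.

```python
"""Offline audit of a domain inventory for the conditions that make a domain a
'sitting duck'. Added example (not code from the original post or from the
Infoblox report). All data below is constructed; a live audit would replace it
with SOA queries to each delegated nameserver and with registrar/hosting records.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class NsAnswer:
    """Constructed stand-in for one nameserver's reply to an SOA query for the zone."""
    authoritative: bool  # True if the reply carried the AA (authoritative answer) flag
    rcode: str           # DNS response code as text: NOERROR, REFUSED, SERVFAIL, ...


@dataclass
class DomainRecord:
    name: str
    delegated_ns: List[str]                     # NS hostnames the registry publishes
    ns_answers: Dict[str, Optional[NsAnswer]]   # hostname -> reply, None if unreachable
    registrar_lock: bool                        # transfer lock set at the registrar
    auto_renew: bool
    days_since_admin_login: int                 # hypothetical field from the hosting/DNS account


def lame_nameservers(rec: DomainRecord) -> List[str]:
    """Delegated nameservers that do not actually serve the zone.

    A server the registry lists for the domain, but which answers REFUSED,
    SERVFAIL, or without the AA flag, is a lame delegation: the provider has
    dropped the zone, so whoever can create that zone at the provider decides
    where the domain resolves.
    """
    lame = []
    for ns in rec.delegated_ns:
        ans = rec.ns_answers.get(ns)
        if ans is None or ans.rcode != "NOERROR" or not ans.authoritative:
            lame.append(ns)
    return lame


def assess(rec: DomainRecord) -> Tuple[str, List[str]]:
    """Return (risk level, findings) for one domain."""
    findings = []
    lame = lame_nameservers(rec)
    all_lame = bool(lame) and len(lame) == len(rec.delegated_ns)
    if all_lame:
        findings.append("all delegated nameservers are lame: zone is claimable at the provider")
    elif lame:
        findings.append("partially lame delegation: " + ", ".join(lame))
    if not rec.registrar_lock:
        findings.append("no registrar transfer lock")
    if rec.auto_renew and rec.days_since_admin_login > 365:
        findings.append("auto-renewing but unsupervised for over a year")

    if all_lame:
        level = "high"      # anyone who claims the zone at the provider controls the name
    elif findings:
        level = "medium"
    else:
        level = "low"
    return level, findings


def audit(inventory: List[DomainRecord]) -> Dict[str, Tuple[str, List[str]]]:
    """Assess every domain in the inventory, keyed by domain name."""
    return {rec.name: assess(rec) for rec in inventory}


OK = NsAnswer(authoritative=True, rcode="NOERROR")
DROPPED = NsAnswer(authoritative=False, rcode="REFUSED")

# Constructed inventory: one maintained site, one forgotten acquisition whose
# provider no longer hosts the zone, and one partly broken legacy delegation.
INVENTORY = [
    DomainRecord("example-active.test",
                 ["ns1.provider-a.test", "ns2.provider-a.test"],
                 {"ns1.provider-a.test": OK, "ns2.provider-a.test": OK},
                 registrar_lock=True, auto_renew=True, days_since_admin_login=20),
    DomainRecord("acquired-brand.test",
                 ["ns1.old-host.test", "ns2.old-host.test"],
                 {"ns1.old-host.test": DROPPED, "ns2.old-host.test": DROPPED},
                 registrar_lock=False, auto_renew=True, days_since_admin_login=900),
    DomainRecord("legacy-site.test",
                 ["ns1.provider-b.test", "ns2.provider-b.test"],
                 {"ns1.provider-b.test": OK, "ns2.provider-b.test": None},
                 registrar_lock=True, auto_renew=True, days_since_admin_login=400),
]

if __name__ == "__main__":
    for name, (level, findings) in audit(INVENTORY).items():
        print(f"{name}: {level}")
        for finding in findings:
            print(f"  - {finding}")
```

The check that matters most is the lame-delegation test: a domain can be paid up, owned and correctly delegated at the registry and still be claimable by anyone who can create the zone at a provider that has stopped hosting it. The lock and supervision checks only raise the level of a domain that is already exposed, which is why the constructed acquired-brand.test record scores high while the partly broken legacy-site.test only scores medium.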
