Don’t Let Your Domain Name Become a “Sitting Duck” (2024)

More than a million domain names — including many registered by Fortune 100 firms and brand protection companies — are vulnerable to takeover by cybercriminals thanks to authentication weaknesses at a number of large web hosting providers and domain registrars, new research finds.

Don’t Let Your Domain Name Become a “Sitting Duck” (1)

Image: Shutterstock.

Your Web browser knows how to find a site like example.com thanks to the global Domain Name System (DNS), which serves as a kind of phone book for the Internet by translating human-friendly website names (example.com) into numeric Internet addresses.

When someone registers a domain name, the registrar will typically provide two sets of DNS records that the customer then needs to assign to their domain. Those records are crucial because they allow Web browsers to find the Internet address of the hosting provider that is serving that domain.

But potential problems can arise when a domain’s DNS records are “lame,” meaning the authoritative name server does not have enough information about the domain and can’t resolve queries to find it. A domain can become lame in a variety of ways, such as when it is not assigned an Internet address, or because the name servers in the domain’s authoritative record are misconfigured or missing.

The reason lame domains are problematic is that a number of Web hosting and DNS providers allow users to claim control over a domain without accessing the true owner’s account at their DNS provider or registrar.

If this threat sounds familiar, that’s because it is hardly new. Back in 2019, KrebsOnSecurity wrote about thieves employing this method to seize control over thousands of domains registered at GoDaddy, and using those to send bomb threats and sextortion emails (GoDaddy says they fixed that weakness in their systems not long after that 2019 story).

In the 2019 campaign, the spammers created accounts on GoDaddy and were able to take over vulnerable domains simply by registering a free account at GoDaddy and being assigned the same DNS servers as the hijacked domain.

Three years before that, the same pervasive weakness was described in a blog post by security researcher Matthew Bryant, who showed how one could commandeer at least 120,000 domains via DNS weaknesses at some of the world’s largest hosting providers.

Incredibly, new research jointly released today by security experts at Infoblox and Eclypsium finds this same authentication weakness is still present at a number of large hosting and DNS providers.

“It’s easy to exploit, very hard to detect, and it’s entirely preventable,” said Dave Mitchell, principal threat researcher at Infoblox. “Free services make it easier [to exploit] at scale. And the bulk of these are at a handful of DNS providers.”

SITTING DUCKS

Infoblox’s report found there are multiple cybercriminal groups abusing these stolen domains as a globally dispersed “traffic distribution system,” which can be used to mask the true source or destination of web traffic and to funnel Web users to malicious or phishous websites.

Commandeering domains this way also can allow thieves to impersonate trusted brands and abuse their positive or at least neutral reputation when sending email from those domains, as we saw in 2019 with the GoDaddy attacks.

“Hijacked domains have been used directly in phishing attacks and scams, as well as large spam systems,” reads the Infoblox report, which refers to lame domains as “Sitting Ducks.” “There is evidence that some domains were used for Cobalt Strike and other malware command and control (C2). Other attacks have used hijacked domains in targeted phishing attacks by creating lookalike subdomains. A few actors have stockpiled hijacked domains for an unknown purpose.”

Eclypsium researchers estimate there are currently about one million Sitting Duck domains, and that at least 30,000 of them have been hijacked for malicious use since 2019.

“As of the time of writing, numerous DNS providers enable this through weak or nonexistent verification of domain ownership for a given account,” Eclypsium wrote.

The security firms said they found a number of compromised Sitting Duck domains were originally registered by brand protection companies that specialize in defensive domain registrations (reserving look-alike domains for top brands before those names can be grabbed by scammers) and combating trademark infringement.

For example, Infoblox found cybercriminal groups using a Sitting Duck domain called clickermediacorp[.]com, which was a CBS Interactive Inc. domain initially registered in 2009 at GoDaddy. However, in 2010 the DNS was updated to DNSMadeEasy.com servers, and in 2012 the domain was transferred to MarkMonitor.

Another hijacked Sitting Duck domain — anti-phishing[.]org — was registered in 2003 by the Anti-Phishing Working Group (APWG), a cybersecurity not-for-profit organization that closely tracks phishing attacks.

In many cases, the researchers discovered Sitting Duck domains that appear to have been configured to auto-renew at the registrar, but the authoritative DNS or hosting services were not renewed.

The researchers say Sitting Duck domains all possess three attributes that makes them vulnerable to takeover:

1) the domain uses or delegates authoritative DNS services to a different provider than the domain registrar;
2) the authoritative name server(s) for the domain does not have information about the Internet address the domain should point to;
3) the authoritative DNS provider is “exploitable,” i.e. an attacker can claim the domain at the provider and set up DNS records without access to the valid domain owner’s account at the domain registrar.

Don’t Let Your Domain Name Become a “Sitting Duck” (2)

Image: Infoblox.

How does one know whether a DNS provider is exploitable? There is a frequently updated list published on GitHub called “Can I take over DNS,” which has been documenting exploitability by DNS provider over the past several years. The list includes examples for each of the named DNS providers.

In the case of the aforementioned Sitting Duck domain clickermediacorp[.]com, the domain appears to have been hijacked by scammers by claiming it at the web hosting firm DNSMadeEasy, which is owned by Digicert, one of the industry’s largest issuers of digital certificates (SSL/TLS certificates).

In an interview with KrebsOnSecurity, DNSMadeEasy founder and senior vice president Steve Job said the problem isn’t really his company’s to solve, noting that DNS providers who are also not domain registrars have no real way of validating whether a given customer legitimately owns the domain being claimed.

“We do shut down abusive accounts when we find them,” Job said. “But it’s my belief that the onus needs to be on the [domain registrants] themselves. If you’re going to buy something and point it somewhere you have no control over, we can’t prevent that.”

Infoblox, Eclypsium, and the DNS wiki listing at Github all say that web hosting giant Digital Ocean is among the vulnerable hosting firms. In response to questions, Digital Ocean said it was exploring options for mitigating such activity.

“The DigitalOcean DNS service is not authoritative, and we are not a domain registrar,” Digital Ocean wrote in an emailed response. “Where a domain owner has delegated authority to our DNS infrastructure with their registrar, and they have allowed their ownership of that DNS record in our infrastructure to lapse, that becomes a ‘lame delegation’ under this hijack model. We believe the root cause, ultimately, is poor management of domain name configuration by the owner, akin to leaving your keys in your unlocked car, but we acknowledge the opportunity to adjust our non-authoritative DNS service guardrails in an effort to help minimize the impact of a lapse in hygiene at the authoritative DNS level. We’re connected with the research teams to explore additional mitigation options.”

In a statement provided to KrebsOnSecurity, the hosting provider and registrar Hostinger said they were working to implement a solution to prevent lame duck attacks in the “upcoming weeks.”

“We are working on implementing an SOA-based domain verification system,” Hostinger wrote. “Custom nameservers with a Start of Authority (SOA) record will be used to verify whether the domain truly belongs to the customer. We aim to launch this user-friendly solution by the end of August. The final step is to deprecate preview domains, a functionality sometimes used by customers with malicious intents. Preview domains will be deprecated by the end of September. Legitimate users will be able to use randomly generated temporary subdomains instead.”

What did DNS providers that have struggled with this issue in the past do to address these authentication challenges? The security firms said that to claim a domain name, the best practice providers gave the account holder random name servers that required a change at the registrar before the domains could go live. They also found the best practice providers used various mechanisms to ensure that the newly assigned name server hosts did not match previous name server assignments.

[Side note: Infoblox observed that many of the hijacked domains were being hosted at Stark Industries Solutions, a sprawling hosting provider that appeared two weeks before Russia invaded Ukraine and has become the epicenter of countless cyberattacks against enemies of Russia].

Both Infoblox and Eclypsium said that without more cooperation and less finger-pointing by all stakeholders in the global DNS, attacks on sitting duck domains will continue to rise, with domain registrants and regular Internet users caught in the middle.

“Government organizations, regulators, and standards bodies should consider long-term solutions to vulnerabilities in the DNS management attack surface,” the Infoblox report concludes.

Don’t Let Your Domain Name Become a “Sitting Duck” (2024)

FAQs

Is it illegal to sit on domain names? ›

In short, domain squatting is illegal in the USA under the Anticybersquatting Consumer Protection Act (ACPA).

What is a duck domain? ›

DUCK is a proposed domain extension for DuckDuckGo, emphasizing privacy-focused web browsing and services.

Do domain names need to be renewed? ›

Your domain expires after your registration period unless you renew it. To lock in the current price for the duration, unaffected by price changes, purchase years of registration manually. The typical maximum registration period is 10 years. Important: Some domains can only be auto-renewed.

What is the domain name of DuckDuckGo? ›

duckduckgo.com is the primary domain associated with DuckDuckGo.

When did domain squatting become illegal? ›

The United States adopted the U.S. Anticybersquatting Consumer Protection Act in 1999. This expansion of the Lanham (Trademark) Act (15 U.S.C.) is intended to provide protection against cybersquatting for individuals as well as owners of distinctive trademarked names.

What is the DuckDuckGo privacy scandal? ›

Cybersecurity and privacy researcher Zach Edwards discovered a glaring hole in the privacy protections of DuckDuckGo's purportedly privacy-focused browser: By examining the browser's data flows on Facebook-owned website Workplace.com, Edwards found that the site's Microsoft-placed tracking scripts continued to ...

What is duck mentality? ›

Duck syndrome, while not a mental health diagnosis, describes college and graduate students who appear calm, but are having extreme difficulty keeping up with the demands of life.

What happens if I don't renew my domain? ›

As early as one day after expiration, the domain name will be deactivated, and your website will be replaced with a "parked" page indicating the domain name has expired. Other services associated with the domain name, such as email or your website, will no longer function.

Can I keep my domain name forever? ›

According to ICANN rules, you can register a domain for a maximum of 10 years. Anything above that is not possible, instead, you'll have to renew after every 10-year period. You may have heard of Epik, a popular domain registrar that offers what it terms “forever registration”.

Does it cost money to renew a domain name? ›

Yes, owning a domain can incur extra costs like renewal fees, privacy protection services, and premium features. The total amount varies depending on the registrar and domain type.

Why is DuckDuckGo not popular? ›

Lack of personalization – since DuckDuckGo doesn't collect your data, it's not possible to get user-specific results (i.e., the auto-suggest function). Therefore, local listings may also be harder to find; Fewer services – unlike Google, DuckDuckGo only has a search engine.

Why is DuckDuckGo banned in schools? ›

Schools typically forbid the use of DuckDuckGo because students can use it to get around network restrictions and access inappropriate content.

Is DuckDuckGo now owned by Google? ›

DuckDuckGo has been an independent company since its founding in 2008. It is majority-owned by its founder Gabriel Weinberg and team members.

Is domain holding illegal? ›

Domain squatting is considered illegal because it blocks the rightful owner of a trademark or brand from buying the appropriate domain name.

Is domain grabbing legal? ›

Pure Domaingrabbing is illegal. The domain grabbers are mostly concerned with a mere prevention competition. In essence, this ensures (for example, as a competitor) an important domain of the competitor (eg, its name) within a TLD.

Can you get sued for domain name? ›

The Anticybersquatting Consumer Protection Act of 1999 (ACPA) allows a cybersquatting victim to file a federal lawsuit to regain a domain name or sue for financial compensation.

Why do people sit on domains? ›

SITTING DUCKS. Infoblox's report found there are multiple cybercriminal groups abusing these stolen domains as a globally dispersed “traffic distribution system,” which can be used to mask the true source or destination of web traffic and to funnel Web users to malicious or phishous websites.

Top Articles
O'Reilly Automotive, Inc Aktie (A1H5JY) - Kurs Nasdaq - MarketScreener
Wordlessly Implied As An Approval
Creepshotorg
Chris Provost Daughter Addie
Sound Of Freedom Showtimes Near Governor's Crossing Stadium 14
Instructional Resources
Jennifer Hart Facebook
Craigslist Cars And Trucks For Sale By Owner Indianapolis
How To Be A Reseller: Heather Hooks Is Hooked On Pickin’ - Seeking Connection: Life Is Like A Crossword Puzzle
DL1678 (DAL1678) Delta Historial y rastreo de vuelos - FlightAware
BULLETIN OF ANIMAL HEALTH AND PRODUCTION IN AFRICA
Explore Top Free Tattoo Fonts: Style Your Ink Perfectly! 🖌️
Miss America Voy Forum
OpenXR support for IL-2 and DCS for Windows Mixed Reality VR headsets
Discover Westchester's Top Towns — And What Makes Them So Unique
Radio Aleluya Dialogo Pastoral
Accuradio Unblocked
Craigslist Panama City Fl
Bx11
Tamilrockers Movies 2023 Download
Google Flights Missoula
Best Uf Sororities
Missouri Highway Patrol Crash
CDL Rostermania 2023-2024 | News, Rumors & Every Confirmed Roster
Craigslist Personals Jonesboro
Обзор Joxi: Что это такое? Отзывы, аналоги, сайт и инструкции | APS
Avatar: The Way Of Water Showtimes Near Maya Pittsburg Cinemas
4 Times Rihanna Showed Solidarity for Social Movements Around the World
Craigslist List Albuquerque: Your Ultimate Guide to Buying, Selling, and Finding Everything - First Republic Craigslist
Sandals Travel Agent Login
Ullu Coupon Code
Meggen Nut
Imagetrend Elite Delaware
ATM, 3813 N Woodlawn Blvd, Wichita, KS 67220, US - MapQuest
Devotion Showtimes Near The Grand 16 - Pier Park
42 Manufacturing jobs in Grayling
Heavenly Delusion Gif
Oxford Alabama Craigslist
Planet Fitness Santa Clarita Photos
Infinite Campus Farmingdale
“To be able to” and “to be allowed to” – Ersatzformen von “can” | sofatutor.com
Craigslist Odessa Midland Texas
Leland Nc Craigslist
Craigslist Woodward
What Is The Optavia Diet—And How Does It Work?
Quaally.shop
Elven Steel Ore Sun Haven
A rough Sunday for some of the NFL's best teams in 2023 led to the three biggest upsets: Analysis
Advance Auto.parts Near Me
Turok: Dinosaur Hunter
Poster & 1600 Autocollants créatifs | Activité facile et ludique | Poppik Stickers
Honeybee: Classification, Morphology, Types, and Lifecycle
Latest Posts
Article information

Author: Nathanael Baumbach

Last Updated:

Views: 5975

Rating: 4.4 / 5 (55 voted)

Reviews: 86% of readers found this page helpful

Author information

Name: Nathanael Baumbach

Birthday: 1998-12-02

Address: Apt. 829 751 Glover View, West Orlando, IN 22436

Phone: +901025288581

Job: Internal IT Coordinator

Hobby: Gunsmithing, Motor sports, Flying, Skiing, Hooping, Lego building, Ice skating

Introduction: My name is Nathanael Baumbach, I am a fantastic, nice, victorious, brave, healthy, cute, glorious person who loves writing and wants to share my knowledge and understanding with you.