
October 2, 2024

Over a Million Domains at Risk of Hijacking in 'Sitting Duck' Attacks

In the ever-evolving cybersecurity landscape, amidst a barrage of threats and vigilant businesses, there exists a subtle yet potent vulnerability that often eludes organizations' watchful eyes. Enter the realm of Sitting Duck attacks - a peril underestimated by many, but not by cybercriminals. Reports reveal that in the past six years alone, malevolent actors have successfully seized control of over 35,000 domains using this method.

So, what exactly are Sitting Duck attacks? How do they operate, how do nefarious actors exploit them, and most importantly, how can enterprises shield themselves from such insidious threats? That’s what we’ll discuss in this blog post.

Understanding Sitting Duck Attacks

For expansive and burgeoning enterprises, monitoring every domain asset can pose a significant challenge. Even the most diligent business leaders can find themselves overwhelmed, especially when concentrating on maintaining competitiveness in dynamic industries. Whether multinational corporations or newcomers, many acquire new domains, link them with a DNS provider, and subsequently forget about them over time. This oversight commonly arises when initiatives lose momentum, brands change direction or switch providers, or defensive registrations are set up and then fade into oblivion.

Unfortunately, these dormant and exposed domain registrations, along with unresolved DNS configurations, create the perfect "Sitting Ducks" that cybercriminals capitalize on in such attacks. Over time, Sitting Duck vulnerabilities accumulate within numerous contemporary businesses, often going unnoticed until a prominent brand falls victim to an attack. Yet, in the lulls between incidents and when media attention wanes, brands tend to let their guard down. Attackers identify these vulnerabilities and strike unsuspecting brands when they least expect it.

How Cybercriminals Capitalize on Sitting Duck Vulnerabilities

Cybercriminals exploit Sitting Duck DNS vulnerabilities by claiming abandoned or overlooked domain accounts at the DNS provider and pointing them at new, malicious web pages. They scour for dormant domains and DNS records, pinpointing instances where companies have relaxed their defenses. Upon identifying a suitable domain, they can either create new accounts or hijack existing ones without undergoing proper verification processes.

Figure 1 - Prior to hijacking of Zone

Subsequently, upon gaining control, attackers fabricate counterfeit websites or redirect legitimate URLs to these fraudulent platforms. These deceptive pages often imitate well-known businesses or services, posing a challenge for users to distinguish between authentic and counterfeit sources.

Figure 2 - Zone hijacked

Phishing attacks frequently leverage Sitting Duck vulnerabilities, inflicting substantial harm on unsuspecting victims. For instance, perpetrators might assume control of a domain previously utilized by a reputable retail entity and construct a phishing site resembling the official login page of the store. Unsuspecting users attempting to log in inadvertently disclose their credentials to the attackers. Subsequently, cybercriminals exploit this stolen information to infiltrate the victims' bank accounts, resulting in financial theft and identity fraud. While this scenario focuses on the consumer goods domain, attackers employ comparable strategies across varied sectors such as finance, healthcare, and other online services.

Moreover, cybercriminals leverage Sitting Duck DNS vulnerabilities for more sinister motives. Threat actors have wielded these vulnerabilities to issue bomb threats and engage in sextortion. By redirecting users to menacing or exploitative content, attackers sow panic and distress, exploiting the situation to coerce and manipulate individuals or organizations. Such assaults result in profound distress, harm to reputation, and significant financial losses.

Actions for Authorities and Organizations

After a Sitting Duck attack occurs, the resulting damage is frequently irreversible. Brands may attempt to recoup lost finances or guide consumers back to authentic websites, but rebuilding shattered trust is a challenging task that cannot be swiftly restored.

Preventing a Sitting Duck attack is achievable through addressing deficiencies in the administration and authorization of domain names and DNS records. It is imperative for domain holders, registrars, DNS providers, web hosting services, standards bodies, regulators, and the cybersecurity community to work together in a collaborative effort to prevent these attacks.

To mitigate these risks, it is strongly advised that domain owners take the following actions:

1. Maintain an up-to-date inventory of all DNS zones, irrespective of their operational status, and ensure that all DNS zones, including inactive ones, are hosted with trusted providers to prevent potential hijacking. Additionally, promptly deregister any DNS zones that are not in use.

2. Check whether your domains and subdomains are delegated to name servers associated with service providers where accounts have lapsed or are invalid. A Sitting Duck attack capitalizes on these defunct accounts to wrest control of a domain from an active and valid account.

3. Communicate with your DNS provider to understand the specific measures in place to counter this type of attack. If your provider has implemented effective countermeasures, the risk of falling victim to a Sitting Duck attack is significantly reduced.
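The inventory review in steps 1 and 2 comes down to one question per zone: do the name servers the parent delegates to actually serve the zone? If every delegated server answers REFUSED, SERVFAIL, or a non-authoritative reply, the delegation is "lame", and the zone is exactly the kind of Sitting Duck the attack abuses. The following checker is an added example written for this post; it is not Nexusguard's tooling. All names (`example.com`, `dns-provider.example`, `lapsed-provider.example`) and the recorded answers are constructed, and the DNS transport is injected as a callable so the audit runs offline; wiring `probe` to a real SOA query against each delegated server is left as an assumption.

```python
"""Lame-delegation audit for a DNS zone inventory.

Added illustration for the Sitting Duck mitigation steps above; not Nexusguard
code. The DNS transport is injected so the block runs offline against
constructed responses.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# A probe answers "does name server `ns` serve zone `zone` authoritatively?"
# and returns (rcode, aa_flag). A live version would send a SOA query directly
# to each delegated server (not through a recursive resolver, which would hide
# which individual server is lame). Here it is a plain callable (assumption).
Probe = Callable[[str, str], Tuple[str, bool]]


@dataclass
class DelegationReport:
    zone: str
    nameservers: List[str]
    lame: List[str] = field(default_factory=list)  # servers that do not serve the zone
    status: str = "unknown"  # "healthy", "partially_lame", "lame", "undelegated"

    @property
    def sitting_duck_candidate(self) -> bool:
        # Every delegated server is lame: nobody serves the zone, so whoever can
        # claim the zone name at that provider inherits the domain's traffic.
        return self.status == "lame"


def classify(zone: str, nameservers: List[str], probe: Probe) -> DelegationReport:
    """Classify one zone from its parent-side NS set and per-server probe results."""
    report = DelegationReport(zone=zone, nameservers=list(nameservers))
    if not nameservers:
        # No NS records at the parent: nothing resolves, but nothing to hijack either
        # (step 1's advice is to deregister such zones if they are not needed).
        report.status = "undelegated"
        return report
    for ns in nameservers:
        rcode, aa = probe(ns, zone)
        # REFUSED/SERVFAIL, or NOERROR without the AA bit, all mean the server has
        # no zone configured for this name: a lame delegation.
        if rcode != "NOERROR" or not aa:
            report.lame.append(ns)
    if not report.lame:
        report.status = "healthy"
    elif len(report.lame) == len(nameservers):
        report.status = "lame"
    else:
        report.status = "partially_lame"
    return report


def audit(inventory: Dict[str, List[str]], probe: Probe) -> List[DelegationReport]:
    """Run classify() over an inventory mapping each zone to its delegated NS set."""
    return [classify(zone, ns, probe) for zone, ns in sorted(inventory.items())]


def sitting_duck_candidates(inventory: Dict[str, List[str]], probe: Probe) -> List[str]:
    """Zones whose entire delegation is lame, i.e. the ones to fix first."""
    return [r.zone for r in audit(inventory, probe) if r.sitting_duck_candidate]


# ---- constructed sample data (hypothetical names, not real observations) ----
SAMPLE_INVENTORY: Dict[str, List[str]] = {
    "shop.example.com": ["ns1.dns-provider.example", "ns2.dns-provider.example"],
    "old-campaign.example.com": ["ns1.lapsed-provider.example", "ns2.lapsed-provider.example"],
    "api.example.com": ["ns1.dns-provider.example", "ns9.lapsed-provider.example"],
    "forgotten.example.com": [],
}

# Constructed answers keyed by (nameserver, zone): (rcode, AA flag).
SAMPLE_ANSWERS: Dict[Tuple[str, str], Tuple[str, bool]] = {
    ("ns1.dns-provider.example", "shop.example.com"): ("NOERROR", True),
    ("ns2.dns-provider.example", "shop.example.com"): ("NOERROR", True),
    ("ns1.lapsed-provider.example", "old-campaign.example.com"): ("REFUSED", False),
    ("ns2.lapsed-provider.example", "old-campaign.example.com"): ("SERVFAIL", False),
    ("ns1.dns-provider.example", "api.example.com"): ("NOERROR", True),
    ("ns9.lapsed-provider.example", "api.example.com"): ("NOERROR", False),  # no AA bit
}


def sample_probe(ns: str, zone: str) -> Tuple[str, bool]:
    """Offline stand-in for a direct SOA query; unknown pairs behave like REFUSED."""
    return SAMPLE_ANSWERS.get((ns, zone), ("REFUSED", False))


if __name__ == "__main__":
    for r in audit(SAMPLE_INVENTORY, sample_probe):
        flag = "  <-- SITTING DUCK CANDIDATE" if r.sitting_duck_candidate else ""
        print(f"{r.zone:28} {r.status:15} lame={r.lame}{flag}")
```

A lame delegation is the precondition, not the whole story: the zone is only claimable if the provider behind those name servers lets a new account register it without proving ownership, which is what step 3 asks your provider about. A `partially_lame` result still deserves attention, since the lame server will be handed a share of the resolvers' queries.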

Safeguarding Your Organization

Eliminating the Sitting Duck attack entirely remains a challenge. In response, Nexusguard has established a protocol that integrates software and procedural measures.

Central to this approach is zone authentication. Newly subscribed zones under Nexusguard DNS Protection hosting must successfully undergo zone authentication prior to integration.

In cases of disagreement, Nexusguard's service team will conduct manual verification of zone ownership. Any zones lacking valid ownership will be promptly removed. Subsequently, the rightful owner can seamlessly re-add the zone through the Nexusguard Customer Portal.


Reach out to us today to discover more about our cybersecurity services and how we can safeguard your operations in an increasingly interconnected digital landscape. Click here for additional information on Nexusguard's dependable and flexible anti-DDoS solutions.

Nexusguard provides all-encompassing and unified cybersecurity services, ensuring the uninterrupted functionality of your crucial online assets and infrastructure.
