Infoblox Researchers Hijack Malicious Push Notification Network via DNS Misconfiguration Security researchers at Infoblox disrupted a large-scale malicious push notification operation by exploiting a DNS misconfiguration flaw known as "lame nameserver delegation" a technique dubbed "Sitting Ducks." Without directly compromising systems, the team intercepted over 57 million logs in just two weeks, exposing a global scam network targeting victims across 60+ languages with deceptive ads, brand impersonation, and fraudulent content. The operation leveraged abandoned domains misconfigured to use external nameservers lacking proper records allowing researchers to claim them without registration. Within hours, their servers were flooded with unencrypted traffic from victim devices, revealing detailed user metrics, device data, and ad delivery logs. The threat actor’s infrastructure sent duplicate notifications to victims, some of whom received 140+ alerts daily, with subscriptions lasting over a year. Key Findings: - Scale & Impact: The network delivered 52 million ads, yielding only 630 clicks (a 0.0012% click-through rate) and an estimated $350 daily revenue from monitored domains. - Targets: 50% of traffic focused on South Asia, particularly Bangladesh, India, Indonesia, and Pakistan. - Impersonation: Ads mimicked financial institutions like Bradesco, Sparkasse, MasterCard, Touch ‘n Go, and GCash, alongside fake security alerts and adult content. - Technique: The "Sitting Ducks" flaw previously used by groups like Vacant Viper enabled domain hijacking via traffic distribution systems (e.g., 404TDS), turning dormant domains into malware distribution hubs. The research underscores the risks of unmaintained DNS configurations, where abandoned domains become repeat targets for malicious campaigns. Organizations were urged to audit nameserver delegations to prevent similar exploits.

The Vermont Office of the Attorney General disclosed a data breach affecting Bradesco Securities, Inc. on July 28, 2023, after detecting unauthorized access to its systems on July 11, 2023. The incident involved the compromise of sensitive employee information, specifically Social Security numbers (SSNs) and state identification numbers. While the exact number of impacted individuals remains undisclosed, the breach poses significant risks, including potential identity theft, financial fraud, or targeted phishing attacks against employees. The exposure of such highly sensitive data underscores vulnerabilities in the company’s cybersecurity defenses, particularly in safeguarding personally identifiable information (PII). Given the nature of the stolen data, affected employees may face long-term repercussions, including credit score damage, unauthorized account openings, or misuse of their identities for illicit activities. The breach also raises concerns about internal security protocols, as the unauthorized access went undetected for an unspecified period before discovery.