Cybercriminals’ Push-Notification Scam Exposed by DNS Misconfiguration A recent investigation by Infoblox uncovered a large-scale push-notification scam targeting Android users, revealing how a simple DNS error exposed the criminal infrastructure behind it. The campaign bombarded victims with fake security alerts, gambling ads, and adult-content lures, generating revenue through clicks while evading detection behind random domains and hidden hosting. The operation unraveled when a misconfigured name server left one of the attacker’s domains in a "lame delegation" state no longer resolving to a valid backend, yet still receiving traffic from infected devices. Infoblox researchers exploited this oversight by legitimately registering the abandoned domain, redirecting traffic to their own servers without altering victim devices or the attacker’s infrastructure. Over several days, the team intercepted tens of millions of records from thousands of infected browsers worldwide. The data revealed aggressive tactics, including brand impersonation and scare-based messaging, with some users receiving over 100 notifications daily for months. The infection process began when users visited compromised or malicious sites, tricked into enabling browser notifications amid deceptive pop-ups, cookie banners, and CAPTCHAs. Once granted, a hidden service worker embedded in the browser maintained persistent access, fetching updated scripts and ad templates from the attacker’s servers even after the original tab was closed. The incident highlights how cybercriminals exploit web standards and poor DNS hygiene to sustain long-term access, while defenders can leverage misconfigurations to monitor and disrupt such operations.