Infoblox Researchers Expose Massive Push Notification Scam via DNS Misconfiguration Security researchers at Infoblox uncovered a large-scale malicious push notification operation by exploiting a DNS misconfiguration flaw known as "lame nameserver delegation." Over a two-week period, they intercepted over 57 million logs from abandoned domains, revealing a global scam network targeting victims with deceptive ads, brand impersonation, and fraudulent content. The attack leveraged the "Sitting Ducks" vulnerability, where domains are improperly configured to use external nameservers without proper records. By claiming these abandoned domains at the DNS provider, researchers passively received unencrypted traffic including device details, user metrics, and ad data within an hour of takeover. They expanded their monitoring to 120 misconfigured domains, capturing 30 MB of logs per second. The operation delivered 140+ daily notifications to victims in 60+ languages, with some users subscribed for over a year. Scams included fake alerts impersonating Bradesco, Sparkasse, MasterCard, Touch ‘n Go, and GCash, alongside gambling schemes and adult content. 50% of traffic targeted South Asia, particularly Bangladesh, India, Indonesia, and Pakistan. Despite its scale, the campaign was financially inefficient, with a click-through rate of just 1 in 60,000 generating only $350 daily from 52 million ads. The research underscores the risks of poor DNS hygiene, as abandoned domains with lame delegations can be repeatedly hijacked for malicious use, as seen in past attacks by groups like Vacant Viper. Organizations are urged to audit their DNS configurations to prevent such exploits.