Infoblox Researchers Hijack Malicious Push Notification Network via DNS Misconfiguration Security researchers at Infoblox disrupted a large-scale malicious push notification operation by exploiting a DNS misconfiguration flaw known as "lame nameserver delegation" a technique dubbed "Sitting Ducks." Without directly compromising systems, the team intercepted over 57 million logs in just two weeks, exposing a global scam network targeting victims across 60+ languages with deceptive ads, brand impersonation, and fraudulent content. The operation leveraged abandoned domains misconfigured to use external nameservers lacking proper records allowing researchers to claim them without registration. Within hours, their servers were flooded with unencrypted traffic from victim devices, revealing detailed user metrics, device data, and ad delivery logs. The threat actor’s infrastructure sent duplicate notifications to victims, some of whom received 140+ alerts daily, with subscriptions lasting over a year. Key Findings: - Scale & Impact: The network delivered 52 million ads, yielding only 630 clicks (a 0.0012% click-through rate) and an estimated $350 daily revenue from monitored domains. - Targets: 50% of traffic focused on South Asia, particularly Bangladesh, India, Indonesia, and Pakistan. - Impersonation: Ads mimicked financial institutions like Bradesco, Sparkasse, MasterCard, Touch ‘n Go, and GCash, alongside fake security alerts and adult content. - Technique: The "Sitting Ducks" flaw previously used by groups like Vacant Viper enabled domain hijacking via traffic distribution systems (e.g., 404TDS), turning dormant domains into malware distribution hubs. The research underscores the risks of unmaintained DNS configurations, where abandoned domains become repeat targets for malicious campaigns. Organizations were urged to audit nameserver delegations to prevent similar exploits.