Don’t Let Your Domain Name Become a “Sitting Duck” (2024)

More than a million domain names — including many registered by Fortune 100 firms and brand protection companies — are vulnerable to takeover by cybercriminals thanks to authentication weaknesses at a number of large web hosting providers and domain registrars, new research finds.

Image: Shutterstock.

Your Web browser knows how to find a site like example.com thanks to the global Domain Name System (DNS), which serves as a kind of phone book for the Internet by translating human-friendly website names (example.com) into numeric Internet addresses.

When someone registers a domain name, the registrar will typically provide two sets of DNS records that the customer then needs to assign to their domain. Those records are crucial because they allow Web browsers to find the Internet address of the hosting provider that is serving that domain.

But potential problems can arise when a domain’s DNS records are “lame,” meaning the authoritative name server does not have enough information about the domain and can’t resolve queries to find it. A domain can become lame in a variety of ways, such as when it is not assigned an Internet address, or because the name servers in the domain’s authoritative record are misconfigured or missing.

The reason lame domains are problematic is that a number of Web hosting and DNS providers allow users to claim control over a domain without accessing the true owner’s account at their DNS provider or registrar.

If this threat sounds familiar, that’s because it is hardly new. Back in 2019, KrebsOnSecurity wrote about thieves employing this method to seize control over thousands of domains registered at GoDaddy, and using those to send bomb threats and sextortion emails (GoDaddy says they fixed that weakness in their systems not long after that 2019 story).

In the 2019 campaign, the spammers created accounts on GoDaddy and were able to take over vulnerable domains simply by registering a free account at GoDaddy and being assigned the same DNS servers as the hijacked domain.

Three years before that, the same pervasive weakness was described in a blog post by security researcher Matthew Bryant, who showed how one could commandeer at least 120,000 domains via DNS weaknesses at some of the world’s largest hosting providers.

Incredibly, new research jointly released today by security experts at Infoblox and Eclypsium finds this same authentication weakness is still present at a number of large hosting and DNS providers.

“It’s easy to exploit, very hard to detect, and it’s entirely preventable,” said Dave Mitchell, principal threat researcher at Infoblox. “Free services make it easier [to exploit] at scale. And the bulk of these are at a handful of DNS providers.”

SITTING DUCKS

Infoblox’s report found there are multiple cybercriminal groups abusing these stolen domains as a globally dispersed “traffic distribution system,” which can be used to mask the true source or destination of web traffic and to funnel Web users to malicious or phishing websites.

Commandeering domains this way also can allow thieves to impersonate trusted brands and abuse their positive or at least neutral reputation when sending email from those domains, as we saw in 2019 with the GoDaddy attacks.

“Hijacked domains have been used directly in phishing attacks and scams, as well as large spam systems,” reads the Infoblox report, which refers to lame domains as “Sitting Ducks.” “There is evidence that some domains were used for Cobalt Strike and other malware command and control (C2). Other attacks have used hijacked domains in targeted phishing attacks by creating lookalike subdomains. A few actors have stockpiled hijacked domains for an unknown purpose.”

Eclypsium researchers estimate there are currently about one million Sitting Duck domains, and that at least 30,000 of them have been hijacked for malicious use since 2019.

“As of the time of writing, numerous DNS providers enable this through weak or nonexistent verification of domain ownership for a given account,” Eclypsium wrote.

The security firms said they found a number of compromised Sitting Duck domains were originally registered by brand protection companies that specialize in defensive domain registrations (reserving look-alike domains for top brands before those names can be grabbed by scammers) and combating trademark infringement.

For example, Infoblox found cybercriminal groups using a Sitting Duck domain called clickermediacorp[.]com, which was a CBS Interactive Inc. domain initially registered in 2009 at GoDaddy. However, in 2010 the DNS was updated to DNSMadeEasy.com servers, and in 2012 the domain was transferred to MarkMonitor.

Another hijacked Sitting Duck domain — anti-phishing[.]org — was registered in 2003 by the Anti-Phishing Working Group (APWG), a cybersecurity not-for-profit organization that closely tracks phishing attacks.

In many cases, the researchers discovered Sitting Duck domains that appear to have been configured to auto-renew at the registrar, but the authoritative DNS or hosting services were not renewed.

The researchers say Sitting Duck domains all possess three attributes that make them vulnerable to takeover:

1) the domain uses or delegates authoritative DNS services to a different provider than the domain registrar;
2) the authoritative name server(s) for the domain does not have information about the Internet address the domain should point to;
3) the authoritative DNS provider is “exploitable,” i.e. an attacker can claim the domain at the provider and set up DNS records without access to the valid domain owner’s account at the domain registrar.
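As an added illustration (not code from the report or from either research team), the following Python classifies one domain against those three attributes using constructed DNS answers; the domain names, the registrar, and the set of claimable providers are placeholders assumed for the example.

```python
from dataclasses import dataclass, field

# Constructed data for this added example, not the report's findings. Knowledge of
# which DNS providers let anyone claim a delegated name (the "Can I take over DNS"
# list) is a human judgement, so it is supplied here as a placeholder set.
CLAIMABLE_PROVIDERS = {"dnshost.example"}

@dataclass
class NsAnswer:
    """What a name server said when asked directly about the domain."""
    rcode: str                     # "NOERROR", "REFUSED", "SERVFAIL", "TIMEOUT", ...
    has_soa: bool = False          # it returned an SOA, i.e. it hosts the zone
    a_records: list = field(default_factory=list)  # addresses for the domain apex

def provider_of(host: str) -> str:
    """Crude registrable-domain extraction: ns1.dnshost.example -> dnshost.example."""
    return ".".join(host.rstrip(".").lower().split(".")[-2:])

def is_lame(answer) -> bool:
    """Attribute 2: the server cannot say where the domain points."""
    return (answer is None or answer.rcode != "NOERROR"
            or not answer.has_soa or not answer.a_records)

def assess(registrar_domain: str, delegated_ns: list, answers: dict) -> dict:
    """Evaluate the three Sitting Duck attributes for one domain.

    registrar_domain: registrable domain of the registrar's own name servers
    delegated_ns:     NS hostnames the parent zone delegates the domain to
    answers:          NS hostname -> NsAnswer observed from that server
    """
    # Attribute 1: authoritative DNS lives somewhere other than the registrar.
    outside = [ns for ns in delegated_ns if provider_of(ns) != registrar_domain]
    lame = [ns for ns in delegated_ns if is_lame(answers.get(ns))]
    # Attribute 3: a lame server sits at a provider where the name can be claimed.
    claimable = sorted({provider_of(ns) for ns in lame} & CLAIMABLE_PROVIDERS)
    return {
        "delegated_outside_registrar": bool(outside),
        "lame_nameservers": lame,
        "claimable_providers": claimable,
        # Even one lame server at a claimable provider is enough: whoever claims
        # it answers the share of queries that reach that server.
        "sitting_duck": bool(outside) and bool(lame) and bool(claimable),
    }
```

In practice `delegated_ns` comes from the parent zone's NS records and each `NsAnswer` from querying that server directly; a registrant can run this over their own portfolio to find delegations that lapsed while the registration auto-renewed.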

Image: Infoblox.

How does one know whether a DNS provider is exploitable? There is a frequently updated list published on GitHub called “Can I take over DNS,” which has been documenting exploitability by DNS provider over the past several years. The list includes examples for each of the named DNS providers.

In the case of the aforementioned Sitting Duck domain clickermediacorp[.]com, the domain appears to have been hijacked by scammers by claiming it at the web hosting firm DNSMadeEasy, which is owned by Digicert, one of the industry’s largest issuers of digital certificates (SSL/TLS certificates).

In an interview with KrebsOnSecurity, DNSMadeEasy founder and senior vice president Steve Job said the problem isn’t really his company’s to solve, noting that DNS providers who are also not domain registrars have no real way of validating whether a given customer legitimately owns the domain being claimed.

“We do shut down abusive accounts when we find them,” Job said. “But it’s my belief that the onus needs to be on the [domain registrants] themselves. If you’re going to buy something and point it somewhere you have no control over, we can’t prevent that.”

Infoblox, Eclypsium, and the DNS wiki listing at GitHub all say that web hosting giant Digital Ocean is among the vulnerable hosting firms. In response to questions, Digital Ocean said it was exploring options for mitigating such activity.

“The DigitalOcean DNS service is not authoritative, and we are not a domain registrar,” Digital Ocean wrote in an emailed response. “Where a domain owner has delegated authority to our DNS infrastructure with their registrar, and they have allowed their ownership of that DNS record in our infrastructure to lapse, that becomes a ‘lame delegation’ under this hijack model. We believe the root cause, ultimately, is poor management of domain name configuration by the owner, akin to leaving your keys in your unlocked car, but we acknowledge the opportunity to adjust our non-authoritative DNS service guardrails in an effort to help minimize the impact of a lapse in hygiene at the authoritative DNS level. We’re connected with the research teams to explore additional mitigation options.”

In a statement provided to KrebsOnSecurity, the hosting provider and registrar Hostinger said they were working to implement a solution to prevent lame duck attacks in the “upcoming weeks.”

“We are working on implementing an SOA-based domain verification system,” Hostinger wrote. “Custom nameservers with a Start of Authority (SOA) record will be used to verify whether the domain truly belongs to the customer. We aim to launch this user-friendly solution by the end of August. The final step is to deprecate preview domains, a functionality sometimes used by customers with malicious intents. Preview domains will be deprecated by the end of September. Legitimate users will be able to use randomly generated temporary subdomains instead.”

What did DNS providers that have struggled with this issue in the past do to address these authentication challenges? The security firms said that to claim a domain name, the best practice providers gave the account holder random name servers that required a change at the registrar before the domains could go live. They also found the best practice providers used various mechanisms to ensure that the newly assigned name server hosts did not match previous name server assignments.
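Added example of that provider-side practice (not any provider's actual code): issue random name servers that cannot coincide with the old delegation, and activate the zone only once the registrar's delegation has been changed to them. The provider zone name is an assumed placeholder.

```python
import secrets

# Assumed placeholder for the provider's own name server zone.
PROVIDER_ZONE = "dns-provider.example"
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"

def normalize(hosts) -> set:
    """Case- and trailing-dot-insensitive comparison of NS hostnames."""
    return {h.rstrip(".").lower() for h in hosts}

def assign_claim_nameservers(previous_ns, count: int = 2, rng=None) -> list:
    """Issue random name servers for a new claim on a domain.

    previous_ns: servers the domain is or was delegated to (from the parent
                 zone and the provider's own history). The result never
                 overlaps them, so a claimant cannot be handed the very servers
                 a stale delegation already points at.
    """
    rng = rng or secrets.SystemRandom()   # CSPRNG: names must be unguessable
    taken = normalize(previous_ns)
    assigned = []
    for _ in range(100):                   # bounded retry; collisions are rare
        label = "ns-" + "".join(rng.choice(ALPHABET) for _i in range(12))
        host = f"{label}.{PROVIDER_ZONE}"
        if host not in taken and host not in assigned:
            assigned.append(host)
        if len(assigned) == count:
            return assigned
    raise RuntimeError("could not allocate unique name servers")

def may_activate(assigned_ns, parent_delegation) -> bool:
    """Serve the zone only once the registrant proved control at the registrar.

    parent_delegation is the NS set currently published by the parent zone
    (e.g. the TLD). It must equal the servers issued for this claim; a
    delegation still pointing at the old, lame servers does not count.
    """
    return normalize(parent_delegation) == normalize(assigned_ns)
```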

[Side note: Infoblox observed that many of the hijacked domains were being hosted at Stark Industries Solutions, a sprawling hosting provider that appeared two weeks before Russia invaded Ukraine and has become the epicenter of countless cyberattacks against enemies of Russia].

Both Infoblox and Eclypsium said that without more cooperation and less finger-pointing by all stakeholders in the global DNS, attacks on sitting duck domains will continue to rise, with domain registrants and regular Internet users caught in the middle.

“Government organizations, regulators, and standards bodies should consider long-term solutions to vulnerabilities in the DNS management attack surface,” the Infoblox report concludes.
