Researchers Gain Access to Hacker-Controlled Domain Server via Name Server Delegation Flaw
By exploiting abandoned domains configured with improper name server delegation, a technique dubbed “Sitting Ducks attacks,” the researchers gained direct visibility into one of the most extensive deceptive advertising campaigns, analyzing 57 million logs spanning 15 days.
The attack vector centered on lame delegation, a DNS configuration vulnerability where a domain points to external name servers that lack actual records for that domain.
When these name servers fail to resolve queries, the domain effectively becomes unclaimed territory. By simply registering these orphaned domains at the DNS provider level, the researchers gained complete control and intercepted all traffic intended for the threat actor's infrastructure.
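The check a defender would run to find this condition in their own zones, as an added example that is not code from the article or from Infoblox: each delegated name server is asked directly for the zone's SOA, and a server that does not answer authoritatively is lame. The nameserver names and responses in the fixture are constructed so the script runs offline; `live_query` shows the same probe with dnspython (assumed installed) for real zones.

```python
from dataclasses import dataclass

@dataclass
class Answer:
    rcode: str             # DNS response code, e.g. "NOERROR", "REFUSED"
    aa: bool = False       # Authoritative Answer flag set?
    has_soa: bool = False  # SOA record for the zone in the answer section?

# Constructed fixture (not real servers): what each nameserver returns to a
# SOA query for the domain. orphan.example models the "sitting duck" case.
FIXTURE = {
    ("ns1.provider.invalid", "good.example"): Answer("NOERROR", True, True),
    ("ns2.provider.invalid", "good.example"): Answer("NOERROR", True, True),
    ("ns1.provider.invalid", "orphan.example"): Answer("REFUSED"),
    ("ns2.provider.invalid", "orphan.example"): Answer("SERVFAIL"),
}

def stub_query(ns, domain):
    return FIXTURE.get((ns, domain), Answer("SERVFAIL"))

def live_query(ns, domain):
    """Ask nameserver `ns` directly for the SOA of `domain` (needs dnspython)."""
    import dns.flags, dns.message, dns.query, dns.rcode, dns.rdatatype, dns.resolver
    ip = dns.resolver.resolve(ns, "A")[0].address
    resp = dns.query.udp(dns.message.make_query(domain, "SOA"), ip, timeout=3)
    soa = any(rrset.rdtype == dns.rdatatype.SOA for rrset in resp.answer)
    return Answer(dns.rcode.to_text(resp.rcode()), bool(resp.flags & dns.flags.AA), soa)

def is_lame(answer):
    # A server is lame for a zone unless it answers authoritatively with the SOA.
    return not (answer.rcode == "NOERROR" and answer.aa and answer.has_soa)

def check_delegation(domain, nameservers, query=stub_query):
    """Classify a domain's delegation from the verdict of each delegated server."""
    verdicts = {ns: ("lame" if is_lame(query(ns, domain)) else "ok") for ns in nameservers}
    lame = [ns for ns, v in verdicts.items() if v == "lame"]
    if not lame:
        status = "healthy"
    elif len(lame) == len(nameservers):
        status = "fully-lame"      # resolution fails everywhere; claimable if the
    else:                          # provider lets any account create the zone
        status = "partially-lame"
    return {"domain": domain, "status": status, "nameservers": verdicts}

if __name__ == "__main__":
    for d in ("good.example", "orphan.example"):
        print(check_delegation(d, ["ns1.provider.invalid", "ns2.provider.invalid"]))
```

A "fully-lame" verdict is the precondition the article describes; whether the domain is actually claimable still depends on the provider allowing the zone to be created without proof of ownership, which no DNS probe can tell you.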
Within hours of taking control, the research team’s servers were flooded with requests from victim devices, which were transmitting detailed information, including device models, ISPs, subscription timestamps, and behavioral tracking data.
The scale proved staggering: one domain generated 30 megabytes of logs per second. Expanding their observation to 120 compromised domains revealed a global push-notification monetization network operating primarily in plain text, with minimal encryption or security controls.
The infrastructure demonstrates alarmingly poor operational security. All tracking data, notifications, and logs were transmitted unencrypted, containing only Base64-encoded strings for obfuscation.
Each victim received a subscriber ID (SID) and was tracked for click-through behavior, IP consistency, geographic mismatches, and other fraud-prevention flags. Yet, this metadata remained fully visible in unprotected JSON objects.
The researchers documented over 60 languages in notification content, with Asian regions accounting for 50 percent of all traffic, particularly targeting South Asian countries such as Bangladesh, India, Indonesia, and Pakistan.
The notifications employed sophisticated social engineering, leveraging deception, fear, and financial incentives to drive clicks.
Some lures impersonated legitimate financial institutions, such as Bradesco, Sparkasse, MasterCard, and regional payment services, while others exploited geopolitical events and celebrity scandals.
Victims received an average of 140 notifications per day, totaling 7,600 over the lifetime of their subscription. Strikingly, some users remained subscribed for over a year despite the relentless barrage of scams.
Revenue analysis raised questions about the operation's economic viability. The platform operated on a Cost Per Mille (CPM) and Cost Per Click (CPC) model, generating approximately $350 per day from the monitored domains.
CPC-based ads generated a negligible $1.80 in revenue over 15 days. Ad pricing remained uniformly low, averaging less than 5 cents regardless of targeting sophistication or victim geography.
Remarkably, advertiser-provided fraud prevention features yielded minimal pricing differentials, suggesting either distrust in their efficacy or indifference toward audience quality.
The actual click-through rate proved devastatingly low: the platform’s own estimates ranged from 1-in-175 to 1-in-60,000, with observed rates reaching 1-in-80,000. From 57 million logged impressions, only 630 user clicks materialized.
This suggests the operation prioritized impression inflation and accidental engagement rather than genuine audience targeting, potentially explaining why affiliate advertisers complain of deceptive platform practices.
The ecosystem exhibits distributed responsibility across multiple commercial services. Image hosting, user tracking, notification routing, and payment processing are fragmented across separate providers, many of which cater to gray-market operations.
This segmentation obscures accountability while enabling operation at scale. The platform’s published compliance policies reject overtly deceptive messages. Yet, the researchers observed millions of notifications claiming malware infections, system vulnerabilities, and account compromises, indicating enforcement failures.
The research underscores systemic vulnerabilities in domain infrastructure management. Similar DNS misconfiguration techniques enable ongoing domain hijacking across legitimate organizations daily.
The threat extends beyond scam distribution; other threat actors, including Vacant Viper, utilize identical methods to deploy malware distribution systems and credential-stealing infrastructure.
The Infoblox researchers responsibly disclosed findings to the DNS provider before claiming abandoned domains. Yet, thousands of vulnerable domains remain globally unclaimed and exploitable.
The post Researchers Gain Access to Hacker-Controlled Domain Server via Name Server Delegation Flaw appeared first on Cyber Security News.