Protect Your Domain Name From Being an Easy Target – Krebs on Security

A new research study has revealed that over a million domain names, including those belonging to Fortune 100 companies and brand protection firms, are at risk of being taken over by cybercriminals due to authentication vulnerabilities at major web hosting providers and domain registrars.

The Domain Name System (DNS) functions as a crucial component of the Internet by translating human-readable website names into numeric Internet addresses for Web browsers to access. When a domain is registered, the registrar typically provides two sets of DNS records that the customer must assign to their domain. These records are essential for guiding Web browsers to the hosting provider serving the domain.

However, problems arise when a domain's DNS records are considered "lame," meaning the authoritative name server lacks sufficient information about the domain and cannot answer queries for it. A domain can become lame in several ways, for example when it has no assigned Internet address, or when the name servers listed in its authoritative record are misconfigured or missing.

The danger of lame domains is that some Web hosting and DNS providers let a user claim a domain in their systems without proving access to the true owner's account at the DNS provider or registrar. Cybercriminals have used this method in the past to seize control of domains and put them to work sending bomb threats and sextortion emails, and hosting phishing attacks.
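Whether a domain's delegation is lame can be checked directly: ask each name server listed in the registrar's delegation for the zone's SOA record with recursion disabled, and treat anything other than an authoritative answer as lame. The following is an added example, not code from the article or from the Infoblox/Eclypsium research; it implements a minimal DNS wire-format query and response parser, applies that rule, and runs it over constructed sample packets (not captured traffic). The `live_check()` function, domain `example.com`, and the server names in the sample SOA record are assumptions for illustration.

```python
import random
import socket
import struct

TYPE_SOA, CLASS_IN = 6, 1
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
FLAG_QR, FLAG_AA = 0x8000, 0x0400


def encode_name(name):
    """Encode 'example.com' as DNS labels: \\x07example\\x03com\\x00."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid):
    """SOA query with RD=0: we want the server's own view of the zone, not a recursive lookup."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_SOA, CLASS_IN)


def skip_name(data, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = data[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n


def parse_response(data):
    """Extract the header fields and answer types the lame-delegation check needs."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4  # skip QTYPE + QCLASS
    soa_in_answer = False
    for _ in range(an):
        off = skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        soa_in_answer |= rtype == TYPE_SOA
        off += 10 + rdlen
    return {"id": txid, "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
            "rcode": flags & 0x000F, "answers": an, "authority": ns, "soa": soa_in_answer}


def classify(resp, txid):
    """'authoritative' only when the server claims the zone (AA set) and returns its SOA."""
    if resp["id"] != txid or not resp["qr"]:
        return "invalid", "transaction id mismatch or not a response"
    name = RCODE.get(resp["rcode"], str(resp["rcode"]))
    if resp["rcode"] == 0 and resp["aa"] and resp["soa"]:
        return "authoritative", "AA set, SOA returned"
    if resp["rcode"] in (2, 5):
        return "lame", f"server answered {name}: it does not serve this zone"
    if not resp["aa"]:
        return "lame", f"{name} but AA not set: server is not authoritative for the zone"
    return "lame", f"{name} with AA set but no SOA: zone missing or empty on this server"


def live_check(domain, nameserver_ip, timeout=3.0):
    """Query one delegated name server over UDP (needs network access; not run offline)."""
    txid = random.randrange(1, 65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(domain, txid), (nameserver_ip, 53))
        data, _ = s.recvfrom(4096)
    return classify(parse_response(data), txid)


# --- constructed sample packets for offline use (not captured traffic) ---
def make_response(query, txid, flags, answers=b"", ancount=0):
    """Echo the question section, set the flags, append constructed answer RRs."""
    header = struct.pack("!HHHHHH", txid, FLAG_QR | flags, 1, ancount, 0, 0)
    return header + query[12:] + answers


SAMPLE_TXID = 0x1234
SAMPLE_QUERY = build_query("example.com", SAMPLE_TXID)
# Healthy delegation: AA set and one SOA RR (owner name is a pointer to the question at offset 12).
SOA_RDATA = (encode_name("ns1.example.com") + encode_name("hostmaster.example.com")
             + struct.pack("!IIIII", 2024010101, 7200, 900, 1209600, 3600))
SOA_RR = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, 3600, len(SOA_RDATA)) + SOA_RDATA
HEALTHY = make_response(SAMPLE_QUERY, SAMPLE_TXID, FLAG_AA, SOA_RR, 1)
# Lame: the delegated server does not host the zone and answers REFUSED.
LAME_REFUSED = make_response(SAMPLE_QUERY, SAMPLE_TXID, 5)
# Lame: NOERROR but AA clear, i.e. the server is simply not authoritative for the name.
LAME_NOT_AA = make_response(SAMPLE_QUERY, SAMPLE_TXID, 0)


def demo():
    """Classify the three constructed packets; returns their status strings."""
    return [classify(parse_response(p), SAMPLE_TXID)[0] for p in (HEALTHY, LAME_REFUSED, LAME_NOT_AA)]


if __name__ == "__main__":
    for pkt in (HEALTHY, LAME_REFUSED, LAME_NOT_AA):
        print(classify(parse_response(pkt), SAMPLE_TXID))
```

Run against the name servers in a domain's own delegation (the NS set published by the parent zone, not whatever a recursive resolver happens to return), a REFUSED or non-authoritative result from any of them is the signal to investigate: the delegation points at a provider that does not currently serve the zone, which is exactly the state the article describes.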

Despite previous reports on this issue dating back to 2019, new research by security experts at Infoblox and Eclypsium has indicated that the same authentication weakness persists at numerous large hosting and DNS providers. This vulnerability allows cybercriminal groups to abuse hijacked domains as a traffic distribution system to conceal the origin or destination of web traffic and lead users to malicious websites.

The researchers have identified over a million Sitting Duck domains, with thousands of them already hijacked for malicious purposes since 2019. These domains, initially registered by brand protection companies and organizations combatting phishing attacks, were found to be vulnerable due to the lack of proper authentication measures.

Several hijacked Sitting Duck domains were registered through reputable registrars but were later claimed by cybercriminals at hosting providers with weak verification processes. Which DNS providers can be abused in this way has been documented publicly, for example on GitHub, highlighting the flaws in domain management practices.

In response to these findings, hosting providers like Digital Ocean and Hostinger have expressed intentions to address the issue and implement solutions to prevent further attacks on Sitting Duck domains. However, the ongoing vulnerabilities in the global DNS management system suggest a need for greater cooperation among stakeholders to mitigate the risks faced by domain registrants and Internet users.

As cyber threats continue to evolve, the need for long-term solutions to secure the DNS infrastructure becomes increasingly critical. Government agencies, regulators, and standards bodies are urged to collaborate on addressing vulnerabilities in DNS management to safeguard the integrity of the Internet and protect users from malicious exploitation.
