How push notifications work | Image: Infoblox
Researchers at Infoblox have peeled back the curtain on a massive, deceptive push notification network, revealing how poor DNS hygiene and “Sitting Ducks” vulnerabilities are fueling a global ecosystem of scam advertising. In a new report, the team details how they hijacked the hijacker—taking control of abandoned domains to eavesdrop on millions of malicious notifications.
The investigation began with a vulnerability known as a “Sitting Ducks” attack, where threat actors claim ownership of domains that have been abandoned by their owners but still have active DNS delegations. Infoblox researchers discovered that a major push notification actor had left numerous domains vulnerable to this exact flaw.
“We used a DNS technique to take control of a domain abandoned by the threat actor by simply claiming it at the DNS provider… This wasn’t an adversary in the middle (AiTM) operation; we had a seat ‘on the side’ of the threat actor’s operations.”
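The precondition the report describes is a domain whose parent zone still delegates to a DNS provider that no longer serves it (a lame delegation). The audit below is an added example, not Infoblox code, and works on constructed query results rather than live DNS: given the NS set seen at the parent and the answer each listed nameserver gave for the zone's SOA, it flags domains whose delegation is entirely lame. All domain and nameserver names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Outcome of asking one delegated nameserver for the zone's SOA record.
AUTHORITATIVE = "AA"       # answered with the AA bit set: the provider hosts the zone
REFUSED = "REFUSED"        # the provider no longer has (or never had) the zone
SERVFAIL = "SERVFAIL"
TIMEOUT = "TIMEOUT"

@dataclass
class DelegationReport:
    domain: str
    verdict: str                       # healthy | partially-lame | exposed | undelegated
    lame_servers: List[str] = field(default_factory=list)

def audit_delegation(domain: str, parent_ns: List[str],
                     soa_responses: Dict[str, str]) -> DelegationReport:
    """Classify a domain's delegation from the NS records seen at the parent
    zone and the response each listed nameserver gave for the zone's SOA."""
    if not parent_ns:
        return DelegationReport(domain, "undelegated")
    lame = [ns for ns in parent_ns
            if soa_responses.get(ns, TIMEOUT) != AUTHORITATIVE]
    if len(lame) == len(parent_ns):
        # Every delegated server is lame: the registrar still points at a provider
        # that no longer serves the zone. Whether it can actually be claimed there
        # depends on the provider's account checks, which this audit cannot see.
        return DelegationReport(domain, "exposed", lame)
    if lame:
        return DelegationReport(domain, "partially-lame", lame)
    return DelegationReport(domain, "healthy")

def find_exposed(inventory: Dict[str, tuple]) -> List[str]:
    """Return the domains in an inventory whose delegation is fully lame."""
    return sorted(d for d, (ns, resp) in inventory.items()
                  if audit_delegation(d, ns, resp).verdict == "exposed")

# Constructed sample inventory (hypothetical domains and nameserver names).
SAMPLE_INVENTORY = {
    "healthy.example":   (["ns1.dns-host.example", "ns2.dns-host.example"],
                          {"ns1.dns-host.example": AUTHORITATIVE,
                           "ns2.dns-host.example": AUTHORITATIVE}),
    "abandoned.example": (["ns1.dns-host.example", "ns2.dns-host.example"],
                          {"ns1.dns-host.example": REFUSED,
                           "ns2.dns-host.example": REFUSED}),
    "half.example":      (["ns1.dns-host.example", "ns9.other.example"],
                          {"ns1.dns-host.example": AUTHORITATIVE}),
    "dropped.example":   ([], {}),
}

if __name__ == "__main__":
    for name in SAMPLE_INVENTORY:
        print(audit_delegation(name, *SAMPLE_INVENTORY[name]))
```

An "exposed" verdict is the cue to either remove the stale NS records at the registrar or re-create the zone at the provider; a "partially-lame" one still resolves but degrades and should be cleaned up the same way.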
By registering these neglected domains, the researchers were able to passively receive a flood of traffic from victim devices that were still trying to connect to the actor’s infrastructure. “Within a day, we’d increased our collection from one domain to nearly 120,” the report states. “Thousands of victim devices were connecting to our server and creating 30MB per second of logs.”
The data collected over a two-week period—comprising over 57 million logs—painted a picture of a sprawling, automated operation designed to bombard users with deceptive lures. Victims, primarily Android Chrome users, were subjected to an average of 140 notifications per day.
The campaigns were global, with messages in over 60 languages, but the targeting was heavily skewed toward South Asia. “Bangladesh, India, Indonesia, and Pakistan represented 50% of all the traffic,” according to the analysis.
The content of these notifications was aggressively deceptive, leveraging fear, greed, and “clickbait” to trick users.
“The notifications thematically use deception, fear, and hope to entice users to click on the link. They include impersonation of legitimate financial services like Bradesco, Sparkasse, Recibiste, MasterCard, Touch ‘n Go, and GCash.”
Other lures were more predatory, including fake virus alerts (“Your device has been hacked”), fabricated news scandals involving public figures like Elon Musk, and links to adult content scam sites.
Despite the sheer volume of spam, the operation’s profitability appeared surprisingly low. The researchers estimated the actor was earning only about $350 per day from the observed traffic.
The click-through rates (CTR) were abysmal, with an average of just 1 in 60,000. “The goal isn’t to target ads to the people who will be the more likely to engage with them; the goal is to try to trick people… and make it look like traffic on the advertiser’s website is increasing,” the report suggests.
While the research highlights the shady world of affiliate scam advertising, it also serves as a stark warning about infrastructure management. The “Sitting Ducks” vulnerability remains a potent tool for attackers, allowing them to hijack legitimate reputation for malicious ends.
“While we ‘rescued’ the malicious domains, other bad actors are using the same technique to grab dormant domains from legitimate organizations every day.”
The researchers emphasized that this isn’t just a problem for scammers; legitimate organizations are equally at risk if they fail to clean up their DNS records. “Technically, DNS hygiene is the responsibility of the domain owner,” the report concludes. “It’s more like someone dropped their toy on the sidewalk, and someone else picked it up. Whose fault is that?”