
Who Knew? Domain Hijacking Is So Easy

ID: 4f4832b0-664a-505c-b839-6a76ae6f76fc

STIX ID: report--4f4832b0-664a-505c-b839-6a76ae6f76fc

Feed Name: Infoblox Threat Intel Blog

Threat Score: 75/100

Date Published: 2024-07-31

Date Updated: 2026-04-28

Author: Infoblox Threat Intel


Researchers at Infoblox and Eclypsium describe the "Sitting Ducks" attack: a DNS hijacking technique that abuses lame name server delegations and exploitable authoritative DNS or hosting providers to claim and operate legitimately registered domains without accessing the domain owner’s registrar account. The report documents active abuse by multiple Russian-nexus cybercriminal actors and TDS operators (35k+ hijacked domains observed since 2018, with over a million exploitable domains estimated), outlines observed malicious uses (phishing, malware delivery, C2, spam, scams), and provides actionable mitigation guidance for domain owners, registrars, DNS providers, and regulators.
