In November 2024, threat researchers at Infoblox reported on one of the largest domain hijacking campaigns in recent history. The technique, dubbed “Sitting Ducks,” had been used to take over approximately 70,000 legitimate domains belonging to well-known brands, non-profits, and government entities. A compromise on that scale is a stark reminder that domain hijacking prevention must be a cornerstone of every organization’s cybersecurity strategy.
The scale of the Sitting Ducks campaign exposes a critical weakness that attackers have been exploiting since 2018, yet one that remains largely unknown to many domain owners. Understanding how this attack succeeded, and more importantly how it could have been prevented, is essential for protecting your digital assets in an increasingly hostile cyber landscape.
The Sitting Ducks Attack: A Wake-Up Call for Domain Security
The Sitting Ducks attack is a particularly insidious form of domain hijacking that exploits DNS misconfiguration rather than stolen credentials. Unlike traditional methods that require compromising a registrar account, a Sitting Ducks attack takes advantage of a lame delegation: the registrar delegates the domain to a third-party DNS provider’s authoritative name servers, but no zone for the domain exists at that provider any more (typically because the owner migrated providers, let a DNS hosting subscription lapse, or deleted the zone without updating the delegation). If the provider lets a new customer claim the zone without verifying ownership of the domain, the attacker simply creates an account, adds the zone, and immediately controls every record those name servers serve.
According to Infoblox’s research, cybercriminals identified nearly 800,000 vulnerable registered domains over a three-month period, successfully hijacking approximately 9% of them. The victims included an entertainment company, IPTV service providers, law firms, medical suppliers, and retail businesses across multiple countries.
What makes this attack particularly dangerous is its stealth. Dr. Renee Burton, Vice President of Threat Intelligence at Infoblox, explained that “it is hard to detect because if the domain has been hijacked, then it is not lame. Without any other sign, like a phishing page or a piece of malware, the only signal is a change of IP addresses.”
The hijacked domains were used for various malicious purposes, including phishing campaigns mimicking DHL shipping pages, investment fraud schemes distributed through Facebook ads, and command-and-control infrastructure for malware operations. Some threat actors, such as Vacant Viper and Horrid Hawk, have been exploiting this technique for years, rotating through hijacked domains every 30 to 60 days to avoid detection.
Understanding Domain Hijacking: Beyond Sitting Ducks
While the Sitting Ducks campaign represents a specific attack vector, domain hijacking encompasses various methods that cybercriminals use to gain unauthorized control over domain names. Domain hijacking occurs when attackers gain control of a domain name without the owner’s permission, typically by compromising registrar accounts, exploiting DNS misconfigurations, or taking advantage of expired domains.
Traditional domain hijacking methods include social engineering attacks against registrar support staff, credential stuffing attacks using leaked passwords, and exploiting weak authentication mechanisms. However, the Sitting Ducks technique demonstrates how attackers are evolving their methods to exploit infrastructure-level vulnerabilities that many organizations don’t even realize exist.
The consequences of successful domain hijacking extend far beyond temporary website downtime. Attackers can redirect email traffic to capture sensitive communications, obtain valid TLS certificates for the domain (domain-validated issuance only checks control of DNS or HTTP, which the hijacker now has), host phishing sites that damage brand reputation, distribute malware to unsuspecting visitors, and even sell access to the hijacked domain to other cybercriminals.
Essential Domain Hijacking Prevention Strategies
Protecting your domains from hijacking requires a multi-layered approach that addresses both technical vulnerabilities and operational security practices. The following strategies form the foundation of effective domain hijacking prevention:
1. Choose a Security-Focused Registrar
Your domain registrar serves as the first line of defense against hijacking attempts. Not all registrars offer the same level of security, and choosing the wrong provider can leave your domains vulnerable to attack. Look for registrars that provide robust security features including multi-factor authentication, registry locks, comprehensive monitoring, and experienced security teams.
Avoid registrars that prioritize low prices over security features, as the cost of recovering from a domain hijacking incident far exceeds any savings from budget providers. Premium registrars with strong security track records may cost more upfront but provide essential protections that can prevent devastating attacks.
2. Implement Registry Locks
Registry locks are one of the most effective technical controls against unauthorized domain transfers and delegation changes. The lock is applied at the registry rather than the registrar, so the domain’s name servers cannot be changed and the domain cannot be transferred or deleted until the lock is lifted through a multi-step, out-of-band verification process that typically includes verbal confirmation with pre-authorized contacts. Note that a registry lock protects the delegation, not the records inside the zone: it stops an attacker who has phished a registrar account from repointing your name servers, but it does nothing about a lame delegation that already points at a provider the attacker can claim.
While registry locks provide excellent security, they do require advance planning for legitimate changes. Organizations must balance security with operational flexibility, ensuring they can still make necessary DNS updates while maintaining protection against unauthorized modifications.
3. Secure DNS Configurations
The Sitting Ducks attack specifically exploited DNS misconfigurations, making proper DNS management crucial for domain security. Ensure that every name server in your domain’s delegation is one you control or one operated by a trusted provider at which the zone actually exists. Audit delegations regularly: for each domain, query each delegated name server directly (with recursion disabled) for the zone’s SOA record and confirm that it answers authoritatively. A REFUSED, SERVFAIL, NXDOMAIN, timeout or non-authoritative answer is a lame delegation and, at a provider that does not verify ownership, is exactly the condition Sitting Ducks exploits. Pay particular attention after migrating DNS providers, cancelling a DNS hosting subscription, or decommissioning a subdomain, since those are the moments when delegations are most often left pointing at a zone that no longer exists.
Implement DNS Security Extensions (DNSSEC) to cryptographically sign your DNS records so that validating resolvers reject forged or tampered responses. DNSSEC requires ongoing key management, and its protection against Sitting Ducks is partial: it does not stop an attacker from claiming a lame zone at the provider, but if a DS record for your key is published in the parent zone, a zone the attacker re-creates and signs with a different key (or leaves unsigned) fails validation at resolvers that validate, turning a silent hijack into a visible outage. Resolvers that do not validate will still accept the attacker’s records.
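The delegation audit described above, as an added example that is not code from Infoblox or from this article. It asks each delegated name server for the zone’s SOA and classifies the reply as healthy or lame. The query function is injected so the logic runs offline against constructed replies; the zone `victim.example` and the name servers `ns1.gooddns.example`, `ns1.olddns.example` and so on are made up. In production, `sample_query` would be replaced by a real SOA query sent directly to each name server with recursion disabled (for example with dnspython, or by parsing `dig +norecurse @<ns> SOA <zone>`).

```python
"""Audit a domain's delegation for lame name servers (added example).

For every name server the parent delegates to, ask it for the zone's SOA
and require an authoritative NOERROR answer. Anything else is lame and,
at a provider that does not verify ownership, is the Sitting Ducks
precondition. The query function is injected so this runs offline.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class SoaReply:
    """Minimal view of a DNS reply to an SOA query."""
    rcode: str            # "NOERROR", "REFUSED", "SERVFAIL", "NXDOMAIN", ...
    authoritative: bool   # AA flag set in the header
    has_soa: bool         # answer section contained an SOA record


# Hypothetical query signature: (name_server_host, zone) -> reply, None on timeout.
QueryFn = Callable[[str, str], Optional[SoaReply]]


def classify_ns(reply: Optional[SoaReply]) -> str:
    """Return "healthy" or a "lame:<reason>" string for one name server."""
    if reply is None:
        return "lame:timeout"
    if reply.rcode != "NOERROR":
        return f"lame:{reply.rcode.lower()}"
    if not reply.authoritative:
        # Answered, but did not claim authority: a recursive resolver, or a
        # provider host that no longer hosts this zone.
        return "lame:not-authoritative"
    if not reply.has_soa:
        return "lame:no-soa"
    return "healthy"


def audit_delegation(zone: str, delegated_ns: list, query: QueryFn) -> dict:
    """Check every delegated name server and summarise the exposure.

    'exposed' is True when at least one delegated server is lame; a single
    claimable server is enough for an attacker to receive real traffic.
    """
    results = {ns: classify_ns(query(ns, zone)) for ns in delegated_ns}
    lame = sorted(ns for ns, state in results.items() if state != "healthy")
    return {
        "zone": zone,
        "per_ns": results,
        "lame_ns": lame,
        "exposed": bool(lame),
        "fully_lame": len(lame) == len(delegated_ns),
    }


# Constructed sample: the zone was migrated to gooddns.example, but the old
# provider's servers were left in the delegation and no longer serve it.
SAMPLE_REPLIES = {
    ("ns1.gooddns.example", "victim.example"): SoaReply("NOERROR", True, True),
    ("ns2.gooddns.example", "victim.example"): SoaReply("NOERROR", True, True),
    ("ns1.olddns.example", "victim.example"): SoaReply("REFUSED", False, False),
    ("ns2.olddns.example", "victim.example"): None,  # no answer at all
}


def sample_query(ns: str, zone: str) -> Optional[SoaReply]:
    """Stand-in for a real SOA query; returns the constructed replies above."""
    return SAMPLE_REPLIES.get((ns, zone))


def audit_sample() -> dict:
    """Run the audit over the constructed delegation."""
    return audit_delegation(
        "victim.example",
        ["ns1.gooddns.example", "ns2.gooddns.example",
         "ns1.olddns.example", "ns2.olddns.example"],
        sample_query,
    )


if __name__ == "__main__":
    report = audit_sample()
    for ns, state in report["per_ns"].items():
        print(f"{ns:24} {state}")
    print("exposed:", report["exposed"], "| fully lame:", report["fully_lame"])
```

The audit deliberately flags a partially lame delegation as exposed: resolvers pick among all delegated servers, so an attacker who claims the zone at the stale provider still receives a share of real queries even though the other servers answer correctly. Fixing it means removing the stale name servers from the delegation at the registrar, not just adding good ones.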
4. Enable Comprehensive Monitoring
Early detection is crucial for minimizing the impact of domain hijacking attempts. Implement monitoring that tracks changes to domain registrations, DNS configurations, and TLS certificates. Many successful hijacks unfold over multiple steps, and detecting suspicious activity early can prevent full compromise.
Monitor for unauthorized login attempts, changes to registrant or contact information, name server and DNS record modifications, and new certificate issuances for your domains (Certificate Transparency logs make the last of these observable for any domain, including ones you do not administer). Set up alerts through multiple channels so that critical notifications reach the appropriate personnel even if a primary communication method, such as email on the affected domain, is itself compromised.
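A snapshot-diff monitor for the changes listed above, as an added example that is not code from this article or any vendor. The snapshots are constructed: they model a quiet hijack in which nothing changes at the registrar, the apex A record moves to a new address, and one new certificate for the domain appears, which is the “only signal is a change of IP addresses” situation described earlier. The domain, addresses and fingerprints are made up. A real deployment would populate `Snapshot` from RDAP/WHOIS, direct queries to the delegated name servers, and Certificate Transparency logs, and run the diff on a schedule.

```python
"""Diff periodic snapshots of a domain's registration, DNS and certificate
state and raise graded alerts (added example, constructed data).
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    registrar_ns: frozenset        # name servers recorded at the registrar
    registrant_email: str          # registrant contact from RDAP/WHOIS
    a_records: frozenset           # A records for the zone apex
    mx_records: frozenset          # MX records ("pref host.")
    cert_fingerprints: frozenset   # leaf certs seen in CT logs for the domain


@dataclass(frozen=True)
class Alert:
    severity: str                  # "critical" | "high" | "medium"
    message: str


def diff_snapshots(old: Snapshot, new: Snapshot) -> list:
    """Compare two snapshots and return alerts, most severe first."""
    alerts = []
    registrar_side_changed = False

    # Registrar-side changes: the classic hijack path (stolen account, transfer).
    if old.registrar_ns != new.registrar_ns:
        registrar_side_changed = True
        alerts.append(Alert("critical",
            f"delegation changed: {sorted(old.registrar_ns)} -> {sorted(new.registrar_ns)}"))
    if old.registrant_email != new.registrant_email:
        registrar_side_changed = True
        alerts.append(Alert("critical",
            f"registrant contact changed: {old.registrant_email} -> {new.registrant_email}"))

    # Zone-content changes: mail interception and traffic redirection.
    if old.mx_records != new.mx_records:
        alerts.append(Alert("high",
            f"MX changed: {sorted(old.mx_records)} -> {sorted(new.mx_records)} (mail may be intercepted)"))
    if old.a_records != new.a_records:
        msg = f"apex A records changed: {sorted(old.a_records)} -> {sorted(new.a_records)}"
        if not registrar_side_changed:
            # Nothing moved at the registrar, so the change happened at the
            # DNS provider: the Sitting Ducks signature. Check for a lame delegation.
            msg += "; no change at the registrar, consistent with a takeover at the DNS provider"
        alerts.append(Alert("high", msg))

    # New certificates: an attacker with DNS control can pass domain validation.
    new_certs = new.cert_fingerprints - old.cert_fingerprints
    if new_certs:
        alerts.append(Alert("medium",
            f"{len(new_certs)} new certificate(s) in CT logs: {sorted(new_certs)}"))
    return alerts


def sample_alerts() -> list:
    """Constructed quiet hijack: registrar untouched, apex repointed, new cert."""
    baseline = Snapshot(
        registrar_ns=frozenset({"ns1.dnshost.example", "ns2.dnshost.example"}),
        registrant_email="hostmaster@victim.example",
        a_records=frozenset({"203.0.113.10"}),
        mx_records=frozenset({"10 mail.victim.example."}),
        cert_fingerprints=frozenset({"sha256:0a0a0a0a"}),
    )
    current = Snapshot(
        registrar_ns=baseline.registrar_ns,          # nothing changed at the registrar
        registrant_email=baseline.registrant_email,
        a_records=frozenset({"198.51.100.77"}),      # apex now points elsewhere
        mx_records=baseline.mx_records,
        cert_fingerprints=baseline.cert_fingerprints | {"sha256:1b1b1b1b"},
    )
    return diff_snapshots(baseline, current)


if __name__ == "__main__":
    for alert in sample_alerts():
        print(f"[{alert.severity.upper()}] {alert.message}")
```

Severity is graded by what the change lets an attacker do next: a name server or registrant change is a full loss of control, MX and A changes are live interception or redirection, and a new certificate is corroborating evidence. The A-record alert carries the registrar-side context so that the on-call responder knows whether to start at the registrar or at the DNS provider.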
5. Maintain Strong Authentication
Multi-factor authentication (MFA) should be mandatory for all domain management accounts, but not all MFA methods provide equal security. Avoid SMS-based codes where possible: SIM swapping attacks, long used against cryptocurrency holders and other high-value targets, let an attacker receive those codes on a phone they control. Prefer phishing-resistant hardware security keys (FIDO2/WebAuthn), or at minimum an authenticator app.
Regularly review and update access controls for domain management systems, ensuring that only authorized personnel have administrative access and that former employees’ access is promptly revoked.
6. Proactive Credential Monitoring
Sitting Ducks needs no stolen credentials, but most traditional hijacks do: attackers routinely replay passwords obtained through data breaches or infostealer logs against registrar and DNS provider accounts. Implement proactive credential monitoring to identify when employee credentials appear in breach databases or dark web marketplaces.
This monitoring should extend beyond just domain management accounts to include any credentials that could be used in social engineering attacks against registrar support staff or DNS providers.
Building a Comprehensive Domain Security Program
Effective domain hijacking prevention requires more than just implementing individual security controls—it demands a comprehensive approach that integrates domain security into your broader cybersecurity strategy. Organizations should develop formal domain security policies that define roles and responsibilities, establish change management procedures, and create incident response plans specifically for domain-related security events.
Regular security assessments should include domain security reviews, testing of monitoring systems, and validation of recovery procedures. Many organizations discover domain security gaps only after experiencing an incident, making proactive assessments essential for identifying and addressing vulnerabilities before they can be exploited.
Employee training plays a crucial role in domain security, as social engineering attacks often target staff members who may not understand the critical importance of domain security. Ensure that employees understand how to recognize and report suspicious communications related to domain management, and establish clear procedures for verifying the authenticity of requests for domain changes.
Conclusion: Learning from the Sitting Ducks Campaign
The massive Sitting Ducks campaign that compromised 70,000 domains serves as a powerful reminder that domain hijacking remains a critical threat to organizations of all sizes. The attack’s success demonstrates how cybercriminals continue to evolve their techniques, exploiting infrastructure-level vulnerabilities that many organizations don’t even realize exist.
However, the campaign also highlights that effective domain hijacking prevention is achievable through proper security controls and operational practices. Organizations that implement registry locks, maintain secure DNS configurations, choose security-focused registrars, and establish comprehensive monitoring can significantly reduce their risk of falling victim to domain hijacking attacks.
The key lesson from the Sitting Ducks campaign is that domain security cannot be treated as an afterthought or delegated to the cheapest available provider. Your domains represent critical business assets that require the same level of protection as other valuable infrastructure components.
Don’t wait for your organization to become the next victim of a domain hijacking campaign. DomainSure specializes in protecting organizations from domain-based threats through comprehensive security services, proactive monitoring, and expert guidance. Contact us today to assess your domain security posture and implement the protections needed to safeguard your digital assets from sophisticated attacks like Sitting Ducks.
References:
- Infoblox Threat Intelligence. “Sitting Ducks: How Threat Actors Hijack Domains.” November 2024.
- The Hacker News. “Experts Uncover 70,000 Hijacked Domains in Widespread ‘Sitting Ducks’ Attack Scheme.” November 14, 2024.
- SecurityScorecard. “Top Strategies for Preventing Domain Hijacking.” June 2025.
- Cloudflare Learning Center. “What is domain name hijacking?” 2024.