Name Server Delegation Flaw Exposes Hacker Infrastructure

A straightforward DNS error can provide access to criminal infrastructure, as demonstrated by a recent investigation into a fraudulent push-notification network.

The campaign abused browser notifications to bombard Android users with phony security alerts, gambling lures, and adult content. Random-looking domains and covert hosting were used to conceal the operator while keeping the clicks and ad revenue flowing.

Then one domain stopped resolving even though notifications kept arriving: victims received browser errors instead of the intended landing pages.

What looked like an ordinary outage was in fact a lame delegation: because of a misconfigured name server arrangement, the domain's delegation no longer pointed to a valid, working backend.
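The following Python check is an added example, not code from the original report or from Infoblox; it assumes the caller has already looked up the zone's NS names and their addresses from the parent zone. It sends a non-recursive NS query to each delegated server and reports any that do not answer authoritatively, which is the lame-delegation condition described above.

```python
import random
import socket
import struct
from typing import Dict, Optional

AA_FLAG = 0x0400  # "authoritative answer" bit in the DNS header flags

def build_ns_query(zone: str):
    """Build a non-recursive (RD=0) NS query for `zone`; return (txid, packet)."""
    txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", 2, 1)  # QTYPE=NS, QCLASS=IN

def parse_header(packet: bytes, txid: int) -> dict:
    """Extract the AA flag, RCODE and answer count from a raw DNS response."""
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    return {"aa": bool(flags & AA_FLAG), "rcode": flags & 0x000F, "ancount": ancount}

def classify(response: Optional[dict]) -> str:
    """Map one name server's reply to a delegation state."""
    if response is None:
        return "lame: no response"
    if response["rcode"] == 5:  # REFUSED: server does not serve this zone
        return "lame: REFUSED"
    if response["rcode"] != 0:
        return "lame: rcode %d" % response["rcode"]
    if not response["aa"]:
        return "lame: not authoritative"
    return "ok"

def query_server(server_ip: str, zone: str, timeout: float = 2.0) -> Optional[dict]:
    """Send the NS query over UDP; None means timeout or network error."""
    txid, packet = build_ns_query(zone)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(packet, (server_ip, 53))
            data, _ = sock.recvfrom(512)
        except (socket.timeout, OSError):
            return None
    return parse_header(data, txid)

def check_delegation(zone: str, delegated_ns: Dict[str, str]) -> Dict[str, str]:
    """delegated_ns maps each NS hostname from the parent's NS records to its IP."""
    return {ns: classify(query_server(ip, zone)) for ns, ip in delegated_ns.items()}
```

Call `check_delegation(zone, {ns_name: ns_ip, ...})` with the delegation data taken from the parent zone; any value other than "ok" means that name server is lame for the zone and the domain may stop resolving once resolvers hit it.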

Researchers at Infoblox spotted this flaw and found that the threat actor had lost DNS control while devices around the world kept calling home. By lawfully claiming the same domain at the DNS provider, the team redirected that traffic to infrastructure they controlled, without ever touching victim devices or the attacker's servers.

From that point on, the researchers’ server received every push message and tracking request issued by the hacker’s network, providing a real-time view of the activity. Thousands of compromised browsers connected from all over the world during the ensuing days. Rich JSON logs about the device, language, lure text, and click behavior were included in each request.

In total the team collected tens of millions of records, exposing the aggressive use of fear tactics and brand impersonation to drive clicks.

According to the logs, a typical user could receive over 100 notifications per day, often for months. The infection trail began with a visit to a shady or compromised site, where, alongside cookie banners and CAPTCHA prompts, users were shown a browser pop-up asking them to allow notifications.

Once permission was granted, the site registered a custom service worker in the browser to act as a background agent and keep the subscription alive. This service worker pulled scam or ad templates, fetched updated scripts, and checked in regularly with the attacker's push server. It stayed active and kept delivering notifications even after the user closed the tab.

By using web standards and poor DNS hygiene instead of traditional malware files, the attackers were able to maintain their reach over time.

When the lame name server delegation exposed the abandoned domain, defenders used that same plumbing to observe the campaign rather than to spread it.