Tens of thousands of domains, including those of well-known brands, non-profits, and government entities, have been hijacked over the past five years because DNS providers failed to properly verify domain ownership, cybersecurity firm Infoblox reports.
The issue was initially disclosed in late July, when Eclypsium and Infoblox said that roughly 35,000 domains had been hijacked since 2018 by abusing the weakness as part of so-called Sitting Ducks attacks.
However, that was just the tip of the iceberg, Infoblox says in a new report. Further investigation into this configuration-oriented attack vector has revealed that at least 800,000 domains could be hijacked, and that 70,000 have already fallen victim to attackers.
“We know these numbers do not accurately reflect the attack surface: they are derived from a limited monitoring system. The challenge with a Sitting Ducks attack is that it is easy to perform and very hard to detect,” Infoblox warns in a new report (PDF).
Incorrect configurations at the domain registrar, combined with insufficient safeguards at the DNS provider, open the door to several variants of Sitting Ducks, including name server delegation, lame delegation, and exploitable DNS providers.
The issue, Infoblox underlines, is nearly a decade old. It was uncovered two years before being exploited in 2018 to hijack thousands of websites, but remains largely unknown, allowing threat actors to abuse it without being detected.
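As an added illustration (not code from Infoblox's report or from this article), the following Python check lets a domain owner probe the name servers their registrar delegates to and flag the lame-delegation state the report describes: a delegated server that refuses, fails or answers non-authoritatively for the zone. The server names and reply codes in the sample data are constructed.

```python
import socket
import struct

AA_BIT = 0x0400  # "authoritative answer" flag in the DNS header
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_soa_query(domain, txid=0x1234):
    # Minimal DNS query for the SOA of `domain` (QTYPE 6, class IN), RD set, one question.
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = domain.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 6, 1)


def parse_header(resp):
    # Pull the rcode, the AA flag and the answer count out of a raw DNS reply.
    _txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    return {"rcode": flags & 0x0F, "aa": bool(flags & AA_BIT), "answers": an}


def assess_delegation(domain, probes):
    """probes maps each delegated name server to parse_header() of its SOA reply,
    or None if it never answered. The delegation is lame (the Sitting Ducks
    precondition) when no delegated server answers authoritatively for the zone."""
    findings = {}
    for ns, h in probes.items():
        if h is None:
            findings[ns] = "no answer"
        elif h["rcode"] != 0:
            findings[ns] = RCODE_NAMES.get(h["rcode"], f"rcode {h['rcode']}")
        elif not h["aa"]:
            findings[ns] = "answered but not authoritative"
    healthy = len(probes) - len(findings)
    return {"domain": domain, "lame": healthy == 0, "healthy": healthy, "findings": findings}


def probe(ns_ip, domain, timeout=3.0):
    # Send the SOA query to one delegated server over UDP/53; None on timeout.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_soa_query(domain), (ns_ip, 53))
        try:
            return parse_header(s.recv(512))
        except socket.timeout:
            return None


# Constructed sample: both provider servers REFUSE the zone (lame) next to a healthy pair.
SAMPLE_LAME = {"ns1.provider.example": {"rcode": 5, "aa": False, "answers": 0},
               "ns2.provider.example": {"rcode": 5, "aa": False, "answers": 0}}
SAMPLE_OK = {"ns1.provider.example": {"rcode": 0, "aa": True, "answers": 1},
             "ns2.provider.example": {"rcode": 0, "aa": True, "answers": 1}}
```

To run it against a real domain, resolve each delegated name server to an IP, call `probe()` for each, and pass the results to `assess_delegation()`; a delegation with zero healthy servers should be corrected at the registrar or claimed at the provider immediately.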
The cybersecurity firm has identified over a dozen independent actors mounting Sitting Ducks attacks, starting with the cybercrime group operating the 404 TDS (traffic distribution system), which Infoblox tracks as Vacant Viper.
The threat actor is estimated to have hijacked roughly 2,500 domains per year since December 2019, abusing them for nefarious operations such as spam and malware delivery, or using them as RAT command-and-control (C&C) servers.
Another group, tracked as Vextrio Viper, has been hijacking domains since 2020 to augment its TDS infrastructure in support of one of the largest known cybercriminal affiliate programs.
Infoblox also mentions Hasty Hawk and Horrid Hawk, two threat actors that started employing the Sitting Ducks attack vector in 2022 and 2023, respectively.
Some domains, the cybersecurity firm says, have been hijacked by multiple threat actors over time, while others have been retained by the same group for longer periods of time.
Sitting Ducks poses a threat to both businesses and their users, Infoblox warns. The attacks cause reputational damage and financial losses, and could lead to malware infections, credential theft, and fraud.
“Everyone has a role in stopping Sitting Ducks attacks—from authoritative DNS providers and registrars to government organizations and standards bodies. We need better ways to detect hijackings and mitigate them as quickly as possible. Legitimate domain registrants need to not only maintain their DNS records but be responsive to reports of abuse, as do both registrars and providers,” Infoblox says.