Researchers Infiltrate Hacker Network via DNS Misconfiguration
In a recent investigation, security researchers uncovered a deceptive push-notification campaign that abused browser notifications to flood Android users with fake security alerts, gambling promotions, and adult content. The operators hid behind seemingly random domains and concealed hosting to obscure their identities while keeping a steady stream of clicks and advertising revenue flowing.
The operation's weak point surfaced when one of its domains stopped resolving while notifications kept arriving. The two are independent: Web Push messages are delivered through the browser vendor's push service rather than through the campaign domain, so the notifications still appeared, but clicking one sent the browser to the campaign domain, which now produced an error page instead of a landing page. The cause was a lame delegation: the parent zone still delegated the domain to the name servers of a DNS hosting provider, but that provider no longer served a zone for it, so its servers refused or failed every query and the domain had no valid backend.
Researchers at Infoblox spotted this gap and recognised that the threat actors had, in effect, given up control of the domain's DNS while devices worldwide were still trying to reach it. By legitimately claiming the zone at the same DNS provider the attackers had abandoned, the team pointed the domain at infrastructure under their own management, without altering the victims' devices or the attackers' servers.
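The lame-delegation state described above can be checked from the outside by asking each name server the parent delegates to for the zone's SOA record: a server that really hosts the zone answers, one that does not refuses or fails. The example below is added here and is not Infoblox's tooling. `classifyDelegation()` is pure and works on per-server results, so it runs offline; `probeDelegation()` gathers those results live with Node's `dns` module. The server names, domain names and answers in the sample data are constructed.

```javascript
// Added example (not code from Infoblox or from the campaign): classify a
// domain's delegation as healthy, partially lame or lame from what each
// delegated name server answers for the zone's SOA.
//
// results maps a name server to either { soa: {...} } (it answered an SOA for
// the zone) or { error: <Node dns error code> } (REFUSED, SERVFAIL, NXDOMAIN,
// timeout ...). Node's dns module does not expose the AA flag, so "answered an
// SOA" is used as the proxy for "serves the zone"; provider authoritative
// servers normally have recursion disabled, which keeps that proxy honest.
function classifyDelegation(domain, results) {
  const servers = Object.keys(results);
  const serving = servers.filter(
    (ns) => results[ns].soa && typeof results[ns].soa.serial === 'number',
  );
  const notServing = servers.filter((ns) => !serving.includes(ns));
  let status;
  if (servers.length === 0) status = 'no-nameservers';
  else if (notServing.length === 0) status = 'healthy';
  else if (serving.length === 0) status = 'lame'; // nobody serves the zone
  else status = 'partially-lame'; // some servers serve it, some do not
  return {
    domain,
    status,
    serving,
    lame: notServing,
    errors: Object.fromEntries(
      notServing.map((ns) => [ns, results[ns].error || 'no SOA in answer']),
    ),
  };
}

// Live probe. Uses the NS set the local recursive resolver returns unless an
// explicit list is passed; for a fully lame domain that recursive lookup may
// itself fail with SERVFAIL, so pass the names taken from the registrar's
// whois output or from `dig +trace` in that case.
async function probeDelegation(domain, nsNames) {
  // required lazily so classifyDelegation() can be used without the dns module
  const dns = require('node:dns').promises;
  const names = nsNames || (await dns.resolveNs(domain));
  const results = {};
  for (const ns of names) {
    try {
      const [ip] = await dns.resolve4(ns);
      const resolver = new dns.Resolver({ timeout: 3000, tries: 2 });
      resolver.setServers([ip]); // ask this delegated server directly
      results[ns] = { soa: await resolver.resolveSoa(domain) };
    } catch (err) {
      results[ns] = { error: err.code || String(err) };
    }
  }
  return classifyDelegation(domain, results);
}

// Constructed sample results. SAMPLE_LAME is what the campaign domain would
// have looked like: the parent still lists two provider name servers, but the
// provider no longer hosts the zone, so both refuse the query.
const SAMPLE_SOA = {
  nsname: 'ns1.dns-provider.example',
  hostmaster: 'hostmaster.dns-provider.example',
  serial: 2024010101,
  refresh: 3600,
  retry: 600,
  expire: 604800,
  minttl: 300,
};
const SAMPLE_LAME = {
  'ns1.dns-provider.example': { error: 'EREFUSED' },
  'ns2.dns-provider.example': { error: 'EREFUSED' },
};
const SAMPLE_HEALTHY = {
  'ns1.dns-provider.example': { soa: SAMPLE_SOA },
  'ns2.dns-provider.example': { soa: SAMPLE_SOA },
};
```

A `lame` verdict where every listed server belongs to one hosted DNS provider is the interesting case: if that provider lets any account add the zone, the domain can be claimed by whoever registers it there first, which is exactly how the Infoblox team took it over and how a less well-intentioned party could hijack it. Run `probeDelegation('your-domain.example')` for your own zones after changing DNS providers, since the same state arises whenever NS records at the registrar outlive the zone at the provider.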
This put the researchers in a position to receive every push-related request and tracking beacon that the campaign's browsers sent to the domain, giving a live view into the operation. Over the following days, thousands of infected browsers from around the world checked in with the researchers' server, and each request carried detailed JSON records describing the device, its language, the lure text shown, and how the user had reacted to it.
In total, the team captured tens of millions of records, revealing aggressive tactics such as brand impersonation and scare messaging designed to provoke clicks. The logs showed that a typical user could receive more than one hundred notifications per day, often for extended periods.
Infection Mechanism: From Initial Click to Persistent Control
Infection began when a user visited a compromised or dubious website that asked for permission to show notifications, often blending the prompt with cookie-consent banners and CAPTCHA verifications so that the click looked routine.
Once the user granted permission, the site registered a service worker in the browser and created a push subscription. The service worker acted as a background agent that kept the subscription alive, checked in with the attackers' push server, fetched updated scripts, and pulled down scam or advertising templates. Because the browser starts the service worker itself whenever a push message arrives, the notifications kept coming after the user closed the tab; the site only ever needed to be open once, at enrolment.
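The mechanism just described rests on two service-worker events: `push`, which the browser fires when the vendor's push service delivers a message (with no tab open), and `notificationclick`, which is the first point at which the campaign domain has to resolve. The following is an added example written to illustrate that shape; it is not code from the campaign or from Infoblox. The handlers are attached to an explicit scope object so the same code runs inside a real worker script as `installPushWorker(self)` or, as below, under a small fake scope that records what the worker would have shown and opened. The payload field names (`title`, `body`, `url`) and the sample message are assumptions.

```javascript
// Added example (not the campaign's or Infoblox's code): the shape of a Web
// Push service worker and why notifications keep flowing even when the
// campaign domain is broken.

function installPushWorker(scope) {
  // 'push' fires when the browser vendor's push service delivers a message for
  // this subscription. The browser starts the worker to handle it even when no
  // tab for the site is open; that is the persistence the campaign relies on,
  // and nothing here touches the site's own domain.
  scope.addEventListener('push', (event) => {
    let payload = {};
    try {
      if (event.data) payload = event.data.json();
    } catch (e) {
      // malformed payload: an aggressive campaign still shows something
    }
    const title = payload.title || 'Security alert';
    const options = {
      body: payload.body || '',
      // where a click should lead; defaults to the worker's own origin
      data: { url: payload.url || scope.location.origin },
    };
    event.waitUntil(scope.registration.showNotification(title, options));
  });

  // 'notificationclick' navigates to the landing page. This is the first step
  // that needs the campaign domain to resolve: with a lame delegation the
  // notification above is still delivered, but this navigation ends in an
  // error page, which is the symptom the researchers noticed.
  scope.addEventListener('notificationclick', (event) => {
    event.notification.close();
    const target = event.notification.data && event.notification.data.url;
    event.waitUntil(scope.clients.openWindow(target));
  });
}

// Minimal stand-in for the parts of ServiceWorkerGlobalScope the worker uses,
// so the handlers can be exercised outside a browser.
function makeFakeScope(origin) {
  const listeners = {};
  const scope = {
    location: { origin },
    shown: [], // notifications the worker asked to display
    opened: [], // URLs the worker asked to open on click
    addEventListener(type, fn) {
      (listeners[type] = listeners[type] || []).push(fn);
    },
    dispatch(type, event) {
      for (const fn of listeners[type] || []) fn(event);
    },
    registration: {
      showNotification(title, options) {
        scope.shown.push({ title, ...options });
        return Promise.resolve();
      },
    },
    clients: {
      openWindow(url) {
        scope.opened.push(url);
        return Promise.resolve();
      },
    },
  };
  return scope;
}

// Deliver one push payload to the worker, then simulate the user clicking
// each notification it produced.
function simulateMessage(origin, payloadJson) {
  const scope = makeFakeScope(origin);
  installPushWorker(scope);
  scope.dispatch('push', {
    data: { json: () => JSON.parse(payloadJson) },
    waitUntil() {},
  });
  for (const n of scope.shown) {
    scope.dispatch('notificationclick', {
      notification: { data: n.data, close() {} },
      waitUntil() {},
    });
  }
  return { shown: scope.shown, opened: scope.opened };
}

// Constructed sample payload of the scare-lure kind the campaign used.
const SAMPLE_PAYLOAD = JSON.stringify({
  title: 'Your device is infected!',
  body: 'Tap to remove 3 viruses',
  url: 'https://example.invalid/landing?c=42',
});
```

For a defender the useful part is the asymmetry: blocking or sinkholing the domain stops the landing pages and the check-ins, but not the notifications already queued at the push service, so cleaning an affected browser means revoking the notification permission for the site and unregistering its service worker (both visible under the browser's site settings and its service-worker internals page).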
This approach gave the attackers persistent reach without dropping a traditional malware file, relying instead on standard web platform features: the notification permission, service workers, and Web Push. What undid them was their own weak DNS configuration. When the lame delegation exposed an abandoned domain, defenders used the same infrastructure to monitor the campaign rather than to propagate it.