Eavesdropping on Evil: How a DNS Error Exposed 57 Million Malicious Logs
Who could resist eavesdropping on a conversation that suddenly veers into the unexpectedly intimate? Specialists at Infoblox inadvertently secured such an opportunity when they observed a catastrophic “drift” in the DNS configurations of a massive browser push-notification scheme. This configuration error proved so fortuitous for observation that the researchers’ servers began receiving copies of virtually every notification the system disseminated globally, alongside comprehensive internal telemetry.
The infrastructure in question belongs to a commercial affiliate network that ostensibly “delivers advertising” on behalf of its partners. In practice, however, the content of these missives suggests an industry predicated on deception and intrusive lures. Over a fortnight, investigators harvested more than 57 million log events, encompassing the advertisements themselves, requests to update service code, and user engagements, including clicks.
Intriguingly, access was achieved neither through a breach nor a traditional AiTM (Adversary-in-the-Middle) interception. Instead, the researchers exploited a DNS organizational vulnerability historically designated as “Sitting Ducks.” In essence, a domain is delegated to external DNS servers that are neither cognizant of the domain nor configured to respond correctly. Such “lame delegation” occasionally permits a third party to approach the DNS provider and “claim” the domain by simply supplying the correct records. In this instance, the operator had neglected to update a specific record, an oversight that proved to be systemic across their infrastructure.
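The lame-delegation condition described above is something a domain owner can audit for themselves: take every nameserver the zone is delegated to and ask each one, without recursion, for the zone's SOA record; a server that does not answer authoritatively (AA flag set, rcode NOERROR, at least one answer) does not know the zone and is a candidate for hijack. The following is an added example, not Infoblox's tooling or code from the article; it builds the query in DNS wire format with the standard library only, and the zone name `example.test`, the server names `ns1.provider.test` / `ns2.provider.test`, and the constructed response headers are assumptions for illustration.

```python
import socket
import struct
from typing import Dict, Optional

# Outcome labels for one delegated nameserver.
HEALTHY = "authoritative"    # answered with AA=1, NOERROR and a SOA record
LAME = "lame"                # reachable but not authoritative (REFUSED, NXDOMAIN, AA=0)
UNREACHABLE = "unreachable"  # no reply within the timeout


def build_soa_query(zone: str, txid: int = 0x1234) -> bytes:
    """Build a non-recursive (RD=0) SOA query for `zone` in DNS wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # flags 0 => QR=0, RD=0
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    question = qname + b"\x00" + struct.pack("!HH", 6, 1)  # QTYPE=SOA(6), QCLASS=IN(1)
    return header + question


def parse_header(resp: bytes) -> Dict[str, int]:
    """Extract the header fields needed to judge whether the answer is authoritative."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,
        "aa": (flags >> 10) & 1,
        "rcode": flags & 0xF,
        "ancount": an,
    }


def classify_response(hdr: Optional[Dict[str, int]]) -> str:
    """Decide whether a delegated server actually serves the zone.

    None means the query timed out. A server that replies without AA=1 and a
    SOA answer, or that says REFUSED/NXDOMAIN, has no configuration for the zone:
    that is the 'lame' state in which a third party may be able to claim it."""
    if hdr is None:
        return UNREACHABLE
    if hdr["rcode"] == 0 and hdr["aa"] == 1 and hdr["ancount"] >= 1:
        return HEALTHY
    return LAME


def query_server(server_ip: str, zone: str, timeout: float = 2.0) -> Optional[Dict[str, int]]:
    """Send the SOA query over UDP to one nameserver and parse the reply header."""
    q = build_soa_query(zone)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(q, (server_ip, 53))
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    hdr = parse_header(data)
    if hdr["id"] != parse_header(q)["id"]:
        return None  # transaction id mismatch: not an answer to our query
    return hdr


def audit_delegation(delegated: Dict[str, Optional[Dict[str, int]]]) -> Dict[str, str]:
    """Map each delegated nameserver to HEALTHY / LAME / UNREACHABLE.

    `delegated` maps a nameserver name to its parsed reply header (or None); it is
    a parameter so the decision logic can run on live results from query_server()
    or on recorded/constructed data alike."""
    return {ns: classify_response(hdr) for ns, hdr in delegated.items()}


def is_lame_delegation(results: Dict[str, str]) -> bool:
    """Flag the zone when any delegated nameserver is not authoritative for it."""
    return any(state != HEALTHY for state in results.values())


def constructed_responses() -> Dict[str, Optional[Dict[str, int]]]:
    """Constructed sample (not captured traffic): the zone is delegated to two
    servers; ns1 still serves it, ns2 has lost its configuration and answers REFUSED."""
    ok_hdr = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)       # QR=1, AA=1, rcode 0, 1 answer
    refused_hdr = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0)  # QR=1, AA=0, rcode 5 (REFUSED)
    return {
        "ns1.provider.test": parse_header(ok_hdr),
        "ns2.provider.test": parse_header(refused_hdr),
    }


if __name__ == "__main__":
    results = audit_delegation(constructed_responses())
    print(results, "LAME DELEGATION" if is_lame_delegation(results) else "ok")
```

To run this against a real zone, resolve each NS name from the parent's delegation to an address and pass `query_server(ip, zone)` results into `audit_delegation`; the query is sent with RD=0 on purpose, so a server that would only have answered by recursing is correctly reported as not authoritative. Any server reported `lame` or `unreachable` should be removed from the delegation or re-provisioned at the provider before someone else supplies the records.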
Initially, the researchers intercepted a single such domain and were inundated within an hour by a deluge of requests from victimized devices. By identifying further misconfigured delegations, they expanded their observation to encompass nearly 120 domains. At peak intervals, their infrastructure was besieged by up to 30 MB of logs per second. Content analysis revealed why users succumb to these “subscriptions” in the first place: the lures exploited fear, hope, or curiosity, frequently mimicking prestigious brands. Messages masqueraded as banking alerts, “account lock” notifications, “virus” warnings, or clickbait regarding scandals involving celebrities and politicians. These headlines spanned over 60 languages, illustrating a truly global reach.
The magnitude of this spam was staggering; an average subscriber received approximately 140 notifications daily, totaling roughly 7,600 messages over the subscription’s lifespan. The geographic concentration was notably heavy in Asia—specifically Bangladesh, India, Indonesia, and Pakistan—which accounted for 50% of the observed activity.
Paradoxically, despite this torrent of content, engagement remained negligible. The system’s internal CTR (Click-Through Rate) projections were humiliatingly low, with the most “successful” instances reaching only 1 in 175, while the average hovered around 1 in 60,000. Real-world data confirmed this bleak outlook: within 57 million events, only 630 clicks were recorded—a ratio of approximately 1 in 80,000. Economically, a pay-per-click model would have yielded a paltry $1.80 over 15 days. Revenue was likely sustained through a pay-per-impression model, with estimated daily earnings for the observed infrastructure totaling roughly $350.
A particularly disconcerting detail was the volume of technical telemetry transmitted in plaintext. The logs contained exhaustive data regarding the victim’s environment, including OS versions, hardware models, ISP data, and “anti-fraud” markers used by the platform to distinguish genuine users from inquisitive researchers. This provided an unprecedented view into the “internal kitchen” of a push network.
The authors emphasize their role as passive observers, merely receiving traffic precipitated by a third-party DNS error. Nonetheless, the study serves as a poignant reminder of the “lame delegation” tactic used daily against legitimate corporations, where adversaries seize abandoned domains to intercept sensitive correspondence or traffic. A prime example is the Vacant Viper collective, which commandeers domains via this method to bolster the 404TDS infrastructure, notorious for disseminating malicious payloads. While this specific push network showed no signs of malware distribution, the inherent risks posed by derelict domains remain a significant peril.