Criminals Hijacking Subdomains of Popular Websites: How to Stay Safe

A troubling new online threat is emerging, where criminals hijack subdomains of major organizations, such as Bose, Panasonic, and even the US CDC (Centers for Disease Control and Prevention), to spread malware and perpetrate online scams. Infoblox has flagged this campaign, which at its center involves a threat group known as Hazy Hawk.

Hazy Hawk has taken a relatively quiet but highly effective approach to compromise user trust and weaponize it against unsuspecting visitors. These subdomain hijackings are not the result of direct hacking but rather of exploiting overlooked infrastructure vulnerabilities. An exploit rooted in administrative oversight is behind this campaign, which targets abandoned cloud resources linked to misconfigured DNS CNAME records.

These so-called “dangling” records occur when an organization decommissions a cloud service but forgets to update or delete the DNS entry pointing to it, leaving the subdomain vulnerable. For example, a forgotten subdomain like something.bose.com might still point to an unused Azure or AWS resource, and if Hazy Hawk registers the corresponding cloud instance, the attacker suddenly controls a legitimate-looking Bose subdomain.

This method is dangerous because misconfigurations are not typically flagged by conventional security systems. When the repurposed subdomains become platforms for delivering scams, including fake antivirus warnings, tech support cons, and malware disguised as software updates, it poses a significant threat to users. Hazy Hawk doesn’t just stop at hijacking - the group uses traffic distribution systems (TDSs) to reroute users from hijacked subdomains to malicious destinations.

These TDSs, such as viralclipnow.xyz, assess a user’s device type, location, and browsing behavior to serve up tailored scams. Often, redirection begins with seemingly innocuous developer or blog domains, like share.js.org, before shuffling users through a web of deception. Once users accept push notifications, they continue to receive scam messages long after the initial infection, establishing a lasting vector for fraud.

The Fallout: High-Profile Organizations Affected

The fallout from these campaigns is more than theoretical and has affected high-profile organizations and firms like the CDC, Panasonic and Deloitte. Individuals can guard against these threats by refusing push notification requests from unfamiliar sites and exercising caution with links that seem too good to be true.

Protecting Your Organization: DNS Hygiene is Key

For organizations, the emphasis must be on DNS hygiene. Failing to remove DNS entries for decommissioned cloud services leaves subdomains vulnerable to takeover. Automated DNS monitoring tools, especially those integrated with threat intelligence, can help detect signs of compromise.

Security teams should treat these misconfigurations as critical vulnerabilities, not minor oversights. By taking proactive measures to secure their DNS infrastructure, organizations can prevent Hazy Hawk and similar threats from compromising user trust and perpetrating online scams.

Staying Safe: Tips for Individuals

Individuals can guard against these threats by refusing push notification requests from unfamiliar sites and exercising caution with links that seem too good to be true. It's also essential to stay informed about the latest security threats and updates.

About the Author:

Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master's and a PhD in sciences, which provided him with a solid foundation in analytical thinking. Efosa developed a keen interest in technology policy, specifically exploring the intersection of privacy, security, and politics.