A large-scale malicious push-notification network was uncovered after researchers gained unintended visibility into the backend infrastructure of an illicit advertising operation. This visibility was made possible by a long-standing DNS misconfiguration that allowed third-party control of domains still actively used by the threat actors’ systems.
Over a short observation window, tens of millions of push-notification events were captured, revealing an industrialized ecosystem designed to deliver deceptive, scam-oriented notifications at extreme volume. The operation relied on browser push permissions, primarily targeting mobile users, and monetized through fraud, phishing, and misleading redirects rather than meaningful user engagement.
This incident highlights how neglected DNS assets can expose entire malicious ecosystems, and how push-notification abuse has become a mature, scalable threat vector.

Threat Overview
The activity centers around a malicious push-notification delivery network. These networks abuse legitimate browser functionality by tricking users into granting notification permissions. Once permission is granted, attackers can send unsolicited messages directly to the user’s device, bypassing email filters, SMS controls, and many traditional security layers.
Unlike traditional malware campaigns, this operation did not rely on exploit delivery or payload execution. Instead, it focused on:
- Social engineering
- Deceptive messaging
- Extreme message volume
- Geographic scale
The infrastructure functioned similarly to a commercial ad-tech platform, but was optimized for fraud and scams rather than advertising performance.
How the Network Worked
1. Initial User Enrollment
Victims were funneled through deceptive web pages that prompted them to enable browser notifications. These pages typically claimed that enabling notifications was required to:
- Verify the user is human
- Continue to content
- Enable video playback
- Confirm age or region
- Access downloads
Once the user clicked “Allow,” the browser registered the attacker’s push service as an authorized sender.
2. Push Delivery Infrastructure
After permission was granted, the user became part of a large push-subscriber pool. The infrastructure maintained:
- Subscriber identifiers
- Device and browser metadata
- Language and regional indicators
- Campaign routing logic
Push notifications were sent continuously, often at aggressive frequencies. In many cases, individual users received hundreds of notifications per day.
3. Message Content
The notifications were short, emotionally manipulative, and localized. They included:
- Fake financial alerts
- Lottery or prize claims
- System security warnings
- Impersonation of banks, brands, or government services
- Adult or dating lures
- Cryptocurrency and investment scams
Messages were dynamically translated into dozens of languages, suggesting automated localization and global campaign targeting.
4. Click Handling and Monetization
When a notification was clicked, the user was redirected through multiple tracking endpoints before landing on:
- Scam landing pages
- Affiliate fraud funnels
- Fake login pages
- Ad arbitrage sites
- Malware-adjacent download pages
Despite extremely low click-through rates, the sheer volume of notifications made the operation financially viable.
DNS Misconfiguration and Infrastructure Exposure
Lame DNS Delegation
The most critical factor enabling this discovery was a lame DNS delegation. This occurs when:
- A domain’s authoritative name servers are configured
- But those name servers no longer exist or are no longer controlled by the domain owner
In this case, the threat actors continued using domains that pointed to DNS providers they no longer controlled.
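To make the lame-delegation test concrete, the following stdlib-only Python checker is an added example; it is not part of the original write-up and not a tool the researchers describe. For each name server the parent zone delegates to, it sends a non-recursive SOA query for the zone and inspects the response header: a server that actually serves the zone answers with the AA (authoritative answer) bit set and an SOA record, while a REFUSED, SERVFAIL or NXDOMAIN reply, an answer without AA, or no answer at all marks that server as lame. The hostnames, addresses and canned responses in the demo are constructed placeholders standing in for live network answers; the same logic applies to the later recommendation to monitor domain delegation health.

```python
"""Lame-delegation checker (added example, standard library only).

A delegation is lame when a name server listed in the parent zone's NS set
does not answer authoritatively for the zone. Names and addresses below are
constructed placeholders, not infrastructure from the incident.
"""
import socket
import struct
from typing import Callable, Dict

QTYPE_SOA = 6
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname in DNS wire format (length-prefixed labels)."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(zone: str, txid: int = 0x1234) -> bytes:
    """Build a DNS SOA query with RD=0: we want the server's own view of the
    zone, not a recursive lookup performed on our behalf."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def classify_response(packet: bytes) -> str:
    """Reduce a DNS response header to a delegation verdict."""
    if len(packet) < 12:
        return "lame (malformed or no response)"
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    qr = (flags >> 15) & 1
    aa = (flags >> 10) & 1
    rcode = flags & 0x0F
    if not qr:
        return "lame (malformed or no response)"
    if rcode == 5:
        return "lame (REFUSED)"            # server does not serve this zone
    if rcode == 2:
        return "lame (SERVFAIL)"           # zone missing or failed to load
    if rcode == 3:
        return "lame (NXDOMAIN)"           # server has never heard of the zone
    if rcode != 0:
        return f"lame (rcode {rcode})"
    if not aa:
        return "lame (non-authoritative answer)"
    if ancount == 0:
        return "lame (AA set but no SOA record)"
    return "authoritative"


def udp_query(server: str, packet: bytes, timeout: float = 3.0) -> bytes:
    """Send one UDP query and return the raw response (empty bytes on failure)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(packet, (server, 53))
            data, _ = sock.recvfrom(4096)
            return data
        except (socket.timeout, OSError):
            return b""


def check_delegation(zone: str, nameservers: Dict[str, str],
                     query: Callable[[str, bytes], bytes] = udp_query) -> Dict[str, str]:
    """Map each delegated NS (hostname -> IP) to its verdict for `zone`.
    Anything other than 'authoritative' means the delegation is lame: either
    remove that NS from the parent or re-establish the zone at that provider."""
    packet = build_query(zone)
    return {ns: classify_response(query(ip, packet)) for ns, ip in nameservers.items()}


def make_response(aa: bool, rcode: int, ancount: int, txid: int = 0x1234) -> bytes:
    """Constructed response header, used only for offline demonstration."""
    flags = (1 << 15) | (int(aa) << 10) | (rcode & 0x0F)
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)


if __name__ == "__main__":
    # Constructed scenario: two of three delegated servers no longer serve the zone.
    canned = {
        "192.0.2.1": make_response(aa=True, rcode=0, ancount=1),   # healthy
        "192.0.2.2": make_response(aa=False, rcode=5, ancount=0),  # REFUSED
        "192.0.2.3": b"",                                           # no answer
    }
    nameservers = {"ns1.example.net": "192.0.2.1",
                   "ns2.example.net": "192.0.2.2",
                   "ns3.example.net": "192.0.2.3"}
    verdicts = check_delegation("example.com", nameservers,
                                query=lambda ip, pkt: canned[ip])
    for ns, verdict in verdicts.items():
        print(f"{ns:20} {verdict}")
```

Against live infrastructure, call `check_delegation(zone, nameservers)` with the default `udp_query` after resolving each NS hostname to an address; a hostname that does not resolve at all is a dangling NS record and should be treated as lame as well. Run this over your own zones on a schedule, since a lame delegation is exactly the condition that let a third party receive this operation's traffic.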
Domain Takeover
Because the DNS provider configuration was abandoned, another party was able to:
- Claim control of the orphaned DNS zone
- Receive live traffic intended for the attackers
- Observe internal operational telemetry
This resulted in passive collection of backend data, including push event logs and campaign metadata.
Scale of Exposure
Once the initial domain was identified, dozens of related domains with similar misconfigurations were discovered. Together, they formed a mesh of infrastructure that revealed:
- Campaign identifiers
- Message frequency
- Geographic distribution
- Client metadata
- Delivery success metrics
Tens of millions of events were observed in a short time window.
Impacted Users and Geography
Target Platforms
- Predominantly mobile users
- Heavily biased toward Android devices
- Browser focus on Chromium-based browsers
Desktop users were present but represented a smaller portion of traffic.
Geographic Distribution
Traffic showed a strong concentration in:
- South Asia
- Southeast Asia
- Parts of Africa
- Latin America
These regions are commonly targeted due to high mobile usage, lower fraud awareness, and less aggressive enforcement of deceptive ad practices.
Impacted Industries and Organizations
Directly Impacted
- End users (spam, fraud, phishing exposure)
- Browser ecosystems (abuse of notification APIs)
- Telecommunications and mobile networks (traffic and trust degradation)
Indirectly Impacted
- Financial institutions impersonated in messages
- E-commerce brands used as bait
- Government agencies spoofed for credibility
- Advertising platforms affected by fraud spillover
No single legitimate organization was breached, but many brands were impersonated as part of social-engineering efforts.
Indicators of Compromise (IOCs)
DNS and Infrastructure Patterns
- Domains with:
  - NS records pointing at DNS providers where the zone was recently re-registered by another party
  - Active traffic but abandoned NS records
- High-volume push endpoints receiving POST requests with:
  - Subscriber IDs
  - Campaign IDs
  - Locale and device metadata
Behavioral IOCs
- Excessive browser push notifications
- Notifications appearing without a corresponding installed application
- Identical notification patterns across unrelated websites
- High notification frequency without user interaction
User-Side Artifacts
- Browser notification permissions granted to:
  - Random domains
  - Typosquatted or generic domains
- Repeated redirects after clicking notifications
- Landing pages changing on each click
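The behavioral indicators above translate directly into detection logic. The following Python is an added example, not code from the original write-up, that runs two of them over a constructed set of push-event records: per-subscriber daily notification volume above a threshold, and identical notification text reused across unrelated origins. The field names, the sample records and the threshold of 5 notifications per day are assumptions for the illustration; a production threshold would be tuned to the observed baseline for legitimate senders.

```python
"""Detection pass over push-event telemetry (added example, constructed data).

Two behavioral indicators from the write-up:
  * notification frequency per subscriber far above normal
  * identical notification content reused across unrelated origins
Field names and records are assumptions, not the incident's real log schema.
"""
import json
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Set

# Constructed push-event records, one JSON object per line.
SAMPLE_LOG = """\
{"ts": "2024-01-10T08:00:00Z", "origin": "news-alerts.example", "subscriber": "s1", "title": "Your account has been locked"}
{"ts": "2024-01-10T08:20:00Z", "origin": "news-alerts.example", "subscriber": "s1", "title": "You won a prize! Claim now"}
{"ts": "2024-01-10T09:05:00Z", "origin": "news-alerts.example", "subscriber": "s1", "title": "Security warning: virus detected"}
{"ts": "2024-01-10T10:15:00Z", "origin": "news-alerts.example", "subscriber": "s1", "title": "Your account has been locked"}
{"ts": "2024-01-10T12:40:00Z", "origin": "news-alerts.example", "subscriber": "s1", "title": "Package could not be delivered"}
{"ts": "2024-01-10T14:55:00Z", "origin": "news-alerts.example", "subscriber": "s1", "title": "Confirm your payment details"}
{"ts": "2024-01-10T09:00:00Z", "origin": "free-video.example", "subscriber": "s2", "title": "Your  account has been LOCKED"}
{"ts": "2024-01-11T09:00:00Z", "origin": "quiz-prize.example", "subscriber": "s2", "title": "Your account has been locked"}
{"ts": "2024-01-10T18:00:00Z", "origin": "recipes.example", "subscriber": "s3", "title": "New recipe: lentil soup"}
"""

# Assumed thresholds for the demo; tune to the legitimate baseline in production.
MAX_PER_DAY = 5
MIN_SHARED_ORIGINS = 2


def parse_events(text: str) -> List[dict]:
    """Parse JSON-lines telemetry and turn the timestamp into a datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def normalize_title(title: str) -> str:
    """Case-fold and collapse whitespace so trivially varied copies still match."""
    return re.sub(r"\s+", " ", title).strip().lower()


def excessive_frequency(events: List[dict], threshold: int = MAX_PER_DAY) -> Dict[str, int]:
    """Subscribers who received more than `threshold` notifications on any one
    day, mapped to their worst daily count."""
    per_day = Counter((e["subscriber"], e["ts"].date()) for e in events)
    worst: Dict[str, int] = {}
    for (sub, _day), count in per_day.items():
        if count > threshold:
            worst[sub] = max(count, worst.get(sub, 0))
    return worst


def cross_origin_duplicates(events: List[dict],
                            min_origins: int = MIN_SHARED_ORIGINS) -> Dict[str, Set[str]]:
    """Notification titles pushed by at least `min_origins` distinct origins.
    Unrelated sites sending identical text is the fingerprint of one shared
    campaign backend behind many enrollment domains."""
    origins: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        origins[normalize_title(e["title"])].add(e["origin"])
    return {title: o for title, o in origins.items() if len(o) >= min_origins}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for sub, count in excessive_frequency(evs).items():
        print(f"high-frequency subscriber {sub}: {count} notifications in one day")
    for title, origins in cross_origin_duplicates(evs).items():
        print(f"shared content {title!r} across {len(origins)} origins: {sorted(origins)}")
```

Both checks are cheap enough to run continuously over a push-event feed, and the origin sets they return give a defender a ready list of enrollment domains to block or to revoke notification permission for.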
Threat Actor Tradecraft Assessment
Sophistication
- Medium technical sophistication
- High operational maturity
- Automation-heavy infrastructure
- Focus on scale over precision
Objectives
- Monetization through fraud and deceptive traffic
- Abuse of legitimate browser features
- Avoidance of traditional malware detection
Weaknesses
- Poor DNS hygiene
- Infrastructure sprawl
- Over-reliance on abandoned assets
Defensive Lessons Learned
- DNS hygiene matters, even for malicious actors. Abandoned DNS infrastructure can expose entire operations.
- Push notifications are a high-risk but under-monitored attack surface.
- Volume-based fraud can remain profitable even with extremely low engagement.
- User education around browser permissions remains critically important.
- Security teams should monitor:
  - Notification abuse
  - Domain delegation health
  - Push service anomalies
Conclusion
This case demonstrates how a seemingly minor infrastructure oversight can unravel a large-scale malicious ecosystem. The observed push-notification network operated globally, delivered billions of deceptive impressions, and relied on basic social engineering rather than advanced exploits.
The incident underscores a growing trend: modern cybercrime increasingly abuses legitimate platforms and protocols, blurring the line between malicious activity and acceptable internet behavior.
The operation was not technically advanced, but it was efficient, scalable, and persistent, making it a meaningful threat to users and a growing challenge for defenders.
