
"To make this attack work, the threat actor acquires some IPv6 address space, for which they are delegated control of the corresponding .arpa subdomain. Then, instead of adding the expected PTR records, they create A records for the reverse DNS names. These records were created through Cloudflare and Hurricane Electric, but other DNS providers also allow the configuration."
"The .arpa TLD is designed to map IP addresses to domains, providing reverse DNS records, and should not host web content, as other TLDs do. As part of the newly uncovered campaign, however, a threat actor has been abusing DNS record management controls of certain providers to add IP address records for .arpa domains and serve phishing content to victims."
"While .arpa domains are typically trusted and the domain names unlikely to be blocked, the threat actor further made the reverse DNS domains difficult to identify and block by prepending them with randomly generated subdomains, creating unique Fully Qualified Domain Names (FQDNs) that were then used to build phishing email HTMLs."
A threat actor has discovered a method to abuse the .arpa top-level domain, which is designed exclusively for reverse DNS mapping, to host phishing content. Acquiring IPv6 address space gives the attacker delegated control of the corresponding .arpa subdomain; by exploiting the DNS record management controls at providers such as Cloudflare and Hurricane Electric, the attacker then creates A records there instead of the expected PTR records. The phishing emails impersonate major brands, with embedded hyperlinks whose reverse DNS strings hide the actual malicious domain. The attacker further obscures these domains by prepending random subdomains to create unique FQDNs, making them difficult to identify and block. Since .arpa domains are typically trusted and rarely blocked, this approach effectively bypasses security measures while hosting malicious content on Cloudflare's edge network.
#phishing-attacks #arpa-domain-abuse #dns-exploitation #reverse-dns-manipulation #threat-actor-infrastructure
Read at SecurityWeek