Hacker abusing .arpa domain to evade phishing detection
The tactic combines IPv6 tunneling and .arpa domain abuse to redirect victims to malicious websites.
A threat actor has found a new way to evade phishing-detection defenses: abusing the .arpa top-level domain (TLD) together with IPv6 tunneling to host phishing content on names that should never resolve to an IP address.
For the uninitiated, .arpa (Address and Routing Parameter Area) is a TLD reserved exclusively for Internet infrastructure. Its main use is reverse DNS: the in-addr.arpa and ip6.arpa subtrees map IPv4 and IPv6 addresses back to hostnames through PTR records.
However, according to a report from Infoblox, a threat actor discovered that the DNS record-management interface of at least one provider lets a customer create A records on those reverse-DNS names instead of the PTR records they are meant to carry. A reverse name that was never supposed to resolve to an address then points at an ordinary web server.
“From there,” says Infoblox, “they can do whatever they like at the hosting provider. It’s a pretty clever trick.”
Infoblox first spotted the trick in use at Hurricane Electric, a US-based DNS provider, and at content delivery provider Cloudflare. It has since confirmed that other providers have been abused in the same way and says it has notified them of the issue.
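As an added example, not code from the Infoblox report or from CSO Online, the following Python shows the two checks a defender would want after reading the above: decoding a reverse-DNS owner name back to the address it encodes (rejecting names that are not well-formed reverse names), and scanning passive-DNS or zone-file style records for A/AAAA records published under in-addr.arpa or ip6.arpa, which is exactly the anomaly the attack relies on. It also includes a cheap URL filter for mail and proxy pipelines. Every name, address and record in it is constructed for the example; the provider interface that allowed the abuse is not modelled.

```python
"""Added example: spot address records living under reverse-DNS names.

Reverse zones (in-addr.arpa for IPv4, ip6.arpa for IPv6) exist to hold PTR
records mapping an address back to a hostname. The abuse described above
publishes A records there instead, so that a name such as
4.3.2.1.in-addr.arpa resolves to a web server. All data below is constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple, Union
from urllib.parse import urlsplit

Record = Tuple[str, str, str]  # (owner, rtype, rdata)
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _labels(name: str) -> List[str]:
    return name.rstrip(".").lower().split(".")


def is_under_reverse_zone(name: str) -> bool:
    """True for any name inside in-addr.arpa or ip6.arpa (complete or not)."""
    return _labels(name)[-2:] in (["in-addr", "arpa"], ["ip6", "arpa"])


def reverse_name_to_ip(name: str) -> Optional[Address]:
    """Decode a complete reverse name back to the address it encodes.

    Returns None for names that are not a full reverse name (wrong label
    count, non-numeric octets, non-hex nibbles).  There is no stdlib decoder
    for this direction; ipaddress only offers the encoder (.reverse_pointer).
    """
    labels = _labels(name)
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2]  # stored least-significant octet first
        if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
            return None
        return ipaddress.IPv4Address(".".join(reversed(octets)))
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2]  # 32 single hex digits, least-significant first
        if len(nibbles) != 32 or not all(len(n) == 1 and n in "0123456789abcdef" for n in nibbles):
            return None
        return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))
    return None


def url_points_into_arpa(url: str) -> bool:
    """Cheap mail/proxy filter: a clickable link whose host is under .arpa
    has no legitimate reason to exist, whatever record type backs it."""
    host = urlsplit(url).hostname or ""
    return _labels(host)[-1] == "arpa"


def parse_records(text: str) -> List[Record]:
    """Parse constructed 'owner rtype rdata' lines; ';' starts a comment."""
    records: List[Record] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, rtype, rdata = line.split(None, 2)
        records.append((owner, rtype.upper(), rdata))
    return records


def find_reverse_zone_address_records(records: List[Record]) -> List[Dict[str, Optional[str]]]:
    """Flag A/AAAA records owned by a name under a reverse zone.

    'encodes' is the address the owner name represents; comparing it with
    'rdata' shows where the phishing host actually lives.  The one benign
    case, in-bailiwick glue for a nameserver named inside the reverse zone,
    should be allowlisted by owner rather than by weakening this check.
    """
    findings = []
    for owner, rtype, rdata in records:
        if rtype in ("A", "AAAA") and is_under_reverse_zone(owner):
            encoded = reverse_name_to_ip(owner)
            findings.append({
                "owner": owner,
                "rtype": rtype,
                "rdata": rdata,
                "encodes": str(encoded) if encoded is not None else None,
            })
    return findings


# Constructed sample: one IPv4 reverse name and one IPv6 reverse name, each
# carrying the expected PTR plus the abusive address records.
V6_REVERSE = ipaddress.ip_address("2001:db8::1").reverse_pointer + "."

SAMPLE_RECORDS = f"""\
; constructed passive-DNS style sample: owner rtype rdata
4.3.2.1.in-addr.arpa.  PTR   host.example.net.
4.3.2.1.in-addr.arpa.  A     198.51.100.7
{V6_REVERSE}  PTR   www.example.org.
{V6_REVERSE}  AAAA  2001:db8::1
{V6_REVERSE}  A     203.0.113.9
www.example.org.       A     203.0.113.9
"""

if __name__ == "__main__":
    for finding in find_reverse_zone_address_records(parse_records(SAMPLE_RECORDS)):
        print(finding)
```

Run against real data, the record source would be a passive-DNS feed or the zone export of a provider's reverse delegation; the two things worth alerting on are any hit at all from find_reverse_zone_address_records, and a mismatch between the address a reverse name encodes and the address it actually resolves to.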
“It’s a brilliant, old school move to find vulnerabilities in the complexity of the evolution of the internet,” said David Shipley, head of Canadian security awareness training provider Beauceron Security. “To figure out how to combine the newest part of the web, IPv6, with the oldest, Arpanet, may qualify as one of the most interesting hacks so far this year.
“The fact these were used for fairly basic scam-type phishes is likely the result of someone learning this trick recently, but my gut says it’s been abused a lot longer, by far more sophisticated groups for more targeted attacks. Clever hacks like this are great evidence to keep in mind the next time a vendor says they stop 99.9% of phishing,” he added.
Read the full story at CSO Online