Wed. Mar 4th, 2026

Cybercriminals abuse .arpa domain for phishing scams (US)

20260101 090633



Cybercriminals have adopted a new form of phishing attack that exploits the .arpa domain, a part of the internet normally reserved for essential network functions.

According to new research from Infoblox Threat Intel, hackers now use this space to host phishing pages while avoiding standard security checks, a serious threat given the role .arpa plays. Unlike more familiar domains such as .com or .net, .arpa helps computers map IP addresses back to domain names, a process known as reverse DNS.


According to Dr. Renée Burton, VP of Infoblox Threat Intel, when attackers abuse .arpa, they are weaponizing the very core of the internet. She added that .arpa was never meant to host websites. Because of this, many security systems don't check it closely, and using it to deliver malicious pages gives attackers room to bypass defences that rely on known domain names or typical URL patterns.

The attack relies on IPv6, the newer type of internet address. After gaining control of a range of addresses, the hackers configure them to point to servers hosting phishing pages.

Most of the time, the cybercriminals manage these addresses through services like Cloudflare, which hides the true location of the malicious content.

In other cases, some DNS providers allow users to manage .arpa domains in ways never intended for web hosting. This lets attackers attach harmful content to entries that were never supposed to lead to a website.

The attack also makes use of free IPv6 tunnels that grant administrative control over large address ranges, even when the tunnels aren't used for data transit.

The malicious content is usually delivered through phishing emails. These emails often mimic well-known brands and promise rewards such as free gifts or prizes to make the messages appear legitimate. When a user is lured into clicking the image or link in the email, they are immediately redirected to a fake website that captures login details or other sensitive information. The emails serve as bait while the unusual .arpa addresses remain hidden in the background, so the visible URL appears normal. And because .arpa is essential to DNS operations, its domains are unlikely to be blocked automatically.

The hackers also create unique, hard-to-detect addresses by adding random subdomains, making it difficult for security systems to identify them. With this method of attack, cybercriminals don't need to exploit software flaws to succeed.
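As an added example (not from the article or from Infoblox), a small Python detector that flags web requests to hostnames under .arpa in a constructed proxy log and recovers the reverse-DNS range that sits behind the random subdomains described above; the log format, hostnames and addresses are all constructed.

```python
import ipaddress
from itertools import takewhile
from urllib.parse import urlparse

# Constructed proxy-log sample (not data from the Infoblox report):
# timestamp, client IP, method, requested URL.
SAMPLE_LOG = """\
2026-01-01T09:06:33Z 10.0.0.5 GET https://www.example.com/index.html
2026-01-01T09:06:41Z 10.0.0.7 GET http://rewards-x7k2.1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa/claim
2026-01-01T09:06:52Z 10.0.0.9 GET https://prize.44.2.0.192.in-addr.arpa/login
2026-01-01T09:07:03Z 10.0.0.5 GET https://mail.example.net/inbox
"""

HEX = set("0123456789abcdef")

def arpa_prefix(hostname):
    """Return (zone, prefix) if hostname is under .arpa, else None. The prefix
    is the reverse-DNS range the name belongs to; labels left of the address
    part (the attackers' random subdomains) are skipped to recover that range."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != "arpa":
        return None
    parts = labels[-3::-1]  # address labels, most significant first
    if labels[-2] == "ip6":
        nibbles = list(takewhile(lambda p: len(p) == 1 and p in HEX, parts))[:32]
        addr = int("".join(nibbles).ljust(32, "0"), 16)
        return ("ip6.arpa", str(ipaddress.IPv6Network((addr, 4 * len(nibbles)))))
    if labels[-2] == "in-addr":
        octets = list(takewhile(lambda p: p.isdigit() and int(p) < 256, parts))[:4]
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
        return ("in-addr.arpa", str(ipaddress.IPv4Network((addr, 8 * len(octets)))))
    return (labels[-2] + ".arpa", None)  # e.g. e164.arpa or uri.arpa

def scan_log(text):
    """Return one finding per log line whose URL host lives under .arpa;
    web traffic to reverse-DNS names has no legitimate reason to exist."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[3].startswith("http"):
            continue
        hit = arpa_prefix(urlparse(fields[3]).hostname or "")
        if hit:
            findings.append({"client": fields[1], "url": fields[3],
                             "zone": hit[0], "prefix": hit[1]})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} -> {f['zone']} range {f['prefix']}: {f['url']}")
```

Grouping findings by the recovered prefix rather than by hostname lets a defender block or watch the whole controlled range, which the random subdomains cannot evade.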

Dr Burton warns that defenders need to treat DNS infrastructure as high-value real estate for attackers and monitor all possible points of abuse. These risks can also be reduced if organisations tighten firewall rules, enforce identity protection policies and ensure quick malware removal if attacks succeed.




By uttu
