A threat actor has been abusing the .arpa TLD to host phishing sites by creating A records for reverse DNS names that should only contain PTR entries, Infoblox reports. The campaign exploits vulnerabilities at DNS providers (including Cloudflare and Hurricane Electric), uses randomized subdomains and IPv6 reverse domains resolving to Cloudflare edge IPs, and hijacks CNAMEs to hide malicious content and evade detection. #arpa #Infoblox
Key points
- The actor created A records under .arpa reverse DNS names instead of PTR records to host phishing content.
- DNS provider misconfigurations and vulnerabilities at providers including Cloudflare and Hurricane Electric were exploited.
- Phishing emails used images with embedded hyperlinks that pointed to reverse DNS FQDNs and multiple redirects to conceal the destination.
- Reverse DNS FQDNs resolved to Cloudflare edge IPs and were prepended with randomized subdomains to avoid blocking.
- Hijacked CNAMEs, domain shadowing, and a long-used toolkit enabled sustained high-volume campaigns against education, government, media, retail, and telecom targets.
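A defender can hunt for this pattern in passive DNS or resolver logs by checking record types against the name they sit under: a well-formed in-addr.arpa or ip6.arpa name should only carry PTR (or NS/CNAME delegation) data, never an A/AAAA record, and it should never have labels that cannot be part of an address prepended to it. The script below is an added example written for this summary, not code from Infoblox, SecurityWeek or any DNS provider; the log lines it scans are constructed, and the three heuristics (address record under a reverse name, non-address labels under a reverse zone, CNAME whose target lies in the .arpa namespace) are assumptions about what the report describes, not a published detection signature.

```python
"""Flag records under in-addr.arpa / ip6.arpa that should not exist there.

Added example (not from the Infoblox or SecurityWeek report): scans
passive-DNS style lines "<qname> <rtype> <rdata>" and reports reverse-DNS
names that carry address records, that have extra non-address labels
prepended, or that are the target of a CNAME. All input below is constructed.
"""
import ipaddress
from typing import List, Optional, Tuple

HEX_NIBBLES = set("0123456789abcdef")


def classify_arpa_name(name: str) -> Optional[str]:
    """Classify a DNS name relative to the reverse zones.

    Returns None if the name is not under .arpa, "ipv4"/"ipv6" for a
    well-formed reverse name, "extra-labels" when the name contains labels
    that cannot be part of an address, and "other-arpa" for other .arpa
    subtrees (e164.arpa, home.arpa, ...).
    Caveat: RFC 2317 classless delegations use labels such as "0-127" or
    "0/25" under in-addr.arpa; allow-list those if they occur in your data.
    """
    labels = name.rstrip(".").lower().split(".")
    if labels[-1] != "arpa":
        return None
    if len(labels) >= 2 and labels[-2] == "in-addr":
        addr = labels[:-2]
        if len(addr) <= 4 and all(l.isdigit() and int(l) <= 255 for l in addr):
            return "ipv4"
        return "extra-labels"
    if len(labels) >= 2 and labels[-2] == "ip6":
        addr = labels[:-2]
        if len(addr) <= 32 and all(len(l) == 1 and l in HEX_NIBBLES for l in addr):
            return "ipv6"
        return "extra-labels"
    return "other-arpa"


def flag_record(qname: str, rtype: str, rdata: str) -> List[str]:
    """Return the list of reasons a single record looks anomalous (empty if clean)."""
    reasons = []
    kind = classify_arpa_name(qname)
    if kind == "extra-labels":
        reasons.append("non-address labels under reverse zone")
    if kind in ("ipv4", "ipv6", "extra-labels") and rtype in ("A", "AAAA"):
        reasons.append("address record where only PTR is expected")
    if rtype == "CNAME" and classify_arpa_name(rdata) is not None:
        reasons.append("CNAME into .arpa namespace")
    return reasons


def scan(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """Scan "<qname> <rtype> <rdata>" lines; return (qname, rtype, reasons) for hits."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        qname, rtype, rdata = line.split(maxsplit=2)
        reasons = flag_record(qname, rtype.upper(), rdata)
        if reasons:
            findings.append((qname, rtype.upper(), reasons))
    return findings


# Constructed sample data. reverse_pointer yields the canonical reverse name
# for an address, e.g. "10.2.0.192.in-addr.arpa" (documentation-range IPs).
V4_PTR = ipaddress.ip_address("192.0.2.10").reverse_pointer
V6_PTR = ipaddress.ip_address("2001:db8::1").reverse_pointer
SAMPLE_LOG = "\n".join([
    f"{V4_PTR} PTR host.example.net.",          # normal reverse entry
    f"{V4_PTR} A 203.0.113.10",                  # A record in a reverse zone
    f"k7x2q9.{V4_PTR} A 203.0.113.10",           # randomized label prepended
    f"{V6_PTR} PTR v6host.example.net.",         # normal IPv6 reverse entry
    f"zz81.{V6_PTR} A 203.0.113.11",             # randomized label, IPv6 reverse
    f"login.example.com CNAME {V4_PTR}.",        # CNAME pointing into .arpa
    "www.example.com A 198.51.100.5",            # ordinary forward record
])

if __name__ == "__main__":
    for qname, rtype, reasons in scan(SAMPLE_LOG):
        print(f"{rtype:5} {qname}: {'; '.join(reasons)}")
```

To use it on real data, feed it a passive-DNS export or resolver query log reduced to name, type and rdata; the forward record and the two proper PTR entries in the sample pass cleanly, while the four lines that mirror the reported technique are flagged. Expect to allow-list RFC 2317 style classless delegation labels before treating "extra-labels" hits as alerts.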
Read More: https://www.securityweek.com/internet-infrastructure-tld-arpa-abused-in-phishing-attacks/