Hackers Exploit Trusted .arpa Domain to Bypass Phishing Detection Researchers at Infoblox have uncovered a novel phishing tactic that abuses the .arpa top-level domain (TLD) a trusted infrastructure component to evade security defenses. The attack leverages IPv6-to-IPv4 tunneling services, specifically from Hurricane Electric, to create malicious forward DNS records under the .arpa domain, which is typically reserved for reverse DNS lookups and is implicitly trusted by security tools. ### How the Attack Works 1. Abusing Free Tunneling Services – The attacker obtained IPv6 addresses from Hurricane Electric’s free tunneling service, which allows customers to designate DNS providers for their allocated space. 2. Manipulating DNS Records – Instead of creating legitimate PTR (pointer) records for reverse lookups, the attacker configured A (address) records on Cloudflare’s name servers, redirecting .arpa domains to malicious websites. 3. Bypassing Security Controls – Since .arpa is universally trusted, security tools like protective DNS and next-gen firewalls often overlook it, allowing phishing links to slip through undetected. ### Phishing Lures & Impact The campaign primarily targets consumers with two types of scams: - Fake brand surveys (e.g., department stores, supermarkets) offering "free gifts" for participation. - Subscription renewal scams claiming the victim’s cloud storage or antivirus service has been interrupted, demanding payment to restore access. When victims click embedded links in phishing emails, they are redirected through a series of malicious pages, ultimately tricked into entering credit card details under false pretenses. ### Why This Attack Is Dangerous - .arpa domains are inherently trusted, making them invisible to reputation-based security filters. - No registration details are required, eliminating typical red flags like newly registered domains. - Sophisticated threat actors could adapt this technique for spear-phishing or targeted attacks. - Not all providers are vulnerable some block unauthorized .arpa domain claims but many remain exposed. ### Mitigation Recommendations Infoblox advises organizations to: - Monitor DNS traffic for unusual .ip6.arpa queries. - Block or alert on atypical .arpa hostnames (e.g., non-standard IP address formats). - Audit IPv6 tunneling providers to prevent abuse of their services. - Ensure email security tools flag .arpa-based phishing links. The discovery highlights a critical gap in phishing defenses, proving that even trusted infrastructure components can be weaponized. While currently used for consumer scams, the technique could easily escalate to enterprise-targeted attacks.