Attackers Weaponize .arpa Domains and IPv6 Infrastructure for Phishing

Cybercriminals are exploiting the special-use .arpa domain and IPv6 reverse DNS to run phishing campaigns that slip past reputation-based defenses. The .arpa top-level domain is reserved for internet infrastructure functions such as reverse DNS, which maps IP addresses back to hostnames through PTR records under in-addr.arpa (IPv4) and ip6.arpa (IPv6). Attackers found they could abuse this by obtaining IPv6 address blocks from tunneling services, which delegate the matching ip6.arpa reverse zone to name servers the customer specifies, and then publishing record types in that zone that a reverse zone would not normally carry.

Once the reverse zone for an IPv6 range is delegated to them, nothing in DNS stops a zone under ip6.arpa from carrying A records, and some DNS management platforms let threat actors publish A records that point ip6.arpa names at phishing infrastructure. Observed campaigns used reputable providers such as Hurricane Electric and Cloudflare to host these configurations, benefiting from those providers' established trust scores. The phishing emails embed images whose links use reverse IPv6 hostnames such as "d.d.e.0.6.3.0.0.0.7.4.0.1.0.0.2.ip6.arpa" (read nibble by nibble from the right, this encodes the /64 prefix 2001:470:36:edd::) rather than suspicious-looking registered domains.

When victims click these images, the hostname resolves through attacker-controlled name servers, often to Cloudflare addresses fronting the real phishing host, which hides its location. A traffic distribution system then screens visitors by device type, IP address and other criteria, redirecting qualifying victims to the actual phishing site and sending everyone else to a legitimate page. The malicious links stay active for only a few days before expiring, which hinders security research.

Names under .arpa have no WHOIS records, domain age or registration details, the signals security tools typically feed into reputation scoring, so the links score as unknown rather than bad. Conversely, a name under .arpa has no legitimate reason to appear as the host of a link or image in email, so mail and web filters can treat any such URL as suspicious outright. Researchers also observed attackers combining the technique with hijacked dangling CNAME records and subdomain shadowing, compromising more than 100 legitimate government, academic and corporate domains. Users are advised not to click unexpected email links and to reach official websites through trusted bookmarks instead.
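The two points above, that an ip6.arpa hostname is just a nibble-reversed IPv6 prefix and that such a name should never be the host of a link in mail, can be turned into a simple check. The following Python is an added example written for this page, not code from the researchers or from any vendor: it decodes ip6.arpa names back to the prefix they encode (of any length, not only the /64 in the article), scans a constructed sample message for http(s) links whose host sits under .arpa, and attributes decoded prefixes to a known tunnel-broker range. The mapping of 2001:470::/32 to Hurricane Electric's tunnel broker is an assumption for illustration; populate that table from your own allocation data.

```python
from __future__ import annotations

import ipaddress
import re
from typing import Optional
from urllib.parse import urlparse

IP6_ARPA_SUFFIX = ".ip6.arpa"
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")

# Assumed mapping for illustration: 2001:470::/32 is the Hurricane Electric
# allocation used by its tunnel broker. Populate from your own data in practice.
KNOWN_TUNNEL_RANGES = {
    ipaddress.IPv6Network("2001:470::/32"): "Hurricane Electric tunnel broker",
}

# Constructed sample message body, not a real campaign artifact.
SAMPLE_EMAIL = """\
<html><body>
<p>Your invoice is ready.</p>
<img src="https://d.d.e.0.6.3.0.0.0.7.4.0.1.0.0.2.ip6.arpa/track/pixel.png" width="1" height="1">
<a href="https://www.example.com/billing">View invoice</a>
<a href="http://4.3.2.1.in-addr.arpa/verify">Confirm your account</a>
</body></html>
"""


def ip6_arpa_to_network(name: str) -> ipaddress.IPv6Network:
    """Decode an ip6.arpa name back to the IPv6 prefix it encodes.

    ip6.arpa names list the address one hex nibble per label, least
    significant nibble first. A full address has 32 labels; a delegated
    reverse zone such as a /64 has 16. The prefix length is 4 bits per label.
    """
    host = name.lower().rstrip(".")
    if not host.endswith(IP6_ARPA_SUFFIX):
        raise ValueError(f"not an ip6.arpa name: {name}")
    labels = host[: -len(IP6_ARPA_SUFFIX)].split(".")
    if not 1 <= len(labels) <= 32 or not all(re.fullmatch(r"[0-9a-f]", lab) for lab in labels):
        raise ValueError(f"malformed nibble labels: {name}")
    nibbles = "".join(reversed(labels))  # most significant nibble first
    addr = ipaddress.IPv6Address(int(nibbles.ljust(32, "0"), 16))  # zero-fill host bits
    return ipaddress.IPv6Network((addr, 4 * len(labels)))


def owner_of(net: ipaddress.IPv6Network) -> Optional[str]:
    """Name the known tunnel-broker range containing net, if any."""
    for parent, owner in KNOWN_TUNNEL_RANGES.items():
        if net.subnet_of(parent):
            return owner
    return None


def flag_arpa_links(text: str) -> list[dict]:
    """Return every http(s) URL in text whose host sits under .arpa.

    .arpa exists for infrastructure lookups (PTR records); it has no business
    being the host of a link or image a user is expected to load, so any hit
    is suspicious regardless of domain age or WHOIS, which such names lack.
    For ip6.arpa hosts, also recover the encoded prefix and its likely owner.
    """
    findings = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").rstrip(".")
        if not (host == "arpa" or host.endswith(".arpa")):
            continue
        finding = {"url": url, "host": host, "prefix": None, "owner": None}
        if host.endswith(IP6_ARPA_SUFFIX):
            try:
                net = ip6_arpa_to_network(host)
            except ValueError:
                finding["prefix"] = "malformed"
            else:
                finding["prefix"] = str(net)
                finding["owner"] = owner_of(net)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in flag_arpa_links(SAMPLE_EMAIL):
        print(f"suspicious .arpa link: {f['host']}  prefix={f['prefix']}  owner={f['owner']}")
```

Run against the constructed message, the scanner flags the ip6.arpa tracking pixel (decoded to 2001:470:36:edd::/64 and attributed to the assumed tunnel-broker range) and the in-addr.arpa link, while the ordinary example.com link passes. In a mail gateway the same host test belongs next to the reputation lookup, so that a name with no reputation data at all is not silently treated as clean.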
