Abuse of .arpa Top-Level Domain in Phishing Scams Exposed


Cybercriminals Abuse .arpa Domain to Host Phishing Scams

Cybercriminals are leveraging the .arpa top-level domain, a reserved segment of the internet’s infrastructure, to host phishing scams and evade standard security protocols. This tactic exploits the trust placed in the .arpa domain, which is primarily used for reverse DNS and is not intended to host web content.

Method of Abuse

Researchers at a DNS security firm discovered that threat actors are using free IPv6 tunnel services to obtain a large supply of IP addresses. These addresses are then used to trick service providers, such as Hurricane Electric and Cloudflare, into hosting fraudulent websites within the .arpa space.

Bypassing Security Controls

The scammers’ approach allows them to bypass traditional security controls that rely on domain reputation or URL structure. By using the .arpa domain, they effectively step around these controls and increase the likelihood of successful phishing attacks.
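Because the .arpa top-level domain exists for infrastructure records such as reverse DNS, any web request whose destination host sits under .arpa is worth surfacing, regardless of domain reputation. The following is an added detection example (not code from the article or the DNS security firm): it scans constructed proxy log lines, flags requests to hosts under .arpa, and for in-addr.arpa / ip6.arpa names reconstructs the IP prefix the reverse name refers to so an analyst can enrich the finding. The log format, hostnames and addresses are all constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample proxy log (not from the article): "timestamp client method url status".
SAMPLE_PROXY_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 GET https://www.example.com/index.html 200
2024-05-01T10:00:07Z 10.0.0.5 GET http://gift.8.b.d.0.1.0.0.2.ip6.arpa/claim 200
2024-05-01T10:00:09Z 10.0.0.8 GET https://1.0.168.192.in-addr.arpa/storage/quota 302
2024-05-01T10:00:12Z 10.0.0.9 GET https://arpa.example.net/ 200
"""

HEX_NIBBLE = re.compile(r"^[0-9a-f]$")
DEC_OCTET = re.compile(r"^(25[0-5]|2[0-4]\d|1?\d?\d)$")


def reverse_name_to_prefix(host):
    """Map a hostname under in-addr.arpa / ip6.arpa back to the IP prefix it
    refers to. Labels left of the numeric part (e.g. 'gift.') are ignored, and
    a partial reverse name yields the covering prefix. Returns None when the
    host is not under a reverse-DNS zone."""
    labels = host.lower().rstrip(".").split(".")
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = []
        # Nibbles are stored least-significant first, so read them from the right.
        for lab in reversed(labels[:-2]):
            if not HEX_NIBBLE.match(lab):
                break
            nibbles.append(lab)
        nibbles = nibbles[:32]
        if not nibbles:
            return None
        hexstr = "".join(nibbles).ljust(32, "0")
        addr = ":".join(hexstr[i:i + 4] for i in range(0, 32, 4))
        return ipaddress.ip_network(f"{addr}/{4 * len(nibbles)}", strict=False)
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = []
        for lab in reversed(labels[:-2]):
            if not DEC_OCTET.match(lab):
                break
            octets.append(lab)
        octets = octets[:4]
        if not octets:
            return None
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(f"{addr}/{8 * len(octets)}", strict=False)
    return None


def is_arpa_host(host):
    """True when the host's top-level domain is arpa (e.g. x.ip6.arpa)."""
    labels = host.lower().rstrip(".").split(".")
    return labels[-1] == "arpa"


def flag_arpa_web_requests(log_text):
    """Return one finding per request whose destination host is under .arpa.
    Any web request to .arpa is anomalous: the TLD serves infrastructure
    records such as reverse DNS, not web content."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines rather than fail the whole scan
        ts, client, _method, url, _status = parts[:5]
        host = urlsplit(url).hostname or ""
        if not is_arpa_host(host):
            continue
        prefix = reverse_name_to_prefix(host)
        findings.append({
            "time": ts,
            "client": client,
            "host": host,
            "reverse_prefix": str(prefix) if prefix else None,
        })
    return findings


if __name__ == "__main__":
    for finding in flag_arpa_web_requests(SAMPLE_PROXY_LOG):
        print(finding)
```

The last sample line (`arpa.example.net`) is deliberately not flagged: the check keys on the actual top-level label, not on the substring "arpa", which keeps the rule low-noise when used as a blocking or alerting condition.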

“Reverse DNS space was never designed to host web content, so most defenses don’t even look at it as a potential threat surface. By turning .arpa into a delivery mechanism for phishing, these actors effectively step around traditional controls.”

– Dr. Renée Burton, VP of Threat Intel at the DNS security firm

Broader Campaign

The abuse of the .arpa domain is just one part of a broader campaign. The threat actors also employ other tactics, including the use of dangling CNAMEs to take over expired domains from organizations, such as universities, media companies, and government agencies. In one instance, the scammers hijacked over 120 local newspaper websites by exploiting an expired domain.

Additional Tactics

Additionally, the group uses domain shadowing, where they create secret subdomains under legitimate brand names, often through stolen login credentials. One such shadow domain has reportedly operated undetected since 2020.
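Both the dangling-CNAME takeovers and the shadow subdomains described above are found from the defender's side by auditing an organisation's own zone against two things: whether each CNAME target still resolves, and whether each name is one the organisation actually approved. The following is an added example (not code from the article or the researchers); the zone records, approved-name inventory and resolver answers are all constructed, and the `resolve` callable is a stub standing in for a real DNS lookup of the CNAME target.

```python
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed zone export for a hypothetical organisation (not from the article):
# (owner name, record type, record data).
ZONE_RECORDS: List[Tuple[str, str, str]] = [
    ("www.example.org", "A", "203.0.113.10"),
    ("news.example.org", "CNAME", "site.old-hosting-vendor.example"),
    ("blog.example.org", "CNAME", "blog.hosting-vendor.example"),
    ("login-verify.example.org", "A", "198.51.100.23"),
]

# Names the organisation's change records say should exist (constructed).
APPROVED_NAMES: Set[str] = {"www.example.org", "news.example.org", "blog.example.org"}

# Constructed resolver answers keyed by CNAME target. None models NXDOMAIN,
# i.e. the target domain is expired or unregistered. A real audit would query
# DNS here instead of a dictionary.
RESOLVER_ANSWERS: Dict[str, Optional[List[str]]] = {
    "blog.hosting-vendor.example": ["203.0.113.55"],
    "site.old-hosting-vendor.example": None,
}


def stub_resolve(target: str) -> Optional[List[str]]:
    """Stub resolver: unknown targets are treated as NXDOMAIN."""
    return RESOLVER_ANSWERS.get(target)


def audit_zone(records, approved_names: Set[str],
               resolve: Callable[[str], Optional[List[str]]]) -> List[dict]:
    """Return findings for (a) CNAMEs whose target no longer resolves, which
    is the precondition for a dangling-CNAME takeover, and (b) names that are
    not in the approved inventory, which is how a shadow subdomain created
    with stolen credentials shows up."""
    findings = []
    for owner, rtype, rdata in records:
        if owner not in approved_names:
            findings.append({
                "name": owner,
                "issue": "unexpected-subdomain",
                "detail": f"{rtype} {rdata}",
            })
        if rtype == "CNAME" and resolve(rdata) is None:
            findings.append({
                "name": owner,
                "issue": "dangling-cname",
                "detail": rdata,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_zone(ZONE_RECORDS, APPROVED_NAMES, stub_resolve):
        print(finding)
```

Run periodically against an export from the authoritative provider, the two finding types map directly to the remediations: delete or repoint a dangling CNAME before the target domain can be re-registered, and treat an unapproved name as a credential-compromise signal, not just a DNS tidy-up.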

Phishing Emails

The phishing emails used in these attacks are simple, typically promising a gift or claiming that a cloud storage quota has been exceeded. The emails often contain a large image that, when clicked, directs the user through a Traffic Distribution System (TDS). The TDS checks the user’s device and IP address before displaying the final scam page, which is designed to steal credit card details under the guise of paying for shipping.

Protection

To protect themselves, users should be cautious of unsolicited emails with clickable images, especially those that promise gifts or arrive from unfamiliar senders.
