
.arpa top-level domain (TLD) and IPv6 tunnels to bypass traditional security controls.
By hosting malicious links on domains strictly designed for internet infrastructure, threat actors are weaponizing trusted reverse DNS spaces to deliver fraudulent content without triggering domain reputation blocklists.
The .arpa and IPv6 Loophole
The .arpa TLD (Address and Routing Parameter Area) is not a consumer-facing namespace like .com or .net; it is reserved for internet infrastructure.
Its best-known zones are in-addr.arpa and ip6.arpa, which hold the reverse DNS (PTR) records that map IPv4 and IPv6 addresses back to hostnames, and nothing under it is intended to host web content.
To execute the attack, threat actors obtain free IPv6 address space, typically a prefix from a tunnel broker, which comes with the ability to manage the matching ip6.arpa reverse zone, because the holder of a prefix is expected to publish PTR records there.
Instead of adding the expected PTR records, they use the record management feature of certain providers to create 'A' records under those reverse names.
Nothing in DNS forbids an A record under ip6.arpa, so a reverse name such as d.d.e...ip6.arpa (the hex nibbles of the IPv6 address written one per label, least significant first) resolves and works as an ordinary hostname in a phishing link.
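To make the name structure concrete, the following Python (an added example, not code from the article or from Infoblox) builds an ip6.arpa name from an IPv6 address or prefix, parses one back into a network, and works out the /64 a given name falls in, which in the tunnel-broker scenario is the block the attacker controls. The addresses are documentation-range samples constructed for the example, and the function names are my own.

```python
import ipaddress
import re

# An ip6.arpa name is the 32 hex nibbles of an IPv6 address, one per label,
# least-significant nibble first, under "ip6.arpa". A delegated prefix such as a
# tunnel broker's /64 is the same string cut after 16 nibbles, and everything
# below that cut is controlled by whoever holds the prefix.

_NIBBLE = re.compile(r"^[0-9a-f]$")


def ip6_arpa_name(address: str, prefix_len: int = 128) -> str:
    """ip6.arpa name for an address, or for its first prefix_len bits."""
    if prefix_len % 4 or not 0 < prefix_len <= 128:
        raise ValueError("prefix_len must be a multiple of 4 between 4 and 128")
    nibbles = f"{int(ipaddress.IPv6Address(address)):032x}"
    kept = nibbles[: prefix_len // 4]          # drop the part below the prefix
    return ".".join(reversed(kept)) + ".ip6.arpa"


def parse_ip6_arpa(name: str):
    """Inverse of ip6_arpa_name.

    Returns (IPv6Network, prefix_len) for a syntactically valid ip6.arpa name,
    full or partial, and None for anything else (ordinary hostnames, names with
    non-hex labels, or a bare ip6.arpa).
    """
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] != ["ip6", "arpa"]:
        return None
    nibs = labels[:-2]
    if not nibs or len(nibs) > 32 or not all(_NIBBLE.match(n) for n in nibs):
        return None
    hexstr = "".join(reversed(nibs)).ljust(32, "0")   # pad the missing low nibbles
    prefix_len = 4 * len(nibs)
    return ipaddress.IPv6Network((int(hexstr, 16), prefix_len)), prefix_len


def delegated_64(name: str):
    """The /64 an ip6.arpa name belongs to.

    For the tunnel-broker scenario in the article the /64 is the block the
    attacker was handed, so it is a better hunting and blocking unit than the
    single 128-bit name seen in one email. Names shorter than 16 nibbles
    already describe a block at least as wide as a /64 and are returned as-is.
    """
    parsed = parse_ip6_arpa(name)
    if parsed is None:
        return None
    net, prefix_len = parsed
    if prefix_len <= 64:
        return net
    top = int(net.network_address) >> 64 << 64   # clear the interface-id bits
    return ipaddress.IPv6Network((top, 64))


if __name__ == "__main__":
    # Constructed sample: a documentation-range address, not a real indicator.
    full = ip6_arpa_name("2001:db8:1234:abcd::1")
    print(full)                                        # 32 nibble labels + ip6.arpa
    print(ip6_arpa_name("2001:db8:1234:abcd::", 64))   # the /64 cut of the same name
    print(parse_ip6_arpa(full))
    print(delegated_64(full))
    print(parse_ip6_arpa("www.example.com"))           # None: not a reverse name
```

A reverse name seen in a lure is rarely worth blocking on its own; the attacker can publish A records for any address in the prefix they hold, so `delegated_64` gives the unit to hunt on. Comparing `ip6_arpa_name` against `ipaddress.IPv6Address(...).reverse_pointer` is a quick sanity check that the nibble order is right.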

Because .arpa is critical to global internet operations, security tools rarely block or scrutinize names under it, and a reputation blocklist keyed on registered domains has no entry to match against an infrastructure name.
According to Infoblox, the campaigns typically begin with spam emails that impersonate well-known brands, promising a "free gift" or warning that a cloud storage quota has been exceeded.
The message body is a single image wrapped in a hyperlink, so the victim never sees the unusual .arpa string before clicking, and there is almost no text for a content filter to inspect.
Clicking the lure does not lead straight to the phishing page: the victim is first routed through a Traffic Distribution System (TDS) that fingerprints the device and connection type.
Visitors that match the target profile, such as a mobile device on a residential IP network, are redirected through a chain of domains to the malicious landing page; everyone else is sent to a benign site or shown an error message.
This filtering also means that analysts and sandboxes connecting from datacenter or corporate address space usually see only the decoy, so fetching an indicator and getting nothing suspicious back is not evidence that the link is clean.
Alongside .arpa abuse, attackers are hijacking dangling CNAME records to bypass email security filters.

The underlying weakness is a dangling CNAME: an organization points a subdomain at a third-party service, the vendor's domain later expires, and nobody removes the record. Whoever registers the expired domain then controls what that subdomain resolves to and inherits the reputation of the parent domain.
For example, the expiration of publicnoticessites[.]com and hobsonsms[.]com let attackers instantly take over multiple trusted subdomains belonging to government agencies, universities, and global corporations.
Indicators of Compromise (IOCs)
Organizations should monitor DNS and web traffic for .arpa names being resolved or visited as ordinary hostnames (anything other than PTR lookups), and audit their own zones for CNAME records whose target domains have expired.
Below is a selection of indicators associated with these phishing campaigns.
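As an added example that is not part of the article or its indicator list, the following Python implements both recommendations: a pass over resolver logs that flags address-type (A/AAAA/HTTPS) lookups of .arpa names, which normal clients have no reason to issue, and an audit of a zone export for CNAME records whose target domain is no longer registered, the dangling-CNAME condition described above. The log format, the zone records, the owner names and the `STILL_REGISTERED` stand-in for a registration lookup are all constructed for the example; the two expired vendor domains are the ones named in the article.

```python
import re
from typing import Callable, Iterable, List, Tuple
from urllib.parse import urlsplit

# Query types a browser or mail client issues to reach a web host. Legitimate
# traffic under .arpa is PTR lookups plus the NS/SOA/DS/DNSKEY records that
# delegate and sign those zones; none of it should ever ask for an address.
WEB_QTYPES = {"A", "AAAA", "HTTPS"}

# Constructed sample in a "<timestamp> <client> <qname> <qtype>" shape; adjust
# _LOG_LINE to your resolver's export format. The ip6.arpa name is built from a
# documentation-range prefix, not a real indicator.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.d.c.b.a.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa PTR
2024-05-01T10:00:02Z 10.0.0.7 5.1.168.192.in-addr.arpa PTR
2024-05-01T10:00:03Z 10.0.0.9 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.d.c.b.a.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa A
2024-05-01T10:00:04Z 10.0.0.9 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.d.c.b.a.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa AAAA
2024-05-01T10:00:05Z 10.0.0.9 www.example.com A
"""
_LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def is_arpa_name(host: str) -> bool:
    """True for any name under the .arpa infrastructure TLD."""
    host = host.rstrip(".").lower()
    return host == "arpa" or host.endswith(".arpa")


def flag_arpa_queries(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client, qname, qtype) for address-type lookups of .arpa names.

    A PTR for a reverse name is normal; an A or AAAA for one means a client is
    about to connect to it as a web host, which is the abuse in the article.
    """
    hits = []
    for line in lines:
        m = _LOG_LINE.match(line)
        if not m:
            continue                                   # skip malformed lines
        _, client, qname, qtype = m.groups()
        if qtype.upper() in WEB_QTYPES and is_arpa_name(qname):
            hits.append((client, qname.rstrip(".").lower(), qtype.upper()))
    return hits


def is_arpa_url(url: str) -> bool:
    """True when a URL (e.g. from a mail gateway's link log) points at a .arpa host."""
    host = urlsplit(url).hostname
    return bool(host) and is_arpa_name(host)


# ---- the second recommendation: audit your own zones for dangling CNAMEs ----

def registrable_domain(fqdn: str) -> str:
    """Last two labels of a name. This is a simplification for the example;
    production code should consult the Public Suffix List so that names such as
    host.example.co.uk are split correctly."""
    return ".".join(fqdn.rstrip(".").lower().split(".")[-2:])


def find_dangling_cnames(records, is_registered: Callable[[str], bool]):
    """Report CNAMEs whose target's domain is no longer registered.

    records: (owner, rtype, rdata) tuples from a zone export.
    is_registered: lookup you supply (RDAP/WHOIS, or an NS query at the apex).
    """
    dangling = []
    for owner, rtype, rdata in records:
        if rtype.upper() != "CNAME":
            continue
        base = registrable_domain(rdata)
        if not is_registered(base):
            dangling.append((owner, rdata.rstrip("."), base))
    return dangling


# Constructed zone export. The two vendor domains are the expired ones named in
# the article; the owner names are placeholders, not real victims.
SAMPLE_ZONE = [
    ("notices.example.gov", "CNAME", "example-gov.publicnoticessites.com."),
    ("sms.example.edu", "CNAME", "portal.hobsonsms.com."),
    ("www.example.gov", "CNAME", "example-gov.cdn.example.net."),
    ("mail.example.gov", "A", "192.0.2.10"),
]
# Stand-in for a registration lookup: only these apexes count as still registered.
STILL_REGISTERED = {"example.net", "example.gov", "example.edu"}


if __name__ == "__main__":
    for hit in flag_arpa_queries(SAMPLE_DNS_LOG.splitlines()):
        print("address lookup for a reverse name:", hit)
    print(is_arpa_url("http://1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.d.c.b.a.4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa/gift"))
    for owner, target, base in find_dangling_cnames(SAMPLE_ZONE, STILL_REGISTERED.__contains__):
        print(f"dangling: {owner} -> {target} ({base} is not registered)")
```

In production, replace `STILL_REGISTERED.__contains__` with an RDAP query or an NS lookup at the apex (NXDOMAIN at the apex is the signal), and keep PTR lookups for reverse names out of the alert: they are what .arpa is for, and alerting on them will bury the two or three A/AAAA lookups that matter.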
The post Phishing Campaigns Target .arpa TLD and IPv6 Tunnels to Evade Security Measures appeared first on Cyber Security News.
