Phishers abuse little-known core Internet infrastructure

Threat actors have discovered a creative misuse of reverse domain name system (DNS) delegation to deliver phishing campaigns through a part of the domain name system that was never designed to host websites.

In doing so, the attackers are exploiting a blindspot in many organisations' security defences.

Research by security vendor Infoblox shows that criminals are abusing the .arpa top-level domain (TLD) to deliver brand-impersonation spam, a novel technique that has previously not been reported.

The .arpa name stands for Address and Routing Parameter Area.

It traces its roots to ARPA, the Advanced Research Projects Agency, the United States' defence research body that funded the original ARPANET Internet precursor in the late 1960s.

Today, the .arpa domain supports core internet infrastructure functions, mainly DNS lookups that map Internet Protocol addresses back to hostnames.

Because it is not intended to host web content, many security tools treat it accordingly and overlook checking the domain, something that attackers are now taking advantage of.

The campaigns exploit the way reverse DNS is delegated for IPv6 address space.

By obtaining free IPv6 address space through tunnelling services such as Hurricane Electric, attackers gain administrative control of the corresponding reverse DNS zone, then point it at their own content rather than the expected pointer records.

Attackers do not actually use the IPv6 tunnel for traffic; instead, it is acquired as a mechanism to gain control of the corresponding IPv6 address range, and its .arpa subdomain.

Phishing emails in the observed campaigns impersonate major brands with promises of free gifts or prize winnings, and online subscription alerts.

Each message is a single image with a hyperlink embedded inside it, ensuring the victim never sees the unusual .arpa-based address before clicking.

From there, a traffic distribution system fingerprints the victim's device and connection before routing them to a fraudulent page, a technique that also complicates takedown efforts by showing different content to different observers.

Infoblox confirmed different forms of abuse of Hurricane Electric and Cloudflare infrastructure, both of which are reputable infrastructure companies which attackers leverage to their advantage.

"When we see attackers abusing .arpa, they're weaponising the very core of the internet," Dr. Renée Burton, VP of Infoblox Threat Intel, said.

"Reverse DNS space was never designed to host web content, so most defences don't even look at it as a potential threat surface," she said.

Attackers can use the technique to bypass traditional controls that check domain reputation and URL structure, Burton explained.

In light of the research, DNS providers may need to reconsider whether record-management features should allow A records to be created in infrastructure-oriented namespaces without additional monitoring and verification.

The Certification Authority Browser Forum (CA/B) industry association will stop issuing certificates for in-addr.arpa and ip6.arpa domains; this will cause web browsers to alert users about attempting to access sites without a web public key infrastructure certificate, the chief scientist of APNIC, Geoff Huston, said.

Another DNS-related form of abuse discovered by Infoblox involves so called dangling canonical name (CNAME) records.

Attackers have discovered that they can take advantage of expired domains that have CNAME records in the DNS, and inherit control of every subdomain pointed to the main name.

This allows attackers to serve content under the same reputation as the original organisation.

In one example, an attacker registered a domain that had lapsed, and instantly gained access to CNAME records that belonged to more than 120 local newspaper websites.

Over 100 hijacked subdomains were found by Infoblox, belonging to government agencies, universities, telcos, media companies and global retailers, going back as far as 2020, and seen consistently by the security vendor since last year.

Infoblox has published indicators of compromise on GitHub as part of its standard practice of sharing threat intelligence with the broader security community.