Internet Infrastructure TLD .arpa Abused in Phishing Attacks
securityweek
A threat actor has been abusing the internet infrastructure top-level domain (TLD) .arpa to host phishing content on domains that should not resolve to IP addresses, Infoblox reports.
The .arpa TLD is designed to map IP addresses to domains, providing reverse DNS records, and should not host web content, as other TLDs do.
As part of the newly uncovered campaign, however, a threat actor has been abusing DNS record management controls of certain providers to add IP address records for .arpa domains and serve phishing content to victims.
Impersonating major brands, the phishing emails display an image hiding an embedded hyperlink designed to take the victim to the malicious website after a series of redirects.
The links use a reverse DNS string instead of a standard domain name, but the actual domain is hidden from the victim’s view to avoid raising suspicion.
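A mail-filter style check for the links described above, as an added example that is not from Infoblox or the original article: it pulls anchors out of an HTML body, flags any whose host is under .arpa, records whether the anchor wraps an image, and decodes the address the reverse name encodes. The function names and the sample body are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect <a href> targets and note whether each anchor wraps an <img>."""
    def __init__(self):
        super().__init__()
        self.links, self._open = [], None
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._open = {"href": attrs["href"], "wraps_image": False}
            self.links.append(self._open)
        elif tag == "img" and self._open is not None:
            self._open["wraps_image"] = True
    def handle_endtag(self, tag):
        if tag == "a":
            self._open = None

# Reverse zones: label validator, output separator, labels per output group.
ZONES = {"in-addr": (lambda s: s.isascii() and s.isdigit() and int(s) < 256, ".", 1),
         "ip6": (lambda s: len(s) == 1 and s in "0123456789abcdef", ":", 4)}

def decode_reverse_name(host):
    """Return the address prefix a reverse-DNS name encodes, or None."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != "arpa" or labels[-2] not in ZONES:
        return None
    ok, sep, group = ZONES[labels[-2]]
    parts = []
    for label in reversed(labels[:-2]):  # rightmost label is most significant
        if not ok(label):
            break  # stop at any label that is not part of the encoded address
        parts.append(label)
    return sep.join("".join(parts[i:i + group]) for i in range(0, len(parts), group))

def find_arpa_links(html_body):
    """Return one finding per link whose host is under the .arpa TLD."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for link in collector.links:
        host = (urlsplit(link["href"]).hostname or "").rstrip(".")
        if host == "arpa" or host.endswith(".arpa"):
            findings.append({**link, "host": host, "encodes": decode_reverse_name(host)})
    return findings

# Constructed sample e-mail body; documentation address ranges only.
SAMPLE = ('<a href="https://8.b.d.0.1.0.0.2.ip6.arpa/offer"><img src="cid:banner"></a>'
          '<a href="https://www.example.com/help">Help</a>'
          '<a href="http://10.2.0.192.in-addr.arpa/">status</a>')
```

Because .arpa names are not expected to serve web content, any hit from `find_arpa_links` in inbound mail is worth quarantining or alerting on, and the `encodes` value gives the address block whose reverse zone to look up.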
As part of the .arpa phishing campaign ...
Copyright of this story solely belongs to securityweek.

