domains Actors are abusing the .arpa domain for phishing scams

[Lox]

Actors are abusing the .arpa top-level domain (TLD), in conjunction with IPv6 tunnels, to host phishing content on domains that should not resolve to an IP address. Unlike familiar TLDs like .com and .net, that are used for domains that host web content, the .arpa TLD has a special role in the domain name system (DNS): it’s primarily used to map IP addresses to domains, providing reverse records. Threat actors have discovered a feature in the DNS record management control of certain providers, which allows them to add IP address records for .arpa domains. From there, they can do whatever they like at the hosting provider. It’s a pretty clever trick.

read more

 

[Ali Mustafa]

read more

This is a fascinating but worrying development. The abuse of .arpa shows how attackers are increasingly targeting trusted infrastructure layers rather than traditional domains. Techniques like reverse DNS abuse, dangling CNAME hijacks, and traffic distribution systems highlight how DNS misconfigurations can become powerful attack vectors. It’s another reminder that DNS hygiene and monitoring are just as important as domain reputation checks.