Hackers abuse .arpa internet infrastructure to hide phishing scams
Farah Amod
March 19, 2026
Researchers say attackers are exploiting a technical part of the internet infrastructure to host phishing campaigns.
What happened
Threat actors are exploiting the .arpa domain space, part of the internet’s core infrastructure originally tied to the early ARPANET, to run phishing campaigns that can bypass traditional security checks. Reporting from Vice describes how attackers use misconfigured or hijacked domain records to host scam pages that remain difficult to detect. Research found that attackers manipulated CNAME records, a type of DNS entry that redirects one domain name to another, thereby routing victims through legitimate infrastructure. Investigators identified more than 100 cases in which attackers exploited subdomains of government agencies, universities, telecommunications providers, media organizations, and retailers to distribute phishing links that appeared trustworthy.
Going deeper
The .arpa domain is not intended for public websites but supports core internet infrastructure services such as reverse DNS lookups, which allow systems to translate IP addresses into domain names. Because these records operate in the background, they are rarely examined by users or many security tools. Attackers take advantage of that by chaining hijacked domain records and redirects so phishing pages appear connected to legitimate domains even when the infrastructure is controlled by criminals. Investigators found campaigns using simple lures such as messages claiming users had won a free gift, exceeded cloud storage limits, or needed to verify a disrupted subscription. Victims who followed the links were ultimately asked to provide payment details under the pretext of small shipping or verification fees.
What was said
Researchers described the tactic in their February 26 analysis of the campaign, noting that “a notable tactic we have observed in the phishing email hyperlinks is the abuse of subdomains of high-profile, legitimate domains.” According to investigators, the attackers used hijacked CNAME records, which are domain settings that redirect one web address to another, to make malicious links appear trustworthy. The report states that analysts “found over 100 instances where the threat actor used hijacked CNAMEs of well-known government agencies, universities, telecommunication companies, media organizations, and retailers.”
In the know
TechTarget describes ARPANET as the world’s first operational packet-switched network and the forerunner of the modern internet. Commissioned by the U.S. Department of Defense in the late 1960s, the network sent its first message in 1969 and was eventually decommissioned in 1989. Many core networking technologies used today, including the foundations of TCP/IP communication, were originally developed through ARPANET’s research-driven experiments.
The big picture
According to CSO Online, the technique of abusing the .arpa domain shows how attackers continue to exploit older internet infrastructure in new ways. One security expert described it as “a brilliant, old school move to find vulnerabilities in the complexity of the evolution of the internet,” noting that combining modern IPv6 infrastructure with legacy ARPANET systems “may qualify as one of the most interesting hacks so far this year.” The analysis also suggested that although the current campaign involves relatively basic scams, the same method could be used by more sophisticated threat groups for targeted phishing attacks.
FAQs
What is the .arpa domain, and why is it normally hidden from users?
The .arpa domain is part of the internet’s core infrastructure and is primarily used for technical functions such as reverse DNS lookups, which translate IP addresses back into domain names. Because these processes run in the background and are not designed for public websites, most users never encounter .arpa domains directly.
Why would attackers use infrastructure like .arpa instead of registering new phishing domains?
Using existing infrastructure allows attackers to hide within trusted systems rather than relying on newly created domains that security tools often flag quickly. When phishing activity appears connected to legitimate domains or network functions, it can evade automated filters and appear more credible to victims.
How do hijacked CNAME records help phishing campaigns work?
A CNAME record makes one domain name an alias for another, so a lookup of the alias is answered with the records of the target name. If attackers gain control of a CNAME target or exploit a misconfigured record, they can quietly route traffic through a trusted domain before delivering the phishing page, making the malicious link appear legitimate.
Could organizations unknowingly contribute to these phishing campaigns?
Yes. If organizations leave DNS records misconfigured or fail to remove unused subdomains, attackers can hijack those records. In these cases, legitimate organizations may not realize their infrastructure is being used as part of a phishing chain.
What steps can organizations take to reduce the risk of this type of abuse?
Security teams can reduce risk by regularly auditing DNS records, removing unused subdomains, monitoring for unexpected CNAME changes, and implementing DNS security controls that detect suspicious redirects or infrastructure misuse.
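The audit steps above (checking CNAME records, spotting dangling targets, watching for unexpected changes, and flagging redirects into infrastructure space such as .arpa) can be scripted against a zone export. The following is an added example written for this article, not code from the researchers, Vice, or Paubox. It works entirely offline: the zone snapshots and the "resolver view" of external names are constructed placeholder data, and all names and addresses are hypothetical. In practice you would replace EXTERNAL_ANSWERS with real lookups of each CNAME target.

```python
"""Offline audit of CNAME records in a DNS zone snapshot.

Finds three things a defender cares about:
  * dangling CNAMEs (the target no longer answers, so it could be claimed)
  * CNAME chains that lead under .arpa, which should never host a web page
  * CNAMEs that were added or changed since a known-good baseline
"""
from __future__ import annotations

# Constructed zone snapshots: owner name -> (record type, value).
# All names use reserved documentation namespaces and are hypothetical.
BASELINE_SNAPSHOT = {
    "www.example.org.": ("A", "192.0.2.10"),
    "mail.example.org.": ("A", "192.0.2.25"),
    "promo.example.org.": ("CNAME", "promo-host.saas-vendor.example."),
    "old-app.example.org.": ("CNAME", "app-42.cloud-host.example."),
}

CURRENT_SNAPSHOT = dict(BASELINE_SNAPSHOT)
# Constructed change: a new alias that points into the IPv6 reverse tree.
CURRENT_SNAPSHOT["offers.example.org."] = (
    "CNAME", "cdn.8.b.d.0.1.0.0.2.ip6.arpa.")

# Constructed resolver view for names outside our zone. A name that is
# absent here stands for NXDOMAIN (nothing answers for it any more).
EXTERNAL_ANSWERS = {
    "promo-host.saas-vendor.example.": ("A", "198.51.100.7"),
    "cdn.8.b.d.0.1.0.0.2.ip6.arpa.": ("A", "203.0.113.9"),
    # "app-42.cloud-host.example." deliberately missing: decommissioned host
}

MAX_CHAIN = 8  # stop runaway chains; real resolvers also cap this


def follow_chain(name, zone, external):
    """Follow CNAMEs from `name`; return (names visited, terminal record).

    The terminal record is None when the chain dangles (no answer) or loops.
    """
    chain, seen, current = [name], {name}, name
    for _ in range(MAX_CHAIN):
        record = zone.get(current) or external.get(current)
        if record is None:
            return chain, None            # dangling: nothing answers here
        rtype, target = record
        if rtype != "CNAME":
            return chain, record          # reached a real (non-alias) record
        if target in seen:
            return chain, None            # CNAME loop
        seen.add(target)
        chain.append(target)
        current = target
    return chain, None                    # chain too long to be legitimate


def audit_zone(zone, external, baseline=None):
    """Return a list of (owner name, finding, detail) tuples for the zone."""
    findings = []
    for name, (rtype, target) in sorted(zone.items()):
        if rtype != "CNAME":
            continue
        chain, terminal = follow_chain(name, zone, external)
        if terminal is None:
            findings.append((name, "dangling-cname", chain[-1]))
        for hop in chain[1:]:
            if hop.endswith(".arpa."):
                findings.append((name, "cname-into-arpa", hop))
                break
        if baseline is not None:
            old = baseline.get(name)
            if old is None:
                findings.append((name, "new-cname", target))
            elif old != (rtype, target):
                findings.append((name, "changed-cname", f"{old[1]} -> {target}"))
    return findings


if __name__ == "__main__":
    for owner, finding, detail in audit_zone(
            CURRENT_SNAPSHOT, EXTERNAL_ANSWERS, BASELINE_SNAPSHOT):
        print(f"{finding:16} {owner:24} {detail}")
```

Each finding maps to one of the mitigations listed above: a dangling CNAME is an unused record to remove, a chain into .arpa is a suspicious redirect to investigate, and a new or changed CNAME is exactly the "unexpected change" that a scheduled diff against the baseline surfaces.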
