
He pointed out that “.arpa” queries are typically pointer (PTR) queries for reverse lookups. In the malicious queries, normal address (A or AAAA) queries will be used. The hostname will also be atypical. A normal in-addr.arpa hostname has a very specific format, with an IP address followed by the in-addr.arpa suffix. Anything else with that suffix should be blocked, or at least alerted on, he said.
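The two checks described above, as an added example that is not from the article or the quoted researcher: decode a `.arpa` name back to the address it should encode, and flag any `.arpa` query that asks for an A/AAAA record or whose name is not a well-formed reverse-lookup name. The log entries are constructed for illustration.

```python
import ipaddress
import re

def arpa_name_to_ip(name):
    """Decode a full reverse-lookup name to the IP it encodes; None if it is not one."""
    name = name.rstrip(".").lower()
    if name.endswith(".in-addr.arpa"):
        octets = name[: -len(".in-addr.arpa")].split(".")
        # A complete IPv4 reverse name is exactly four decimal octets, least significant first.
        if len(octets) != 4 or not all(o.isdigit() and o == str(int(o)) and int(o) <= 255 for o in octets):
            return None
        return ipaddress.IPv4Address(".".join(reversed(octets)))
    if name.endswith(".ip6.arpa"):
        nibbles = name[: -len(".ip6.arpa")].split(".")
        # A complete IPv6 reverse name is exactly 32 hex nibbles, least significant first.
        if len(nibbles) != 32 or not all(re.fullmatch(r"[0-9a-f]", n) for n in nibbles):
            return None
        hexstr = "".join(reversed(nibbles))
        return ipaddress.IPv6Address(":".join(hexstr[i:i + 4] for i in range(0, 32, 4)))
    return None

def classify_query(qname, qtype):
    """Apply the two heuristics from the article to one (qname, qtype) pair."""
    n = qname.rstrip(".").lower()
    if n != "arpa" and not n.endswith(".arpa"):
        return "ok"
    if qtype.upper() in ("A", "AAAA"):
        return "alert: address record requested under .arpa"
    if arpa_name_to_ip(qname) is None:
        return "alert: .arpa name is not a well-formed reverse-lookup name"
    return "ok"

def scan_log(entries):
    """Return [(qname, qtype, verdict)] for every entry whose verdict is not 'ok'."""
    hits = []
    for qname, qtype in entries:
        verdict = classify_query(qname, qtype)
        if verdict != "ok":
            hits.append((qname, qtype, verdict))
    return hits

# Constructed sample resolver log entries (qname, qtype); not taken from the article.
SAMPLE_QUERIES = [
    ("4.3.2.1.in-addr.arpa.", "PTR"),                               # 1.2.3.4, legitimate
    ("1.0.0.0." + "0." * 20 + "8.b.d.0.1.0.0.2.ip6.arpa.", "PTR"),  # 2001:db8::1, legitimate
    ("login-secure.1.0.0.0.ip6.arpa.", "A"),                         # address lookup under .arpa
    ("account-verify.in-addr.arpa.", "AAAA"),                        # address lookup under .arpa
    ("notanip.in-addr.arpa.", "PTR"),                                # wrong shape for a PTR name
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_QUERIES):
        print(*hit)
```

Partial reverse names (classless delegations, zone-apex SOA/NS queries such as `8.b.d.0.1.0.0.2.ip6.arpa`) are also flagged by the strict shape check, so allowlist the delegations your own infrastructure queries before blocking on this rule.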
“It’s a brilliant, old school move to find vulnerabilities in the complexity of the evolution of the internet,” said David Shipley, head of Canadian security awareness training provider Beauceron Security. “To figure out how to combine the newest part of the web, IPv6, with the oldest, Arpanet, may qualify as one of the most interesting hacks so far this year.
“The fact these were used for fairly basic scam-type phishes is likely the result of someone learning this trick recently, but my gut says it’s been abused a lot longer, by far more sophisticated groups for more targeted attacks. Clever hacks like this are great evidence to keep in mind the next time a vendor says they stop 99.9% of phishing,” he added.