Hackers abuse .arpa DNS and ipv6 to evade phishing defenses

Hackers Are Shitting All Over Your Precious DNS Again, And You’re All Too Stupid To Notice

Oh for fuck’s sake. Look at you lot, clicking on every bloody email that lands in your inbox like a pack of rabid hyenas chasing a dropped kebab. Now the bastards have figured out they can weaponize reverse DNS and IPv6—the two most sodding annoying technologies in existence—to make their phishing crap look legit, and you’re all falling for it hook, line, and sinker.

Here’s the technical shit you won’t understand but I’ll explain anyway because I’m feeling particularly generous today (or maybe just vindictive). These digital miscreants are abusing the in-addr.arpa and ip6.arpa zones—that’s reverse DNS to you neanderthals—by registering chunks of IPv6 address space they don’t deserve and setting up PTR records that claim they belong to Microsoft, Amazon, or whatever big corporate name makes your compliance department wet their knickers.

You see, when some overpriced email security appliance does a reverse lookup on these IPv6 addresses, it sees “oh look, it’s outlook.com” or some other trustworthy domain in the PTR record, and promptly rolls over like a submissive puppy, wagging its tail while the phishing payload slides right past your defenses. It’s like putting a fucking burglar alarm sticker on your window while the actual burglar is already inside stealing your telly—but your security team is too busy playing Candy Crush to notice the difference between a legitimate DNS record and a forged one.
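The check that appliance skipped is forward-confirmed reverse DNS: believe a PTR name only if that name's own A/AAAA records point back at the sending address. Added example, not code from the original post; the zone data is constructed with documentation prefixes (2001:db8::/32, 192.0.2.0/24) in place of live DNS, and the two lookup callbacks stand in for a resolver.

```python
import ipaddress
from typing import Callable, Dict, List

def reverse_name(ip: str) -> str:
    """Name queried for the PTR record: dotted-reversed in-addr.arpa for IPv4,
    nibble-reversed ip6.arpa for IPv6 (what the attacker's reverse zone answers for)."""
    return ipaddress.ip_address(ip).reverse_pointer

def fcrdns_verdict(ip: str,
                   ptr_lookup: Callable[[str], List[str]],
                   forward_lookup: Callable[[str], List[str]]) -> str:
    """Forward-confirmed reverse DNS. The PTR name is only trusted when the
    name's A/AAAA set contains ip itself. Returns 'confirmed', 'mismatch' or 'none'."""
    addr = ipaddress.ip_address(ip)
    names = ptr_lookup(reverse_name(ip))
    if not names:
        return "none"
    for name in names:
        forward = set()
        for a in forward_lookup(name):
            try:
                forward.add(ipaddress.ip_address(a))
            except ValueError:
                continue  # ignore junk answers rather than crash the filter
        if addr in forward:
            return "confirmed"
    return "mismatch"  # PTR claims a name that does not resolve back here

# Constructed records standing in for DNS (assumed, not real hosts).
PTR_RECORDS: Dict[str, List[str]] = {
    reverse_name("2001:db8:b::25"): ["mail.example.net"],   # honest mail host
    reverse_name("2001:db8:bad::1"): ["outlook.com"],       # attacker-run ip6.arpa zone
    reverse_name("192.0.2.10"): ["mail.example.net"],
}
FORWARD_RECORDS: Dict[str, List[str]] = {
    "mail.example.net": ["2001:db8:b::25", "192.0.2.10"],
    "outlook.com": ["2001:db8:cafe::1"],  # the brand's own address is not the sender's
}

def ptr_lookup(name: str) -> List[str]:
    return PTR_RECORDS.get(name, [])

def forward_lookup(name: str) -> List[str]:
    return FORWARD_RECORDS.get(name, [])

if __name__ == "__main__":
    for sender in ("2001:db8:b::25", "2001:db8:bad::1", "2001:db8:99::1"):
        print(sender, "->", fcrdns_verdict(sender, ptr_lookup, forward_lookup))
```

The attacker can put any name in a reverse zone they control, but they cannot make that name's forward records point at their host, which is why the spoofed sender comes back as a mismatch.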

And IPv6! Don’t get me started on that hexadecimal nightmare. These addresses are so bloody long and obtuse that no human—especially not you lot—can tell if 2001:db8::1 is legitimate or if it’s some Russian basement-dweller’s attack server. You can barely remember your own phone number, let alone parse a 128-bit address space. The attackers know this. They count on your eyes glazing over at the sight of all those colons and hex digits.

Microsoft’s security team (the poor bastards who actually have to care about this) found that these twats are using the .arpa infrastructure—which was supposed to be the boring administrative backwater of the internet—to host their malicious redirects. They’re creating subdomains that look like microsoft.com.ip6.arpa or some other bastardized c