Hirewall
Blog Bytes March 9, 2026 2-3 min read

Phishers Hit the Internet's Backbone, and Washington Responds

Attackers are hiding phishing links inside internet infrastructure nobody monitors, and the White House just signed an EO to fight back against the scam networks behind attacks like this.

Tags: phishing, dns, email security, infoblox, executive order, scam

Phishers Found a Blind Spot Nobody Was Watching

Most phishing defenses work by looking at the domain in a link and asking: is this thing sketchy? New registration? Bad reputation? Flagged before? If the answer is yes to any of those, the email gets blocked or the link gets flagged.

Researchers at Infoblox Threat Intel found a campaign that sidesteps all of that by using a domain that security tools almost never look at: .arpa.

You’ve probably never typed .arpa into a browser. That’s the point. It’s a top-level domain reserved strictly for internet infrastructure, specifically for reverse DNS, which is the system that maps an IP address back to a hostname. It’s plumbing. It’s not supposed to host websites, which means most security tools don’t watch it for malicious content, and it has no WHOIS data, no domain age, and no registration history for reputation systems to evaluate.

Attackers figured this out and turned it into a phishing delivery mechanism.

Here’s how the attack works. The group signs up for free IPv6 tunneling services, which hand out large blocks of IP addresses. With those addresses, they get administrative control over the corresponding .arpa subdomain. Then instead of setting up the PTR records those subdomains are supposed to contain, they create A records pointing to servers hosting phishing pages. The result is a fully functional domain like d.d.e.0.6.3.0.0.0.7.4.0.1.0.0.2.ip6.arpa that resolves to a scam site, hidden inside infrastructure that security systems treat as trusted by default.

The phishing emails themselves are simple: a single image, no visible text, with the malicious link embedded in the image. Victims never see the .arpa address before clicking. After clicking, they get routed through a traffic distribution system that checks their device, IP, and browser headers to decide whether they’re a valid target or a security researcher, then redirects accordingly.
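As an added example (not code from the post or from Infoblox), the check below decodes a reverse-DNS name back to the IP prefix it covers and flags any .arpa name that carries an A or AAAA record, which is the anomaly described above; the records are constructed samples, the first using the name quoted in the post.

```python
import ipaddress
import re

# Constructed sample records (not from the Infoblox report): name, type, rdata.
# Address records under ip6.arpa or in-addr.arpa are the anomaly, since
# reverse-DNS names should only carry PTR records.
SAMPLE_RECORDS = [
    ("d.d.e.0.6.3.0.0.0.7.4.0.1.0.0.2.ip6.arpa", "A", "203.0.113.10"),
    ("1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.d.d.e.0.6.3.0.0.0.7.4.0.1.0.0.2.ip6.arpa",
     "PTR", "host.example.net"),
    ("10.113.0.203.in-addr.arpa", "PTR", "mail.example.net"),
    ("10.113.0.203.in-addr.arpa", "A", "198.51.100.7"),
    ("www.example.net", "A", "198.51.100.7"),
]

def arpa_to_prefix(name):
    """Decode an in-addr.arpa / ip6.arpa name to the prefix it covers.
    A partial name (fewer labels than a full address) yields the enclosing
    prefix, which is what a tunnel-broker delegation looks like."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2][::-1]          # labels are least-significant first
        if len(nibbles) > 32 or not all(re.fullmatch(r"[0-9a-f]", n) for n in nibbles):
            return None
        hexstr = "".join(nibbles).ljust(32, "0")
        addr = ":".join(hexstr[i:i + 4] for i in range(0, 32, 4))
        return ipaddress.IPv6Network(f"{addr}/{len(nibbles) * 4}")
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2][::-1]
        if len(octets) > 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
            return None
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.IPv4Network(f"{addr}/{len(octets) * 8}")
    return None

def find_arpa_abuse(records):
    """Return (name, rrtype, rdata, decoded prefix) for every .arpa name that
    carries an address record instead of the expected PTR."""
    findings = []
    for name, rrtype, rdata in records:
        prefix = arpa_to_prefix(name)
        if prefix is not None and rrtype in ("A", "AAAA"):
            findings.append((name, rrtype, rdata, str(prefix)))
    return findings
```

The decoded prefix lets an analyst attribute a flagged name to the allocation it came from (here a /64 under a tunnel provider's range) rather than treating it as an opaque string.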

Infoblox confirmed the technique was working through Hurricane Electric and Cloudflare, both of which have clean reputations that helped the malicious infrastructure blend in. Both providers were notified.

The lures are the usual stuff: you’ve won a prize, here’s your survey reward, your account needs attention. Nothing sophisticated about the bait. The sophistication is entirely in the delivery infrastructure.

There’s a second technique layered on top of the .arpa abuse: dangling CNAME hijacking. When organizations forget to clean up DNS records after a domain expires, those old CNAME records keep pointing at the now-available domain. Attackers buy the expired domain and instantly inherit whatever trust the original organization had built up. Infoblox found over 100 instances of this, hitting government agencies, universities, telecom companies, media organizations, and retailers. In one case, a single expired domain called publicnoticessites.com handed them control over subdomains tied to more than 120 local newspaper websites.
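An added example (not from the post or Infoblox) of the hygiene check that catches dangling CNAMEs: it pulls the registrable domain out of every CNAME target in a zone and groups the owner names that would fall to anyone who registers a lapsed target. The zone and the set of still-registered domains are constructed; in practice the registration status would come from an RDAP or WHOIS lookup.

```python
# Constructed example zone (owner, type, target); not the newspaper zone from
# the report. Two records point at a domain that has lapsed.
ZONE = [
    ("www.news-example.org", "CNAME", "sites.lapsed-notices.example."),
    ("notices.news-example.org", "CNAME", "cdn.lapsed-notices.example."),
    ("mail.news-example.org", "CNAME", "mx.example-hosting.net."),
    ("static.news-example.org", "A", "198.51.100.20"),
]

# Stand-in for an RDAP/WHOIS lookup: the set of still-registered domains is
# constructed here; a real tool queries the registry for each apex.
REGISTERED = {"example-hosting.net", "news-example.org"}

def registrable_domain(host):
    """Last two labels of the target. Simplification: a production check should
    use the Public Suffix List so names under e.g. co.uk are split correctly."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def dangling_cnames(zone, registered):
    """Map each lapsed target domain to the owner names that alias into it, so
    the report shows how many hostnames one registration would capture."""
    exposed = {}
    for owner, rrtype, target in zone:
        if rrtype != "CNAME":
            continue
        apex = registrable_domain(target)
        if apex not in registered:
            exposed.setdefault(apex, []).append(owner)
    return exposed
```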

The practical upshot for regular people is the same as it always has been for phishing: don’t click images in emails promising prizes, rewards, or urgent account warnings. Visit sites directly if you think something needs your attention. But what makes this story worth paying attention to is that even people running sophisticated email security systems got nothing. No reputation signal. No URL red flag. No WHOIS data to examine. The infrastructure looked clean because it lived in a part of the internet nobody was monitoring for this kind of abuse.

That’s changing now that Infoblox has published the research, and hopefully the DNS providers tighten up what records can be added to .arpa subdomains. But the technique will outlast this specific campaign. Once attackers find a blind spot that works, they use it until the blind spot closes.

Trump Signed an Executive Order on Cybercrime This Week

On March 6, President Trump signed an executive order directing federal agencies to get more aggressive against the criminal networks behind online scams, phishing, ransomware, and sextortion. The order is titled “Combating Cybercrime, Fraud, and Predatory Schemes Against American Citizens,” and it comes with some real teeth alongside the usual policy language.

The numbers cited in the White House fact sheet are worth sitting with. American consumers reported losing more than $12.5 billion to cyber-enabled fraud in 2024, with seniors absorbing the largest share of those losses. Separately, 73% of U.S. adults said they experienced some form of online scam or attack last year. Those aren’t made-up statistics. That’s basically three out of four people.

The order has three main parts. First, it requires agencies to develop an action plan for identifying and dismantling the transnational criminal organizations (TCOs) running scam centers, with a dedicated operational cell inside the National Coordination Center handling day-to-day coordination. Second, it directs the Attorney General to prioritize prosecutions of cyber-enabled fraud schemes. Third, and probably the most interesting piece for actual victims, it orders a recommendation for a Victims Restoration Program that would use seized and forfeited funds from convicted fraudsters to pay back victims directly.

That last part is rare. Restitution orders exist but are notoriously hard to enforce, and victims often never see any money. A dedicated program funded by seized criminal assets would be a meaningful shift if it actually gets built out.

The order also takes aim internationally. The Secretary of State is directed to pressure foreign governments to act against TCOs on their soil, with sanctions, visa restrictions, foreign aid reductions, and expulsion of complicit officials all on the table as consequences. Many of the worst scam center operations, the pig butchering networks, the tech support fraud rings, the sextortion gangs, run openly out of countries that have historically been unwilling or unable to shut them down.

The order is light on specifics for now, which is normal for executive orders. The substance will come out in the action plan, which agencies have 120 days to deliver. It’s worth watching which TCOs get named and whether the Victims Restoration Program materializes into something with actual funding.