The attack scenario is like so.

1) The machine evil.hacker.com advertises two IP addresses for itself, the real IP address for that machine (say 1.1.1.1) and a fake IP address for that machine (say 6.6.6.6). The fake IP address is actually the address of target.com, which is the computer the attack applet wants to try to connect to, later on.

2) Someone using a Java-powered browser loads an applet from evil.hacker.com. Now, applets are allowed to make network connections only to the machine they came from, which in this case is evil.hacker.com. However, this attack applet tries to open a connection to the computer named "target.com".

3) The applet security manager does a DNS lookup on the name target.com, and checks if its IP address is in the pool of IP addresses that this applet is allowed to connect to. It gets the address 6.6.6.6. It turns out that this is one of the two addresses associated with evil.hacker.com, and so the connection is allowed. The connection should not be allowed.