A new phishing campaign has emerged that uses hexadecimal IP addresses instead of the conventional dotted-decimal ones, which lets it bypass security checks.
Phishing Campaign Using Hexadecimal IP Addresses
Researchers from Trustwave have discovered a new phishing campaign in the wild that uses hexadecimal IP addresses. This strategy helps the attackers evade security checks, so the phishing emails successfully land in the victim’s mailbox.
As elaborated in their blog post, web browsers recognize IP addresses written in other formats, such as hexadecimal, octal, and integer (DWORD), and automatically convert them into the dotted-decimal format for further processing. Hence, browsers accept these IP formats in place of a domain name in a URL and bring the destination web page to the user.
However, these formats are not as well recognized by email security measures.
Thus, the attackers behind this phishing campaign have exploited this weakness to craft emails that successfully land in the recipients’ inboxes.
In these emails, they hide the URLs in the hexadecimal format, which the victim may never recognize but the browser can. So, when the victim clicks on such a link, they land on the phishing web page.
The formatted URLs behave differently with different mail clients, but the overall strategy remains the same. As stated by the researchers,
We observed that these links appear slightly different using different mail clients. For example, using the Thunderbird mail client, hovering your mouse over the links in these spam messages shows them as a URL starting with an IP address in the status bar. However, the links appear in their hexadecimal IP form in the URL using Microsoft Outlook but copying and pasting these links converts them to the standard IP format in the URL.
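The following is an added example, not code from the Trustwave post: a mail-filter style check that converts hexadecimal, octal, and integer (DWORD) hosts to dotted-decimal the way the article says browsers do, and flags URLs whose host is written in a non-standard form. It goes slightly beyond the hexadecimal case by also handling mixed and shortened notations; the function names and the sample message are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

_DIGITS = {16: "0123456789abcdef", 8: "01234567", 10: "0123456789"}

def _parse_part(part):
    """Parse one dot-separated part: 0x prefix is hex, leading 0 is octal, else decimal."""
    part = part.lower()
    if part.startswith("0x"):
        digits, base = part[2:], 16
    elif len(part) > 1 and part[0] == "0":
        digits, base = part[1:], 8
    else:
        digits, base = part, 10
    if any(c not in _DIGITS[base] for c in digits):
        return None
    return int(digits, base) if digits else 0

def normalize_ipv4_host(host):
    """Return the dotted-decimal form of a numeric IPv4 host in any notation, else None."""
    if host.endswith("."):
        host = host[:-1]
    parts = host.split(".")
    if len(parts) > 4 or "" in parts:
        return None
    nums = [_parse_part(p) for p in parts]
    if None in nums or any(n > 255 for n in nums[:-1]):
        return None
    if nums[-1] >= 256 ** (5 - len(nums)):  # last part fills the remaining bytes
        return None
    value = nums[-1] + sum(n << (8 * (3 - i)) for i, n in enumerate(nums[:-1]))
    return ".".join(str((value >> s) & 255) for s in (24, 16, 8, 0))

def find_obfuscated_ip_urls(text):
    """Return (url, dotted_decimal) for URLs whose host is a non-canonical IPv4 literal."""
    hits = []
    for url in re.findall(r"https?://[^\s\"'<>]+", text, flags=re.I):
        try:
            host = urlsplit(url).hostname or ""
        except ValueError:
            continue
        dotted = normalize_ipv4_host(host)
        if dotted and dotted != host:
            hits.append((url, dotted))
    return hits

# Constructed sample body; 192.0.2.1 is a reserved documentation address.
SAMPLE = "Order: http://0xC0000201/rx and http://192.0.2.1/ or https://example.com/a"
if __name__ == "__main__":
    for url, dotted in find_obfuscated_ip_urls(SAMPLE):
        print(f"{url} -> host resolves as {dotted}")
```

Running the normalized address through the same reputation and blocklist checks used for ordinary IP-based URLs closes the gap described above.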
Active Campaign Going Around Since the Beginning of This Year
During their study, the researchers found an active pill spam campaign in August 2020. The campaign employed a fake pharma botnet leveraging URL obfuscation techniques and affiliate link services to display the phishing website’s landing page.
The phishing websites advertise fake pills, and the campaign exploits the legitimate Clickbank.com affiliate link service to receive payments.
Researchers have warned all users to remain cautious while clicking on URLs, especially the unconventional ones, like the URLs in hexadecimal or other formats.