Spammers hide behind hexadecimal IP addresses

Spammers hide behind IP addresses

Trustwave experts have discovered that pharmaceutical spam attackers have started to insert unusual URLs into their messages. Spammers hide behind hexadecimal IP addresses. They use hexadecimal IPs to bypass email filters and other security solutions.

The idea is based on the use of RFC791 standard. Researchers remind that, for example, https://google.com is the same as https://216.58.199.78, it’s just the first option that is easier to remember.

“Technically, an IP address can be represented in several formats and therefore can be used in a URL in a variety of ways”, — explain Trustwave researchers.

For example, any IP address can be written in other formats, including:

  • octal IP address: https://0330.0072.0307.0116;
  • hexadecimal IP address: https://0xD83AC74E;
  • integer or DWORD IP address: https://3627730766.

This feature uses spammer, who have been using hexadecimal IP addresses in their mailings since July this year. While browsers understand these formats and direct the user to google.com anyway, as in the example above, many spam filters stop “seeing” dangerous URLs because of this.

“Any threat actor equipped with this knowledge can craft an obscure-looking URL like the ones shown above and send it via email with a convincing message to deceive the email gateway and the victim and lure them to click and open a site controlled by the attacker”, — write Trustwave researchers.

Spammers hide behind IP addresses
Attack scheme

Experts note that since the start of this trick, the activity of the enterprising spam group has markedly increased, as much more spam began to fall into user inboxes. At the peak of the campaign, scammers sent out about 25,000 letters. Spammers advertised various drugs to lower cholesterol, antifungal, anti-aging, anti-inflammatory drugs, medical masks, UV lamps, as well as all kinds of dietary supplements.

Interestingly, this is not the first such case discovered by information security specialists.

For example, last summer, Proofpoint experts talked about the PsiXBot Trojan, whose operators also used hexadecimal IP addresses to hide the location of their control servers.

Find out better how spam works in our blog post: Spam Email. What Do Spammers Hope For?

Spammers hide behind hexadecimal IP addresses

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *