Cybercriminals are constantly optimizing their cyber attack tools, tactics and techniques to evade spam detection systems.
Since some systems directly extract links embedded in emails for detection, one such URL obfuscation technique uses the encoded hexadecimal IP address format used in the hostname portion of the URL to evade detection.
Since IP addresses can be represented in a variety of formats, they can be used in URLs as follows:
Dotted decimal IP address: 18.104.22.168
Octal IP address: 0330.0072.0307.0116 (convert each decimal digit to octal)
Hex IP address: 0xD83AC74E (convert each decimal digit to hex)
Integer or DWORD IP address: 3627730766 (convert hexadecimal IP to integer)
Clicking on any of the links above will direct you to the specified domain name, and most browsers also accept these different IP formats.
Recently, a phishing email campaign with the theme of pharmaceuticals used the hexadecimal representation of IP to attack.
Since this may become a future attack trend, this attack trend will be mentioned in the Blackbird official account.
These phishing email messages cover a wide range of medicines, mainly for cholesterol, antifungal, anti-aging, anti-inflammatory, brain health, metabolism, and more. The phishing botnet recently started using hexadecimal IPs in URLs from mid-July.
The attack flow chart is shown below.
The email is shown below, using text hyperlinks to jump to it.
The corresponding URL link in the hyperlink is as follows, using hexadecimal IP
Using different mail clients, these links look slightly different. For example, using the Thunderbird mail client, hovering over text hyperlinks will Display them as URLs starting with the IP address in the status bar.
However, using the Microsoft Outlook mail client, it will still be displayed in the hexadecimal IP format in the URL, but copying and pasting the link elsewhere will convert it to the standard IP format in the URL.
Result after clicking on the hex link above
The Links: 4L-U4EB QM150DY-2H