A spam group has picked up a pretty clever trick that has allowed it to bypass email filters and security systems and land in more inboxes than usual.
The trick relies on a quirk in RFC791 — a standard that describes the Internet Protocol (IP).
Among its various technical details, RFC791 is also the standard that defines the 32-bit IPv4 address. We mostly know such addresses in their most prevalent form, the dotted-decimal address (for example, 192.168.0.1).
However, the same address can also be written in three other formats, all of which the classic BSD inet_aton() parser, and therefore browsers and most system libraries, accept:
- Octal - 0300.0250.0000.0001 (by converting each decimal number to octal, marked by a leading zero)
- Hexadecimal - 0xc0a80001 (by converting the whole 32-bit value to hexadecimal, marked by a leading 0x)
- Integer/DWORD - 3232235521 (by writing the whole 32-bit value as a single decimal number; 0xc0a80001 equals 3232235521)
Well, one spammer group has apparently picked up on the trick.
According to a report published yesterday by Trustwave, a spam group has adopted hexadecimal IP addresses for their campaigns since mid-July earlier this year.
The group has been sending emails that contain links to their spam sites, but instead of domain names like "spam-website.com," the emails contain weird-looking URLs like https://0xD83AC74E.
These are actually hexadecimal IP addresses where the spammers host their spam website infrastructure.
While web browsers are capable of interpreting hexadecimal IP addresses and loading the website hosted on that server, the trick was apparently enough to help the spam group evade detection while spewing high volumes of pharma/pill spam messages.
Trustwave says the group's operations have significantly increased since adopting this trick, as they have been able to land more messages in users' inboxes.
This campaign also marks the second time in recent years that hexadecimal IP addresses have been spotted in use in a malicious campaign.
In the summer of 2019, the operators of the PsiXBot trojan also used hexadecimal IP addresses to hide the location of their command-and-control servers.
Yet, besides the hexadecimal version, malware authors have also abused other IP addressing schemes. In 2011, Zscaler found malicious Word documents that used integer/DWORD IP addresses to hide the location of remotely-stored malicious resources that they'd download on infected hosts.
Just like in the Trustwave report, the previous operations used these unusual IP notations as a way to bypass detection, as not all security software parses every address format that browsers accept: a filter that only recognizes dotted-decimal addresses never sees the server behind a URL such as https://0xD83AC74E, and so never matches it against its blocklists.
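To make the formats listed above concrete and to show why the evasion works, here is an added example (not code from the original article, from Trustwave, or from any of the products mentioned) that canonicalizes every inet_aton()-style notation back to dotted decimal, pulls such hosts out of a message body, and contrasts that with a strict parser (Python's stdlib ipaddress module) that only understands dotted decimal. The sample e-mail text and the function names are constructed for this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit


def parse_part(s: str) -> int:
    """Parse one numeric component the way BSD inet_aton() does:
    0x/0X prefix -> hexadecimal, leading 0 -> octal, otherwise decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", s):
        return int(s[2:], 16)
    if re.fullmatch(r"0[0-7]*", s):
        return int(s, 8)
    if re.fullmatch(r"[1-9][0-9]*", s):
        return int(s, 10)
    raise ValueError(f"not a numeric component: {s!r}")


def inet_aton_canonical(host: str):
    """Return the dotted-decimal form of any inet_aton()-style host
    (a, a.b, a.b.c or a.b.c.d, each part decimal/octal/hex), or None
    when the host is not a numeric IPv4 address at all."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [parse_part(p) for p in parts]
    except ValueError:
        return None
    # Every component except the last is one byte; the last component
    # fills all remaining bytes (1 byte for a.b.c.d, 4 bytes for a bare a).
    head, last = values[:-1], values[-1]
    if any(v > 0xFF for v in head):
        return None
    last_bytes = 5 - len(parts)
    if last >= 1 << (8 * last_bytes):
        return None
    n = 0
    for v in head:
        n = (n << 8) | v
    n = (n << (8 * last_bytes)) | last
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


URL_RE = re.compile(r"https?://[^\s<>\"']+")


def numeric_hosts_in(text: str):
    """Return (host_as_written, canonical_dotted_decimal) for every URL
    in `text` whose host is a numeric IPv4 address in any notation.
    Domain names are skipped. This is the normalization step a mail
    filter needs before comparing hosts against a blocklist."""
    found = []
    for url in URL_RE.findall(text):
        host = urlsplit(url.rstrip(".,;)")).hostname or ""
        canon = inet_aton_canonical(host)
        if canon is not None:
            found.append((host, canon))
    return found


def strict_parser_accepts(host: str) -> bool:
    """What a filter built on a strict parser sees: the stdlib ipaddress
    module accepts dotted decimal only, so hex, octal and DWORD forms
    are not even recognized as addresses."""
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


# Constructed sample message; the hosts are the article's example
# (0xD83AC74E) and the three spellings of 192.168.0.1 listed above.
SAMPLE_EMAIL = """Buy cheap pills now: https://0xD83AC74E/shop
Mirror: http://3232235521/
Backup: http://0300.0250.0000.0001/
Unsubscribe: https://example.com/unsubscribe
"""

if __name__ == "__main__":
    for host, canon in numeric_hosts_in(SAMPLE_EMAIL):
        print(f"{host:24} -> {canon:16} strict parser sees it: {strict_parser_accepts(host)}")
```

Running the block canonicalizes the hexadecimal URL from the article to 216.58.199.78 and the two alternative spellings to 192.168.0.1, while the strict parser reports False for all three; a filter that normalizes with inet_aton_canonical() before lookup closes exactly the gap the spammers rely on.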