A spam group has picked up a pretty clever trick that has allowed it to bypass email filters and security systems and land in more inboxes than usual.
The trick relies on a quirk in RFC791 — a standard that describes the Internet Protocol (IP).
Among the various technical details, RFC791 is also the standard that describes how IP addresses look. We mostly know them in their most prevalent form of dotted-decimal address (for example, 192.168.0.1).
However, IP addresses can also be written in three other formats:
- Octal – 0300.0250.0000.0001 (by converting each decimal number to the octal base)
- Hexadecimal – 0xc0a80001 (by convert each decimal number to hexadecimal)
- Integer/DWORD – 3232235521 (by converting the hexadecimal IP to integer)
Well, one spammer group has apparently picked up on the trick.
According to a report published yesterday by Trustwave, a spam group has adopted hexadecimal IP addresses for their campaigns since mid-July earlier this year.
The group has been sending emails that contain links to their spam sites, but instead of domain names like “spam-website.com,” the emails contain weird-looking URLs like https://0xD83AC74E.
These are actually hexadecimal IP addresses where the spammers host their spam website infrastructure.
While web browsers are capable of interpreting hexadecimal IP addresses and load the website found on the server, it appears that the trick was enough to help the spam groups evade detection while spewing high volumes of pharma/pill spam messages.
Trustwave says the group’s operations have significantly increased since adopting this trick, as they have been able to land more messages in users’ inboxes.
This campaign also marks the second time hexadecimal IP addresses have been spotted being used in a malware campaign in recent years.
In the summer of 2019, the operators of the PsiXBot trojan have also used hexadecimal IP addresses to hide the location of their command-and-control servers.
Yet, besides the hexadecimal version, malware authors have also abused other IP addressing schemes. In 2011, Zscaler found malicious Word documents that used integer/DWORD IP addresses to hide the location of remotely-stored malicious resources that they’d download on infected hosts.
Just like in the Trustwave report, the previous operations used these strange IP addressing schemes as a way to bypass detection, as not all security software is fully RFC791-compliant.