Spammers keep looking for new and innovative tricks to deliver boobytrapped emails in as many inboxes as possible. Recently, Trustwave researchers published a report about a spam group that adopted a simple IP address format conversion trick for their spam campaigns to dodge detection.
The strange IP addressing scheme
Since mid-July, the spammers have been sending emails that contained links to spam sites. The scheme tricked users into believing that the sites are legitimate.
- The spammers leveraged the format-conversion flexibility that comes with the RFC791 standard. They crafted the URLs using a hexadecimal format and sent it via email with a convincing message to deceive the email gateway and the victim.
- One of the active spam campaigns covered a wide spectrum of pharma products, such as cholesterol, anti-fungal, anti-inflammatory, metabolism, and brain health pills, using hexadecimal IP in the URL.
- In other campaigns, the spammers used themes such as acid reflux, COVID masks, fat reduction, prostate medicine, UV bacteria killer, and vision correction.
- For payment, hackers redirected the victims to a legit Clickbank payment gateway page, to make the purchase look more convincing.
Seeing is believing
In earlier attacks, hackers were seen using hexadecimal values to hide malicious payloads.
- In June, Huntress Labs had discovered a threat actor that used a malicious file to masquerade as a Windows error log to store ASCII characters disguised as hexadecimal values that decode to a malicious payload designed for lateral attacks.
- In September, researchers found that in continuation of the June attack, hackers abused Google DNS over HTTPS to download the hidden malicious payload.
Cybercriminals can use existing threat feeds and URL lookup services to trick users via URL obfuscation techniques, redirection attacks, and multi-stage attacks. Therefore, experts recommend organizations to switch to real-time URL analysis and enrichment tools to quickly reach definitive verdicts with greater accuracy on suspicious URLs.