The trick relies on the IPv4 addressing standard, RFC 791. As the researchers point out, https://google.com and https://216.58.199.78 lead to the same place; the first form is simply easier to remember. Moreover, any IPv4 address can be written in several other formats, including:
- octal IP address: https://0330.0072.0307.0116;
- hexadecimal IP address: https://0xD83AC74E;
- integer (DWORD) IP address: https://3627730766.
It is precisely this feature that spammers exploit: since July of this year they have been using hexadecimal IP addresses in their mailings. Browsers understand all of these formats and, in the example above, would take the user to google.com regardless; many spam filters, however, do not recognise such a string as a URL at all and therefore stop "seeing" the dangerous link.
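To show what a filter has to do to keep "seeing" such links, here is an added example (not code from the article or from the researchers it cites) that normalises every inet_aton-style host form the article lists, plus the mixed forms browsers also accept, to canonical dotted decimal. The parsing rules follow BSD inet_aton and the WHATWG URL host parser: one to four dot-separated parts, each decimal, octal (leading 0) or hex (0x prefix), with the last part filling all remaining bytes. The sample URLs at the bottom are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

_HEX = re.compile(r"0[xX][0-9a-fA-F]+")
_OCT = re.compile(r"0[0-7]+")
_DEC = re.compile(r"0|[1-9][0-9]*")


def _parse_part(part: str) -> int:
    """Parse one dot-separated component the way inet_aton does.

    A leading 0x means hex, a leading 0 means octal (so "08" is invalid),
    anything else is decimal.
    """
    if _HEX.fullmatch(part):
        return int(part, 16)
    if _OCT.fullmatch(part):
        return int(part, 8)
    if _DEC.fullmatch(part):
        return int(part, 10)
    raise ValueError(f"not a numeric host component: {part!r}")


def normalize_ipv4(host: str):
    """Return the dotted-decimal form of an IPv4 literal, or None if the
    host is not an IPv4 literal (e.g. a real domain name).

    Accepts 1 to 4 parts; the last part supplies all remaining bytes,
    so "0xD83AC74E", "3627730766", "216.0x3A.0307.78" and "216.58.51022"
    all mean 216.58.199.78.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    *head, last = values
    if any(v > 0xFF for v in head):      # leading parts are single bytes
        return None
    remaining = 4 - len(head)            # bytes the last part must cover
    if last >= 1 << (8 * remaining):
        return None
    addr = 0
    for v in head:
        addr = (addr << 8) | v
    addr = (addr << (8 * remaining)) | last
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def classify_url(url: str) -> dict:
    """Extract the host of a URL, canonicalise it if it is an IPv4 literal,
    and flag literals written in any form other than plain dotted decimal.

    A filter should run blocklist and reputation checks on the "ip" value,
    not on the raw host string, and may treat "obfuscated" as a spam signal.
    """
    host = urlsplit(url).hostname or ""   # lowercased, port/userinfo stripped
    canonical = normalize_ipv4(host)
    return {
        "host": host,
        "ip": canonical,
        "obfuscated": canonical is not None and canonical != host,
    }


if __name__ == "__main__":
    # Constructed sample URLs covering the forms discussed above.
    for sample in (
        "https://216.58.199.78/",
        "https://0330.0072.0307.0116/",
        "https://0xD83AC74E/",
        "https://3627730766/",
        "https://216.0x3A.0307.78/",
        "https://google.com/",
    ):
        print(sample, classify_url(sample))
```

Note that the normaliser is deliberately strict where browsers are strict: a part such as "08" or "256" makes the whole host invalid rather than silently falling back to a domain-name lookup, which is the behaviour a filter must mirror if it wants to agree with the browser about where a link goes.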
Experts note that since the group started using this trick its activity has increased markedly: far more of its spam has been reaching user inboxes. At the peak of the campaign the scammers sent out about 25,000 messages, mostly advertising cholesterol-lowering, antifungal, anti-ageing and anti-inflammatory drugs, medical masks, UV lamps and all kinds of dietary supplements.
Interestingly, this is not the first such case security researchers have observed. Last summer Proofpoint described the PsiXBot Trojan, whose operators also used hexadecimal IP addresses to hide the location of their C&C servers.