As mentioned earlier in this space, it seems almost impossible to stay on top of cybercriminals. They always seem to be one step ahead, forcing everyone to always stay on their toes. One of the more recent efforts of spammers is to use hexadecimal IP addresses in spam attacks.
What is a hexadecimal IP address?
Websites are accessed on the Internet through IP addresses, a combination of numbers, letters and punctuation. These are too difficult to remember, so domain names are assigned instead and a DNS service translates them to an IP address.
IP addresses can be:
- Dotted – a series of numbers separated by periods.
- Octal – each decimal number is converted to octal
- Hexadecimal – each decimal number is converted to hexadecimal
- Integer or DWORD – each hexadecimal is converted to an integer
A hexadecimal number works on a base 16 system instead of base 10, so instead of only the digits 0 to 9 you have 0 to 9 plus A to F.
Browsers will automatically convert all of these formats to a dotted IP address. You arrive at the same destination site as you would with a domain name.
Hexadecimal addresses used in spam
As we watch for spam more and more, spammers are getting smarter at evading us. If we come across a domain name that looks dodgy, we’ll avoid it. No one will click on a link with a domain like spam.thisisfishy.com. However, replace it with a hexadecimal IP address, and we don’t know what to think and might be tricked into clicking on it when it appears in an email.
The first spam attack observed using hexadecimal IP addresses sells fake pharmaceuticals. The campaign sells pills for cholesterol, antifungals, anti-aging, anti-inflammatory, metabolism, etc. And in the age of the coronavirus pandemic, we are all striving to stay healthy by any means possible. This campaign started last July and the numbers show that it has led to an overall increase in spam.
The subject and body of the email look convincing enough and ask unsuspecting victims to click on a hexadecimal IP address. The links are slightly different depending on the email client, whether it’s Thunderbird, Outlook, etc.
Clicking the link opens it in the victim’s browser. The browser converts the hexadecimal IP address to a decimal IP, which sends the victim to a bogus pharmaceutical site with marketing videos and testimonials and leads to an ecommerce gateway selling the bogus pills.
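The conversion described above can be reproduced on the defender's side so that a mail filter sees the same destination the browser would. The following is an added example, not code from the original article: it is modelled on the IPv4 host parsing rules of the WHATWG URL Standard, the function names are hypothetical, and the sample links are constructed around the documentation address 192.0.2.33.

```python
import re
from urllib.parse import urlsplit

def parse_part(part):
    """One host component as hex (0x..), octal (leading 0) or decimal; None if invalid."""
    low = part.lower()
    if low.startswith("0x"):
        digits, base, allowed = low[2:] or "0", 16, "0123456789abcdef"
    elif len(low) > 1 and low.startswith("0"):
        digits, base, allowed = low[1:], 8, "01234567"
    else:
        digits, base, allowed = low, 10, "0123456789"
    if not digits or any(c not in allowed for c in digits):
        return None
    return int(digits, base)

def normalize_ipv4_host(host):
    """Return (dotted_quad, obfuscated) for an IPv4 literal in any notation, else None."""
    parts = host.split(".")
    if parts[-1] == "":  # a single trailing dot is tolerated
        parts.pop()
    if not 1 <= len(parts) <= 4:
        return None
    nums = [parse_part(p) for p in parts]
    if None in nums:
        return None
    # Every component but the last is one octet; the last fills the remaining bytes.
    if any(n > 255 for n in nums[:-1]) or nums[-1] >= 256 ** (5 - len(nums)):
        return None
    value = nums[-1] + sum(n << (8 * (3 - i)) for i, n in enumerate(nums[:-1]))
    dotted = ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))
    return dotted, dotted != host

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def flag_obfuscated_links(text):
    """(url, dotted_quad) for each link whose host is an IPv4 literal not in dotted decimal."""
    hits = []
    for url in URL_RE.findall(text):
        result = normalize_ipv4_host(urlsplit(url).hostname or "")
        if result and result[1]:
            hits.append((url, result[0]))
    return hits

# Constructed sample; 192.0.2.33 is a documentation address (TEST-NET-1).
SAMPLE = """http://0xC0.0x00.0x02.0x21/offer http://0xC0000221/offer
http://3221226017/offer http://0300.0.02.041/offer
http://192.0.2.33/offer https://www.example.com/offer"""

if __name__ == "__main__":
    for url, dotted in flag_obfuscated_links(SAMPLE):
        print(f"{url} -> {dotted}")
```

Normalizing before matching lets an existing IP blocklist or reputation lookup work on the dotted form, whichever notation the message used.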
Of course, it’s probably never a good idea to buy pharmaceuticals on a whim from a random email. But if you’re tempted to do so, don’t be fooled by a hexadecimal IP address, as it’s even more likely to be spam. Be careful when you see such an address in an e-mail, whether it is an advertisement for pharmaceuticals or otherwise.