This post is part one of a two part series. You can read part two here.
Cybercriminals are continuously evolving their tools, tactics, and techniques to evade spam detection systems. We recently observed some spam campaigns that heavily relied on URL obfuscation in email messages. While such URL evasion methods are not new, their recent emergence on the fake pharma spam landscape is noteworthy. One such URL obfuscation technique employed an encoded hexadecimal IP address format used in the URL hostname part to evade detection. Another technique used a URL semantic attack, but that will be the subject of a future blog. In this blog, we highlight some recent IP format techniques we observed in the wild that are being used and circulated in spam.
IP stands for Internet Protocol and is defined in RFC 791. An IP address is a unique numerical address assigned to each device on the network. It can be an IPV4 dotted-decimal address such as 127.0.0.1 or an IPv6 address like 2001:db8:a0b:12f0::1. We access web content on web servers with their unique IP addresses assigned to them on the Internet, using the standard URL format defined in RFC1738. Since IP addresses are hard to remember, we rely on domain names instead that use a DNS service to translate the domain name to an IP address, thus remembering https://google.com is easier than remembering https://18.104.22.168 .
Technically, an IP address can be represented in multiple formats and thus can be used in a URL as follows:
- Dotted decimal IP address: https://22.214.171.124 (this example uses Google.com’s IP)
- Octal IP address: https://0330.0072.0307.0116 (convert each decimal number to octal)
- Hexadecimal IP address: https://0xD83AC74E (convert each decimal number to hexadecimal)
- Integer or DWORD IP address: https://3627730766 (convert hexadecimal IP to integer)
While web browsers accept domain names or dotted-decimal IPs as a URL in the address bar, clicking on any of the above links will direct you to Google.com as most browsers also accept these different IP formats as valid, which of course they are. The browser will automatically convert the hexadecimal or other IP format to a dotted-decimal IP address and browse it to the final page at that IP address.
Any threat actor equipped with this knowledge can craft an obscure looking URL like the ones shown above and send it via email with a convincing message to deceive the email gateway and the victim and lure them to click and open a site controlled by the attacker.
Pill spam campaign using obscure URLs containing hexadecimal IPs
The first spam campaign we observed was the result of a very active fake pharma spam botnet leveraging URL obfuscation techniques supported by an infrastructure of multiple intermediary hops through affiliate link services to evade detection while spewing high volumes of pill spam messages. These spam messages covered a wide spectrum of pharma products, mainly pills for cholesterol, anti-fungal, anti-aging, anti-inflammatory, brain health, metabolism, etc. This spam botnet recently started using hexadecimal IP’s in the URL since mid-July 2020, as shown in the figure. This is the time when the spam volume generated by this botnet significantly increased, as can be seen in figure 1.
Figure 1: Spam volumes of the fake pharma botnet since the beginning of this year. Notice the rise in volume since mid-July
A flow chart of this spam campaign is shown here in Figure 2 followed by a detailed discussion about each component.
Figure 2: Flowchart of this fake pharma spam campaign
Spam messages were carefully crafted for each spam broadcast, where the email subject highlights the email body content and is mostly convincing-looking pharma product related messages. Here are some screenshots of such spam email messages.
Figure 3: Spam samples containing embedded URLs with hexadecimal IP’s, circulated by this botnet with themes like COVID Masks, Fat loss, UV Bacteria killer, and Prostate medicine.
Figure 4: Spam circulated with themes like Brain boosting medicine, Acid Reflux, Fat reduction, and Vision correction
Figure 5: Spam circulated using themes like medicine for Vertigo, Vitiligo, Gum and Brain. All containing URLs with hexadecimal IP’s
This looks like ordinary spam, however what makes it unique is the use of hexadecimal IPs in the URL to access the pill spam web page. Some URLs that we collected from these pill spam campaigns are defanged and listed here:
These hexadecimal encoded IP addresses, collected at different times during the month of August 2020, decode to a single CIDR block 126.96.36.199/19 which is a block of IPs from USA. We observed that these links appear slightly different using different mail clients. For example, using the Thunderbird mail client, hovering your mouse over the links in these spam messages shows them as a URL starting with an IP address in the status bar. However, the links appear in their hexadecimal IP form in the URL using Microsoft Outlook but copying and pasting these links converts them to the standard IP format in the URL.
Clicking on any of these links opens the victim’s browser. The browser converts the hexadecimal IP to a decimal IP and takes the victim to the webpage hosting the fake pharma site. This site is equipped with an e-commerce gateway to sell these fake pills. We did not proceed with any purchase at the time of writing this blog. You can perform the hex to decimal IP conversion yourself using any tool of your choice. Here is a simple conversion using Cyber Chef
Figure 6: Converting Hexadecimal IP to decimal IP using CyberChef
Analysis of the network flow, from the time the victim clicks on the link until the final landing page is loaded in the victim’s browser, reveals a series of intermediate HTTP 301 and HTTP 302 redirects as shown in the above in Figure 2. An interesting thing to note here is that cybercriminals have employed the infrastructure of Clickbank.com, which is a legit online retail and affiliate service. Cybercriminals are abusing the Clickbank affiliate link service to proxy through to the final landing page of the pharma product being sold.
Final Landing Pages:
For each spam campaign iteration from this botnet, the final landing page follows the same theme from the initial spam message. The final landing pages are designed as marketing and sales portals integrated with third party payment gateways. Each website contained convincing marketing videos and testimonials to lure victims into buying fake pills or pharmaceutical products being sold. An interesting thing to note here is that most of these domains that hosted the final landing pages were registered with the NameCheap domain registrar and were recently registered. Screenshots of some of these websites are shown here.
Figure 9: Final landing page of Fake Anti-Fungal drug circulated as spam
Figure 10: Final landing page of Fake pharma drugs
Figure 11: Final landing page of Fake pharma drug circulated as spam
Figure 12: Final landing page of Fake pharma drug circulated as spam
Figure 13: Final landing page of Fake pharma drug circulated as spam
Clicking on “Buy Now” for any product redirects the victim to a legit Clickbank payment gateway page that accepts payment via both Credit Card and PayPal as shown in the figure.
Attempting to pay for an item using phony payment details was unsuccessful as the payment gateway required a legit and active Credit Card to be entered prior to proceeding to the next page. Making a test purchase to see whether any product gets shipped or not was beyond the scope of this research.
Spammers are ever-evolving their methods to evade spam detection systems to deliver spam to victims. One spamming group recently started using URLs containing hexadecimal encoded IPs embedded in spam messages for their fake pharma spam campaigns in an event to evade spam detection systems and URL blocklists. The URLs point to spammer-controlled infrastructure that redirects victims to semi-legit online retailers and marketing company infrastructure that finally redirects to the final website selling fake pills, medicine, and health products. These fake pharma sites are hosted on domains that have been recently purchased.
Trustwave Secure Email Gateway (SEG) detects these spam messages. We advise all users to look closely at all URLs before clicking, and especially those URLs that do not conform to typical formats.