Strange URL in a Phisher Mail

Interesting Phish ... is this a first?


Quadrille

3:10 pm on Aug 28, 2006 (gmt 0)




One of my daily dose of paypal phishes used a URL in this format:

http:// 0x67.0x9c.0x3e.0x5c/~corporama/webshop/ PayPal/login.html

[note - details altered, this is NOT the actual URL - it's a nonsense one that fails; PLUS spaces inserted so it doesn't look live]

The site had gone by the time I got my copy, and I was diverted to the host site, so I do not know what would have appeared in the window.

I've never noticed such a URL before; how does it work?

[edited by: Quadrille at 3:12 pm (utc) on Aug. 28, 2006]

gpilling

3:29 pm on Aug 28, 2006 (gmt 0)




it sends you to a page that looks exactly like paypal.com but isn't. You enter your username and password, it sends you to a screen that says "problem, check back later" and then they empty your paypal account.

A simple, effective way to separate you from your money. Armed robbery from a distance, so to speak.

bird

3:49 pm on Aug 28, 2006 (gmt 0)




Some technical notes:

This is just the hexadecimal representation of a normal IP address. Ultimately, an IP address is just a 32 bit integer. For practical reasons and for human readability it is normally split into four distinct octets, and those are individually shown as decimal integer values. As an example (with a reserved IP), the following are all equivalent:

Decimal octets: 10.129.0.200

Octal octets: 012.0201.0.0310

Hexadecimal octets: 0xa.0x81.0x0.0xc8

Binary octets: 00001010.10000001.00000000.11001000

Combined binary: 00001010100000010000000011001000

Decimal of combined binary: 176226504

In other words, the URL http://176226504/ is the same as the URL http://10.129.0.200/. Making use of this information has been a spammer's trick to obfuscate URLs for a very long time.
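As an added example (not code from the thread), here is a small Python normaliser that applies the same inet_aton parsing rules bird describes, so a mail filter can recognise hex, octal, short-form or single-integer hosts and report the plain dotted-decimal address behind them. The function names `ipv4_from_literal` and `classify_url_host` are my own; the URL in the usage call is the altered, non-live one from Quadrille's post.

```python
import re
from urllib.parse import urlsplit

# One dot-separated part: hex (0x..), octal (leading 0) or decimal.
_PART = re.compile(r'^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$')


def _parse_part(text):
    """Parse one part with C inet_aton conventions; None if malformed."""
    if not _PART.match(text):
        return None
    if text[:2].lower() == '0x':
        return int(text[2:], 16)
    if len(text) > 1 and text[0] == '0':
        return int(text, 8)
    return int(text, 10)


def ipv4_from_literal(host):
    """Canonical dotted-decimal form of an inet_aton-style literal
    (1 to 4 parts, each hex/octal/decimal), or None if not numeric."""
    parts = host.split('.')
    if not 1 <= len(parts) <= 4:
        return None
    values = [_parse_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    # The last part fills every remaining byte: a.b.c.d, a.b.c, a.b or a.
    head, last = values[:-1], values[-1]
    if any(v > 0xff for v in head) or last >= 1 << (8 * (4 - len(head))):
        return None
    addr = 0
    for v in head:
        addr = (addr << 8) | v
    addr = (addr << (8 * (4 - len(head)))) | last
    return '.'.join(str((addr >> s) & 0xff) for s in (24, 16, 8, 0))


def classify_url_host(url):
    """'name' for a DNS name, 'ip' for plain dotted decimal, and
    'obfuscated_ip' for any other numeric spelling of an IPv4 host."""
    host = urlsplit(url).hostname or ''
    canonical = ipv4_from_literal(host)
    if canonical is None:
        return 'name', host
    return ('ip' if canonical == host else 'obfuscated_ip'), canonical


if __name__ == '__main__':
    # Altered, non-live URL from the post above.
    print(classify_url_host('http://0x67.0x9c.0x3e.0x5c/~corporama/webshop/PayPal/login.html'))
```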

Leosghost

3:55 pm on Aug 28, 2006 (gmt 0)




@gpilling ..

I think Quadrille knew that ;-))..

@bird

usually the phishers use URLs that actually say something though ..perhaps they figure that the thing looks more secure / genuine being primarily the number expression ..certainly harder for the gullible to notice that it's the usual misspelling or subdomain scam ..

I had one of those URL types about 6 weeks ago ..( out of curiosity I always note them and load them separately into a browser and follow to see what they are up to )..very fast redirect with a back button kill ..went to an internal page on domain with quite a long standing respectable history ..presumably the domain was hacked and the page ( on an https ..firefox confirmed ) set up as a sleeper ( re-configured to set up again even if the domain owner noticed a hack had happened ) with the redirect to be activated on a call from the server responsible for the call to the email app to launch its send routine to me ..

technically very well done ..

gave the urls to ebay fraud centre ..

[edited by: Leosghost at 4:01 pm (utc) on Aug. 28, 2006]

Quadrille

1:22 pm on Aug 31, 2006 (gmt 0)




Thanks for the info, folks - yes, I did know what phishing mails are, should have been clearer :)

It was the alphanumeric IP that was new to me.

I always report my phishes to gmail, if they haven't already been reported (nine out of ten have already got the red warning stripe before I get the chance!)

Has anyone ever heard of a phisher being caught?

They seem to block the web sites pretty quick ... but what about the early sucker who got the worm?