eBanking Phishing Delivered Through IPv4-Mapped IPv6 Address, (Fri, Jun 19th)
I detected an interesting phishing email this morning. It targets a major Belgian bank.
The phishing itself is a classic one and not worth detailing, but the malicious link is interesting:
hxxp://[::ffff:5511:74be]/kWC5PHA1
The technique used by the attacker is to bypass simple security controls that try to extract domain names and IP addresses with simple regular expressions. The notation "[...]" tells the URL parser that what's inside is a literal IPv6 address. But it's not a real IPv6 address.
How the Address Works
The leading "::" in the address means that it can be expanded to this address:
0000:0000:0000:0000:0000:ffff:5511:74be
The trick is the "::ffff:" prefix in front of the last two groups: it means that we are facing an IPv4-mapped IPv6 address. This is defined in RFC 4291 [1].
In the URL above, the two trailing 16-bit hex groups "5511" and "74be" are just the four IPv4 octets written in hex:
| Hex | Dec |
|---|---|
| 0x55 | 85 |
| 0x11 | 17 |
| 0x74 | 116 |
| 0xBE | 190 |
The real URL is therefore:
hxxp://85[.]17[.]116[.]190/kWC5PHA1
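The decoding above, carried out in code as an added example (not part of the original diary): the script expands the bracketed literal, checks for the `::ffff:` marker, splits the last two 16-bit groups into octets exactly as the table does, cross-checks the result with Python's `ipaddress` module, and rewrites the URL to its plain IPv4 form. It also shows that a naive dotted-quad regex (a constructed stand-in for the simple controls the attacker is evading) finds nothing in the original link but matches once the URL is normalized. The URL is the one from the diary with `hxxp` restored to `http`; the function names are my own.

```python
import ipaddress
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the kind of naive IPv4 extraction the diary says
# the attacker is evading: it only understands dotted-quad notation.
NAIVE_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# The link from the diary, with hxxp restored to http so the parser accepts it.
PHISHING_URL = "http://[::ffff:5511:74be]/kWC5PHA1"


def mapped_octets(host: str) -> Optional[Tuple[int, int, int, int]]:
    """Decode an IPv4-mapped IPv6 literal (RFC 4291) by hand.

    Expands the address, checks for five zero groups followed by ffff,
    then splits the last two 16-bit groups into four 8-bit octets, exactly
    as the hex/dec table in the diary does. Returns None for any address
    that is not of that form (hostnames, plain IPv4, native IPv6).
    """
    try:
        addr = ipaddress.IPv6Address(host)
    except ValueError:
        return None
    groups = addr.exploded.split(":")          # eight 4-hex-digit groups
    if groups[:6] != ["0000"] * 5 + ["ffff"]:
        return None
    hi, lo = int(groups[6], 16), int(groups[7], 16)
    return (hi >> 8, hi & 0xFF, lo >> 8, lo & 0xFF)


def normalize_url(url: str) -> str:
    """Rewrite a URL whose host is an IPv4-mapped IPv6 literal to plain IPv4.

    Any other URL is returned unchanged, so this can sit in front of an
    existing IP-reputation lookup or regex-based check.
    """
    parts = urlsplit(url)
    host = parts.hostname                      # brackets already stripped
    if host is None:
        return url
    octets = mapped_octets(host)
    if octets is None:
        return url
    # Cross-check the manual decode against the standard library's view.
    v4 = ipaddress.IPv6Address(host).ipv4_mapped
    if v4 is None or tuple(v4.packed) != octets:
        raise ValueError(f"inconsistent decode for {host!r}")
    netloc = str(v4)
    if parts.port is not None:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def naive_ipv4_hits(url: str) -> Optional[str]:
    """What a dotted-quad-only filter would extract from the URL (None = miss)."""
    m = NAIVE_IPV4_RE.search(url)
    return m.group(0) if m else None


if __name__ == "__main__":
    print("octets :", mapped_octets("::ffff:5511:74be"))
    print("before :", PHISHING_URL, "->", naive_ipv4_hits(PHISHING_URL))
    fixed = normalize_url(PHISHING_URL)
    print("after  :", fixed, "->", naive_ipv4_hits(fixed))
```

Running the script shows the naive regex returning `None` for the bracketed form and `85.17.116.190` after normalization. The same normalization accepts the dotted variant `[::ffff:85.17.116.190]`, which RFC 4291 also allows and which a filter should treat identically.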
More good news from the attacker's point of view: there is no DNS record involved! When visited, this URL redirects to another link where the real phishing kit is hosted:
hxxps://3439-aanmelden[.]verificatie[.]qzz[.]io/mon-belfius
[1] https://www.rfc-editor.org/info/rfc4291/
Xavier Mertens (@xme)
Xameco Senior ISC Handler - Freelance Cyber Security Consultant