How Hexadecimal IP Addresses Help Spammers Evade Detection

  • Spammers who target people with fake pills for a variety of conditions are hiding their infrastructure behind hexadecimal IP addresses.
  • This helps the particular group enjoy better spam email deliverance rates and make more money as a result.
  • Victims should be careful when they see unfamiliar URL forms, and spamming filters should evolve to catch hex too.

Spammers are known to try a wide range of tricks to achieve better inbox delivery rates. Spam mail that ends up on the spam folder isn’t doing much for them, and finding ways to go through filters isn’t simple at all. For example, Google is deploying sophisticated AI tools to detect malicious messages and is now rolling out new anti-spam platforms.

So, whenever spam groups find something that works, it’s a breakthrough – at least for as long as it takes for spam filters to adjust. The most recent breakthrough of this kind is the use of hexadecimal IP addresses to evade detection and ensure spam delivery to people’s inbox.

Related: Google Claims Gmail Can Now Detect 99.9% of Malicious Document Attachments

IP addresses are typically written and displayed in human-readable notations like “,” for example. However, this is not the only way you can write them without affecting their functionality. Hexadecimal is one of the possible ways to write an IP address, converting each decimal number to hexadecimal, which is a representation of numbers using a base of “16” – hence the name.

According to this numeral system, one may use ten decimal numbers and six symbols to represent any value, and this is a lean approach because you end up with something short. The web browser undertakes the job of converting hex to something useful, so functionally, no problems are introduced.

Related: Google to Tackle Spam Mail With Gmail Logo Verification for Senders

What this conversion does is to actually add a layer of obfuscation to the URL. So, essentially, URLs that have been blacklisted for spam can now send emails without raising any flags.

According to a Trustwave report, the first spammers who took advantage of this simple yet clever trick send pill-themed messages. If you’ve recently received any messages that promote pills for cholesterol, anti-inflammatory, metabolism boosters, brain health, etc., they are part of this campaign. To ramp up their detection avoidance game, the actors have their messages hop through a series of affiliate link services.

fake pharma diagram
Source: Trustwave

If any of these links are clicked, the victim is taken to recently-registered domains that attempt to convince the visitors to buy the fake drugs. Thanks to third-party gateway integration, the payment will go through, but nothing will ever be shipped to the buyer. T

he volume of this spam has risen since July this year and will most likely continue growing until anti-spam systems begin including hexadecimal IP addresses in their detection scheme.

spam volume
Source: Trustwave

The trick of hexadecimal hashing for obfuscation has been used in the malware space, too, with the SunCrypt ransomware applying the conversion to encrypted files, and CypherIT applying it to its malicious scripts. Seeing it on IP addresses is somewhat novel, but the cover is now blown.


Recent Articles

2020 CMT Music Awards: How to Watch Live, Schedule, Performers, Nominees

The CMT Music Awards are just around the corner, and we cannot wait to watch the show and see who wins the...

How to Watch 2020-2021 UEFA Champions League Season – Live Stream, Groups, Schedule

The 2020-2021 UEFA Champions League games are finally here and we are eager to start watching the games. This is the 66th...

6 Best VPN for Netflix in October 2020

The best VPN for Netflix will help you unblock any version of this media streaming platform. It will also improve your media streaming experience...