eBanking Phishing Delivered Through IPv4-Mapped IPv6 Address

    Published: 2026-06-19. Last Updated: 2026-06-19 08:37:34 UTC
    by Xavier Mertens (Version: 1)
    0 comment(s)

    I detected an interesting phishing email this morning. It targets a major Belgian bank:

    The phishing itself is a classic one and not relevant here, but the malicious link is interesting:

    hxxp://[::ffff:5511:74be]/kWC5PHA1

    The technique used by the attacker aims at bypassing simple security controls that try to extract domain names and IP addresses with basic regular expressions. The “[…]” notation tells the URL parser that what's inside the brackets is a literal IPv6 address. But it’s not a real IPv6 address. What’s the magic?

    The leading “::” in the address means that it can be expanded to this address:

    0000:0000:0000:0000:0000:ffff:5511:74be

    The trick is the “::ffff:” prefix: it means that we are facing an IPv4-mapped IPv6 address, as defined in RFC 4291[1].

    In the URL above, the two trailing 16-bit hex groups “5511” and “74be” are just the four IPv4 octets written in hex.

    Hex   Dec
    0x55  85
    0x11  17
    0x74  116
    0xBE  190

    The real URL is therefore:

    hxxp://85[.]17[.]116[.]190/kWC5PHA1
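    The decoding above can be automated so that detection rules compare the address the browser will actually connect to, rather than the literal that a dotted-quad regex never sees. The following is an added example (not code from the diary): it unwraps an IPv4-mapped IPv6 literal in a URL host with Python's standard `ipaddress` and `urllib.parse` modules, reproduces the manual hex-to-octet conversion from the table, and shows that a naive dotted-quad regex misses the link. The sample URLs are constructed for the demonstration (one mirrors the link from this diary, with the scheme refanged); the function names are my own.

```python
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

# Pattern many simple "IP extractor" controls rely on: a plain dotted quad.
DOTTED_QUAD_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def naive_ipv4_from_url(url: str) -> Optional[str]:
    """What a dotted-quad regex extracts from the URL (None when nothing matches)."""
    m = DOTTED_QUAD_RE.search(url)
    return m.group(0) if m else None


def hex_groups_to_ipv4(group_hi: str, group_lo: str) -> str:
    """Decode the two trailing 16-bit groups of an IPv4-mapped address by hand.

    Each group holds two IPv4 octets in hex, exactly as in the table above:
    "5511", "74be" -> 0x55 0x11 0x74 0xbe -> 85.17.116.190
    """
    raw = bytes.fromhex(group_hi.zfill(4) + group_lo.zfill(4))
    return ".".join(str(octet) for octet in raw)


def effective_host(url: str) -> Optional[str]:
    """Return the host a browser would actually connect to.

    A bracketed IPv6 literal that is an IPv4-mapped address (::ffff:a.b.c.d or
    ::ffff:xxxx:xxxx, with or without the "::" compression) is unwrapped to its
    dotted-quad IPv4 form so that blocklists and detections see the real address.
    DNS names and genuine IPv6 addresses are returned unchanged (lowercased).
    """
    host = urlsplit(url).hostname  # brackets already stripped by the parser
    if host is None:
        return None
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host  # not an IP literal: a DNS name
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


if __name__ == "__main__":
    # Constructed samples: the first mirrors the diary's link (scheme refanged).
    samples = [
        "http://[::ffff:5511:74be]/kWC5PHA1",
        "http://[::ffff:85.17.116.190]/kWC5PHA1",
        "http://[0:0:0:0:0:ffff:5511:74be]/kWC5PHA1",
        "http://[2001:db8::1]/login",
        "https://example.com/login",
    ]
    for url in samples:
        print(f"{url}\n  regex sees : {naive_ipv4_from_url(url)}"
              f"\n  real host  : {effective_host(url)}")
```

Running the block shows the regex extracting nothing from the three mapped-address variants while `effective_host` resolves all of them to the same dotted quad; normalising the host this way before a reputation or blocklist lookup closes the gap the diary describes.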

    Another piece of good news from the attacker’s point of view: no DNS record is involved!

    When visited, this URL redirects to another link where the real phishing kit is hosted:

    hxxps://3439-aanmelden[.]verificatie[.]qzz[.]io/mon-belfius

    [1] https://www.rfc-editor.org/info/rfc4291/

    Xavier Mertens (@xme)
    Xameco
    Senior ISC Handler - Freelance Cyber Security Consultant
    PGP Key
