{"id":13787,"date":"2026-06-23T04:03:34","date_gmt":"2026-06-23T04:03:34","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/06\/23\/33090\/"},"modified":"2026-06-23T04:03:34","modified_gmt":"2026-06-23T04:03:34","slug":"33090","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/06\/23\/33090\/","title":{"rendered":"eBanking Phishing Delivered Through IPv4-Mapped IPv6 Address, (Fri, Jun 19th)"},"content":{"rendered":"<p>    eBanking Phishing Delivered Through IPv4-Mapped IPv6 Address, (Fri, Jun 19th)<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p>I detected an interesting phishing email this morning. It targets a major Belgian bank:<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/isc-20260618-1.png?ssl=1\" style=\"width: 500px; height: 723px;\"><\/p>\n<p>The phishing in itself is a classic one, not relevant but the malicious link is interesting:<\/p>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(204, 204, 204); padding: 5px 10px;\">\nhxxp:\/\/[::ffff:5511:74be]\/kWC5PHA1<\/pre>\n<p>The technique used by the attacker is to bypass simple security controls trying to extract domain names and IP addresses via simple regular expressions. The notation \u201c[\u2026]\u201d tells the URL parser that what&#8217;s inside is a literal IPv6 address. But it\u2019s not a real IPv6 address. What\u2019s the magic?<\/p>\n<p>The started \u201c::\u201d in the address means that it can be expanded to this address:<\/p>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(204, 204, 204); padding: 5px 10px;\">\n0000:0000:0000:0000:0000:ffff:5511:74be<\/pre>\n<p>The trick is the fifth group (::ffff:) means that we are facing a IPv4-mapped IPv6 address. This is defined in RFC 4291[<a href=\"https:\/\/www.rfc-editor.org\/info\/rfc4291\/\">1<\/a>]:<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" alt=\"\" src=\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/isc-20260618-2.png?ssl=1\" style=\"width: 500px; height: 343px;\"><\/p>\n<p>In the URL above, the two trailing 16-bit hex groups \u201c5511\u201d and \u201c74be\u201d are just the four IPv4 octets written in hex.<\/p>\n<table border=\"1\" cellpadding=\"1\" cellspacing=\"1\" style=\"width:300px;\">\n<thead>\n<tr>\n<th scope=\"col\">Hex<\/th>\n<th scope=\"col\">Dec<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>0x55<\/td>\n<td>85<\/td>\n<\/tr>\n<tr>\n<td>0x11<\/td>\n<td>17<\/td>\n<\/tr>\n<tr>\n<td>0x74<\/td>\n<td>116<\/td>\n<\/tr>\n<tr>\n<td>0xBE<\/td>\n<td>190<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The real URL is therefore:<\/p>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(204, 204, 204); padding: 5px 10px;\">\nhxxp:\/\/85[.]17[.]116[.]190\/kWC5PHA1<\/pre>\n<p>Another good news from the attacker\u2019s point of view, there is no DNS record!<\/p>\n<p>When visited, this URL redirects to another link where the real phishing kit is hosted:<\/p>\n<pre style=\"background: rgb(238, 238, 238); border: 1px solid rgb(204, 204, 204); padding: 5px 10px;\">\nhxxps:\/\/3439-aanmelden[.]verificatie[.]qzz[.]io\/mon-belfius<\/pre>\n<p>[1]\u00a0<a href=\"https:\/\/www.rfc-editor.org\/info\/rfc4291\/\">https:\/\/www.rfc-editor.org\/info\/rfc4291\/<\/a><\/p>\n<p><b>Xavier Mertens (@xme)<\/b><br \/>\nXameco<br \/>\nSenior ISC Handler &#8211; Freelance Cyber Security Consultant<br \/>\n<a href=\"https:\/\/raw.githubusercontent.com\/xme\/pgp\/refs\/heads\/main\/public.key\">PGP Key<\/a><\/p>\n<p> (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><\/p>\n<p> \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/isc.sans.edu\/diary\/rss\/33090\">Go to isc.sans.edu<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>eBanking Phishing Delivered Through IPv4-Mapped IPv6 Address, (Fri, Jun 19th) I detected an interesting phishing email this morning. It targets a major Belgian bank: The phishing in itself is a classic one, not relevant but the malicious link is interesting: hxxp:\/\/[::ffff:5511:74be]\/kWC5PHA1 The technique used by the attacker is to bypass simple security controls trying to [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[56],"tags":[69],"class_list":["post-13787","post","type-post","status-publish","format-standard","hentry","category-isc-sans-edu","tag-isc-sans-edu"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13787"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=13787"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13787\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=13787"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=13787"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=13787"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}