A String of Numbers before a web address in a URL link (SPAM)

Any networking guy is well aware that an IP address can be used in the place of a domain name in a link.

http://173.194.196.138, for example, will take you to www.google.com

Did you know, however, that the IP address itself in a link can also be represented in different ways?

For example, a DWORD integer value? If I convert that Google IP address to a decimal number, I get this: 2915222666. Now if you were to click on http://2915222666, it would also take you to Google’s homepage just like the other two links above.

To most people, that would not look like a valid link to anything, but it is. There are also plenty of other valid ways to represent an IP address in a link, and this is no new trick, as I read all about it on this site that was apparently written in 1999.
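As an added example (not from the original post), here is a small Python helper a mail-filter or analyst can run over a suspicious link: it normalises the host of a URL to its dotted-quad form, so the DWORD, hex, octal and short-form spellings above all come out as the same address, and flags links whose host was written in one of those disguised forms. The sample URLs are constructed.

```python
import ipaddress
from urllib.parse import urlsplit


def _octet(text):
    """Parse one label the way classic inet_aton does: 0x.. hex, leading 0 octal, else decimal."""
    text = text.lower()
    if text.startswith("0x"):
        return int(text[2:], 16)
    if len(text) > 1 and text.startswith("0"):
        return int(text, 8)
    return int(text, 10)


def canonical_ipv4(host):
    """Dotted-quad for an IPv4 literal written with 1 to 4 labels, or None if it is not one.

    With fewer than four labels the last one fills the remaining bytes, so
    '2915222666' (one label) and '173.194.50314' (three) both mean 173.194.196.138.
    """
    labels = host.split(".")
    if not 1 <= len(labels) <= 4:
        return None
    try:
        values = [_octet(label) for label in labels]
    except ValueError:
        return None  # a hostname such as www.google.com, not a numeric literal
    if any(not 0 <= v <= 255 for v in values[:-1]):
        return None
    tail_bytes = 4 - (len(values) - 1)
    if not 0 <= values[-1] < 256 ** tail_bytes:
        return None
    packed = 0
    for v in values[:-1]:
        packed = (packed << 8) | v
    packed = (packed << (8 * tail_bytes)) | values[-1]
    return str(ipaddress.IPv4Address(packed))


def inspect_link(url):
    """Report where a link really goes and whether its host was written in a disguised form."""
    host = urlsplit(url).hostname or ""
    real = canonical_ipv4(host)
    return {
        "host_as_written": host,
        "resolves_to": real,  # None means the host is a name, not an IP literal
        "obfuscated_ip": real is not None and real != host,
    }
```

`inspect_link("http://2915222666/wwwdotrealwebsitedotcom/mail")` reports `resolves_to` 173.194.196.138 and `obfuscated_ip` True, which is exactly the shape of the spam link described below.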

The reason I discovered all this is a link in a spam/malware email sent to some users at work. The link was along the lines of this: http://[ten digit number]/wwwdotrealwebsitedotcom/mail. Now keep in mind, the email made no attempts beyond this to mask the link. It was not hidden until you hovered over it, or anything like that. It even included a “helpfully” fully written-out version of the link for users having trouble, so they could copy and paste it into the browser.

It claimed to be a link to an encrypted email message, so the strange URL seemed almost plausible.

The link really led out to the IP address represented by that ten-digit number, and not to the real, unrelated domain included in the link. The malware website was clearly designed to have the valid domain appear in its address, but hid the real destination (the IP address) behind that DWORD integer. The link led to a Russian-owned IP address that tried to download a Trojan disguised as an MS Word compatibility pack.

I normally have a very sharp eye when it comes to spotting bullshit URLs, and other things like this. So, the fact that this one looked weird to me, but didn’t set off any alarm bells right away could have been a very bad thing, and this bothered me.

After my research, I now have a much better understanding of an older, somewhat sophisticated technique for masking where a bullshit link really leads. I wanted to share that information, in one place, in a hopefully easier-to-find way.

Maybe this was just a weird fluke, or maybe we are going to start to see more attacks like this.