A question for the DNS boffins out there :). I received a phishing email posing as an eBay notification an hour or so ago. Nothing unusual there. The URL in the source code looked something like this 0x3a669dfd/etc/etc…
I thought “haha! They screwed up their own phishing attempt, no tail extension on that funky domain name”.
But here’s the weird thing… that first part of the URL, “0x3a669dfd” (I’ve only changed one letter in case anyone gets curious and tries to visit it and something nasty happens), I dumped into my appropriately protected browser and I could see it was trying to resolve: an IP address came up in the status bar. Just to clarify, 0x3a669dfa did not have any sort of tail extension.
I then started experimenting with other random combinations such as:
0xdf9234
that was trying to resolve to the IP: 0.223.146.52
All sorts of similar length number and letter combinations input directly into my browser address bar and without a tail extension attempted to resolve to various IP addresses, so I’m assuming that the phishing email combination resolves to an IP hosting a live phishing site - I didn’t hang around long enough to find out.
Can anyone tell me why/how this translation is happening? I’m just very curious about it.
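The translation the post describes follows the classic inet_aton() host rules that browsers still honour: a host made of one to four numeric parts, each of which may be decimal, octal (leading 0) or hex (leading 0x), with the last part filling whatever bytes remain. The decoder below is an added example, not code from the original post or from any browser; the URLs it checks are constructed samples, and it shows why “0xdf9234” lands on 0.223.146.52 and how a mail filter could flag such hosts.

```python
"""Decode the non-standard IPv4 literals that browsers accept as URL hosts.

Constructed example, not from the original post. A URL host need not be a
name or dotted quad: "0xdf9234" is read as one 32-bit hex number and
becomes 0.223.146.52, which is why it resolved with no TLD at all.
"""
import re
from typing import Optional
from urllib.parse import urlsplit

# One part: hex (0x...), octal (leading 0) or plain decimal.
_PART = re.compile(r"^(0[xX][0-9a-fA-F]*|0[0-7]*|[1-9][0-9]*)$")


def _to_int(part: str) -> int:
    if part[:2].lower() == "0x":
        return int(part[2:] or "0", 16)   # a bare "0x" counts as 0
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)               # leading zero means octal
    return int(part, 10)


def decode_ipv4_literal(host: str) -> Optional[str]:
    """Return the dotted-decimal form if `host` is an inet_aton-style
    literal (1-4 parts, last part fills the low bytes), else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        return None
    nums = [_to_int(p) for p in parts]
    if any(n > 255 for n in nums[:-1]):
        return None
    last_width = 8 * (5 - len(nums))      # bits the final part may occupy
    if nums[-1] >= 1 << last_width:
        return None
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    value = (value << last_width) | nums[-1]
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def obfuscated_ip_host(url: str) -> Optional[str]:
    """If the URL's host is an IP written as anything other than plain
    dotted decimal, return the decoded address; otherwise None."""
    host = urlsplit(url).hostname or ""
    decoded = decode_ipv4_literal(host)
    if decoded is None or decoded == host:
        return None
    return decoded
```

Running `obfuscated_ip_host("http://0xdf9234/etc")` returns `"0.223.146.52"`, matching the status-bar address in the post, while a normal hostname or plain dotted quad returns `None`.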