Internet marketing resources, ecommerce web site design tutorials and  just for fun - free cell phone ringtones!
  Taming the Beast - quality web marketing and ecommerce development services

Curious phishing ploy

Posted by Michael Bloch in online world (Thursday May 31, 2007 )

A question for the DNS boffins out there :). I received a phishing email posing as an eBay notification an hour or so ago. Nothing unusual there. The URL in the source code looked something like this 0x3a669dfd/etc/etc…

I thought “haha! They screwed up their own phishing attempt, no tail extension on that funky domain name”.

But here’s the weird thing.. that first part of the URL; “0x3a669dfd” (I’ve only changed one letter in case anyone gets curious and tries to visit it and something nasty happens), I dumped into my appropriately protected browser and I could see it was trying to resolve – an IP address came up in the status bar. Just to clarify, 0x3a669dfa did not have any sort of tail extension.

I then started experimenting with other random combinations such as:


that was trying to resolve to the IP:

All sorts of similar length number and letter combinations input directly into my browser address bar and without a tail extension attempted to resolve to various IP addresses, so I’m assuming that the phishing email combination resolves to an IP hosting a live phishing site – I didn’t hang around long enough to find out.

Can anyone tell me why/how this translation is happening? I’m just very curious about it.


Comments for Curious phishing ploy

No comments yet.

Sorry, the comment form is closed at this time.