Rummaging through my spam e-mails tonight, I saw a PayPal phishing scam. It was obvious enough, but I often look at the URL they present because, if it’s a Geocities or similar account, I try to report it. Anyway, the fake URL they gave was:
This is an IP address in numeric form. The “0x” indicates that the number is hexadecimal. Each pair of hex digits corresponds to one of the numbers between the dots (as IP addresses are normally written).
So,
hex db = dec 219
hex 91 = dec 145
hex 82 = dec 130
hex 7a = dec 122
The IP address is 219.145.130.122 which is owned by China Telecom. For obvious reasons, I won’t list the complete URL.
This encoding will not work in all browsers. I tried it in Safari and it didn’t work. Interestingly, Firefox (Mac) automatically went to a page on DSL reports and told me this was a URL used for phishing. I didn’t know Firefox did this. Well done Firefox!
Let me correct several errors in my last paragraph:
This encoding will not work in all browsers. I tried it in Safari and I got a message that Safari “can’t find the server ‘0xdb91827a’”. Interestingly, Firefox (Mac) automatically redirected to a page on DSL reports which indicated that this was a URL used for phishing. I didn’t know Firefox did this. Well done Firefox!
Not to say Firefox doesn’t deserve praise, but are you sure this specific behavior isn’t due to Google? Firefox by default performs a Google “I’m feeling lucky” search whenever it encounters a URL it can’t handle, and 0xdb91827a on Google leads right to the dslreports page. So maybe Google, as the Omniscient Overlord of All Human Knowledge, is to thank here?
Funny, when I try it in Firefox (version 1.5.0.3) I get a 404 Error. When I go to h++p://0xdb91827a I just get the standard “Test Page for Apache” message that says:
Most likely the phishers sent the email, had the fake site up, caught some phishees and moved on so as to not get caught. If you go to http://219.145.130.122 (the de-coded URL) in any browser (I did it in IE) you’ll see the Apache test message, meaning whoever was there before ain’t there no more.