eBanking Phishing Delivered Through IPv4-Mapped IPv6 Address, (Fri, Jun 19th)
SANS ISC
Published: 2026-06-19. Last Updated: 2026-06-19 07:05:36 UTC
by Xavier Mertens (Version: 1)
I detected an interesting phishing email this morning. It targets a major Belgian bank:
The phishing itself is a classic one and not relevant, but the malicious link is interesting:
hxxp://[::ffff:5511:74be]/kWC5PHA1
The attacker's technique is meant to bypass simple security controls that try to extract domain names and IP addresses via simple regular expressions. The “[…]” notation tells the URL parser that what's inside is a literal IPv6 address. But it’s not a real IPv6 address. What’s the magic?
The leading “::” in the address means that it can be expanded to this address:
0000:0000:0000:0000:0000:ffff:5511:74be
The trick is that the fifth group (::ffff:) means that we are facing an IPv4-mapped IPv6 address. This is defined in RFC 4291[1]:
In the URL above, the two trailing 16-bit hex groups “5511” and “74be” are just the four IPv4 octets written in hex.
Hex Dec
0x55 85
0x11 17
0x74 116
0xBE 190
The real URL is therefore:
hxxp://85[.]17[.]116[.]190/kWC5PHA1
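Added example, not from the original diary: a Python sketch of how a URL/IoC extractor can parse bracketed hosts and recover the embedded IPv4 address, so that blocklists and log searches keyed on dotted-quad addresses still match. The function names, regular expressions and sample text are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Naive extractor of the kind described above: dotted-quad IPv4 only.
NAIVE_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# URL candidates, accepting defanged "hxxp" and bracketed IPv6 literals.
URL_RE = re.compile(r"\bh(?:tt|xx)ps?://[^\s\"'<>]+", re.IGNORECASE)


def embedded_ipv4(host):
    """Return the IPv4 address inside an IPv4-mapped IPv6 literal, else None."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # a domain name or a malformed literal
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return None


def extract_indicators(text):
    """Return (url, host, mapped_ipv4) for every URL found in text."""
    results = []
    for match in URL_RE.finditer(text):
        url = match.group(0)
        try:
            host = urlsplit(url).hostname or ""
        except ValueError:
            continue  # bracketed host that is not a valid IP literal
        results.append((url, host, embedded_ipv4(host)))
    return results


# Constructed mail body: the diary's defanged URL plus two control cases.
SAMPLE = (
    "Click hxxp://[::ffff:5511:74be]/kWC5PHA1 to verify.\n"
    "Help: hxxps://[2001:db8::1]/faq and hxxps://example.com/login\n"
)

if __name__ == "__main__":
    print("naive regex hits:", NAIVE_IPV4.findall(SAMPLE))
    for url, host, ipv4 in extract_indicators(SAMPLE):
        print(f"{url} host={host} mapped_ipv4={ipv4}")
```

The same function also handles the mixed notation `::ffff:85.17.116.190`, which the `ipaddress` module parses to the same address.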
More good news from the attacker’s point of view: there is no DNS record!
When visited, this URL redirects to another link where the real phishing kit is hosted:
hxxps://3439-aanmelden[.]verificatie[.]qzz[.]io/mon-belfius
[1] https://www.rfc-editor.org/info/rfc4291/
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
Keywords: Phishing RFC4291 Mapping IPv6 IPv4