Security Response

Spamming with dotted decimal URL (a dotted decimal URL refers to the four-byte IP address notation as a sequence of four decimal numbers separated by dots) is one of the most often seen URL-obfuscation techniques employed by spammers. Unfortunately, to the computer, an IP address is just a 32-bit binary number, and a dotted decimal is just one out of the many numeral systems for IP address expression. With this flexibility in interpretation, spammers have developed a new way to obfuscate their URLs; they start converting their dotted decimal URLs into different numeral systems.

Below are some of the IP address numeral system obfuscation techniques Symantec has observed of spammers. (All of the samples below are just different numeral representations of the IP address for Symantec.com)

An IP address converted to hexadecimal format. (Hexadecimal is a base-16 numeral system.)

• http://0xD80C9114

An IP address...

Fake e-card pickup notices are typically used to deliver malware; however, in the past several weeks Symantec has noticed a series of online pharmacy attacks employing the same strategy. To pick up an e-card, the recipient must click on a link in the message. These links take you to the e-card site and display your card. As with an e-card malware attack, the spammer has replaced this link with one of their cleverly crafted URL traps.

The observed messages appear as if they were sent from some of the more well known online greeting card service providers. However, unlike any legitimate e-card pickup notices, the link will redirect you to an online pharmacy site selling their wares at discount prices.

Here is what the message looks like in an inbox:

A legitimate e-card collection notice will usually provide the name or...