IPv6 Obfuscation Tactics in Healthcare Phishing: Analyzing the "Free Toothbrush" Campaign

Executive Summary

A phishing campaign targeting United Healthcare beneficiaries has recently resurfaced, using a "premium Oral-B toothbrush" lure to harvest Personally Identifiable Information (PII) and credit card details. What distinguishes this campaign from previous iterations is the use of IPv4-mapped IPv6 addresses to obfuscate the malicious destination URLs. By replacing a domain name or dotted-quad IP with a bracketed IPv6 literal in the ::ffff: form, the threat actors slip past link scanners that pattern-match on domains or IPv4 addresses and slow down analysts tracing the traffic. SecLookup is actively monitoring this threat and has identified and blocked the associated infrastructure. This post details the mechanics of the evasion technique, the indicators of compromise (IOCs), and defensive recommendations for SOC teams and end-users.

Threat Analysis

The Lure: Baiting and Impersonation

The campaign maps to T1566.002 (Phishing: Spearphishing Link): an email impersonating a trusted entity, United Healthcare, carries a link rather than an attachment. The lure, a "premium Oral-B iO toothbrush," is classic baiting (offering something desirable for free so that the victim takes an action they otherwise would not). The promise of a gift lowers the victim's guard, making them more likely to overlook security warnings.

The Evasion: IPv6-Mapped Addressing

Traditionally, phishers have hosted their landing pages on Azure Blob Storage or on look-alike domains. This campaign has pivoted to a more technical evasion method: IPv4-mapped IPv6 addresses.

In the provided examples, malicious links previously looked like standard URLs pointing to Azure storage. Now they use the form http://[::ffff:5111:8e14]/. This is a valid URL: RFC 3986 allows an IPv6 literal in square brackets as the host, and browsers and HTTP client libraries accept it. The ::ffff: prefix is the IPv4-mapped IPv6 form defined in RFC 4291: the high 96 bits are 0:0:0:0:0:ffff and the low 32 bits carry an IPv4 address, so the same host could equally be written [::ffff:81.17.142.20]. A dual-stack network stack recognises the prefix and opens an ordinary IPv4 connection to that address.

Technical Breakdown

The threat actor writes the IPv4 address in IPv4-mapped IPv6 form to hide the destination IP. Let's decode the hex string 5111:8e14 from the example:

  1. Hexadecimal Conversion: The string is split into two 16-bit groups: 5111 and 8e14.

  2. Byte Unpacking: The low 32 bits (the two 16-bit groups after ::ffff:) are read as four bytes.

    • 0x51 = 81 (Decimal)

    • 0x11 = 17 (Decimal)

    • 0x8e = 142 (Decimal)

    • 0x14 = 20 (Decimal)

  3. Final IP: This results in the IPv4 address 81.17.142.20.

Nothing is actually routed over IPv6. The client's socket layer translates the mapped literal back to an IPv4 connection to 81.17.142.20. What the technique defeats is tooling that pattern-matches on dotted-quad IPs or domain names: a URL scanner, proxy rule, or analyst that does not canonicalise the literal sees neither an IP nor a domain on its blocklist, and must perform the hex-to-decimal conversion by hand to identify the malicious server.
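The decoding steps above, as an added worked example (this is editorial code, not code from the original post or from SecLookup). It follows the hand conversion first, then uses Python's standard ipaddress module to do the same thing for every spelling RFC 4291 allows for the mapped address, which goes a little beyond the single literal the post shows; all sample URLs other than http://[::ffff:5111:8e14]/ are constructed for illustration.

```python
"""Decode IPv4-mapped IPv6 literals of the kind used in the campaign.

Added worked example (not code from the original post or from SecLookup).
Only http://[::ffff:5111:8e14]/ is the form quoted in the post; the other
sample URLs below are constructed to show equivalent spellings.
"""
import ipaddress
from urllib.parse import urlsplit


def decode_manually(hex_groups: str) -> str:
    """Follow the post's hand conversion: the two 16-bit hex groups after
    ::ffff: form 32 bits; read them as four bytes and print a dotted quad."""
    high, low = (int(g, 16) for g in hex_groups.split(":"))
    value = (high << 16) | low                 # e.g. 0x51118e14
    octets = [(value >> shift) & 0xFF for shift in (24, 16, 8, 0)]
    return ".".join(str(o) for o in octets)    # '81.17.142.20'


def embedded_ipv4(host: str):
    """Return the IPv4 address hidden in an IPv6 host literal, or None.

    Handles every spelling of the same mapped address: ::ffff:5111:8e14,
    ::FFFF:5111:8E14, ::ffff:81.17.142.20 and the uncompressed
    0:0:0:0:0:ffff:5111:8e14. A plain IPv4 host is returned unchanged;
    ordinary IPv6 hosts and domain names yield None.
    """
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None                            # a domain name, not a literal
    if isinstance(addr, ipaddress.IPv4Address):
        return addr
    return addr.ipv4_mapped                    # IPv4Address or None


def unmask_url(url: str):
    """Extract the host from a URL and return its real IPv4 target (or None).

    urlsplit().hostname strips the [] around an IPv6 literal and lowercases
    it, so the same code serves domains, dotted quads and bracketed literals.
    """
    host = urlsplit(url).hostname
    if host is None:
        return None
    v4 = embedded_ipv4(host)
    return str(v4) if v4 is not None else None


if __name__ == "__main__":
    samples = [
        "http://[::ffff:5111:8e14]/",            # form quoted in the post
        "http://[::FFFF:5111:8E14]/offer",       # same address, upper-case hex
        "http://[::ffff:81.17.142.20]/",         # same address, dotted form
        "http://[0:0:0:0:0:ffff:5111:8e14]/",    # uncompressed form
        "http://[2001:db8::1]/",                 # genuine IPv6 literal, not mapped
        "http://redirectofferid.pro/",           # domain from the IOC list
    ]
    print("manual decode of 5111:8e14 ->", decode_manually("5111:8e14"))
    for u in samples:
        print(f"{u:40s} -> {unmask_url(u)}")
```

The point of the ipaddress-based path is that a blocklist lookup should happen on the decoded address, not on the literal string: four different strings above all resolve to 81.17.142.20, and a regex written for one of them misses the other three.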

The Infrastructure

The victims are directed to fast-rotating landing pages. The ultimate goal is not the toothbrush but the theft of credit card information under the guise of paying a "shipping fee" or confirming eligibility. Once the victim submits their card details, the data is transmitted to a backend server controlled by the threat actor.

MITRE ATT&CK Reference

  • T1566.002: Phishing: Spearphishing Link

  • T1071.001: Application Layer Protocol: Web Protocols

  • URL obfuscation via IPv4-mapped IPv6 literals: ATT&CK has no dedicated sub-technique for this; the closest fit is T1027 (Obfuscated Files or Information), and it is best tracked as a campaign-specific indicator.

Indicators of Compromise (IOCs)

SecLookup's threat intelligence platform has identified the following malicious infrastructure associated with this campaign. These indicators should be blocked immediately in network firewalls and email security gateways.

Domains

redirectofferid[.]pro

IP Addresses

81.17.142.20
15.204.145.84
81.17.142.40

Malicious URL Pattern

http://[::ffff:5111:8e14]/

(Note: The hex string 5111:8e14 converts to the IP 81.17.142.20 as detailed above. Similar literals with different hex values map to other IPs in the attacker's infrastructure, so block on the decoded address rather than on this exact string.)

SecLookup Detection

SecLookup is actively detecting and blocking this threat. Our threat intelligence platform has updated our blocking lists to include the malicious domain redirectofferid[.]pro and the associated IP addresses 81.17.142.20, 15.204.145.84, and 81.17.142.40.

Recommendations

For Security Teams

  1. Update Blocking Rules: Ensure your email security gateway (ESG) and next-generation firewall (NGFW) include the IPs listed in the IOCs section.

  2. Monitor for IPv6 Literals: Configure SIEM alerts on URLs whose host is a bracketed IPv6 literal, and in particular on the ::ffff: (IPv4-mapped) prefix. Match on the decoded address, not the literal text: the same host can be written ::ffff:5111:8e14, ::FFFF:5111:8E14, ::ffff:81.17.142.20 or 0:0:0:0:0:ffff:5111:8e14, so canonicalise the host to a dotted quad before comparing it with the IOC list. IPv6 literals are rare in legitimate marketing email, so the false-positive rate is low, but expect some from internal tools that link by address.

  3. Domain Reputation: Block the domain redirectofferid[.]pro immediately.
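The detection logic in recommendation 2, run over a few sample proxy log lines, as an added example (editorial code, not SecLookup's detection or any vendor's rule). The key=value log layout (src=, url=, action=) is an assumed format, the log lines are constructed, and the three IPs and the domain are the IOCs listed above; the mapped_literal helper additionally produces the obfuscated spelling of each IOC for tools that can only do substring matching.

```python
"""Detection sketch: find IPv6-literal URLs in proxy logs and match them
against the campaign IOCs after canonicalising the host.

Added example; not code from the original post or from SecLookup's platform.
The log lines are constructed and the key=value layout (src=, url=, action=)
is an assumed format, not any vendor's schema.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# IOCs from the post, undefanged so they can be matched.
BLOCKED_IPS = {"81.17.142.20", "15.204.145.84", "81.17.142.40"}
BLOCKED_DOMAINS = {"redirectofferid.pro"}

URL_RE = re.compile(r"\burl=(\S+)")


def canonical_host(host: str) -> str:
    """Dotted quad for IPv4 and for any spelling of an IPv4-mapped IPv6
    literal; compressed form for other IPv6 literals; lowercase for names."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host.lower()
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        return str(addr.ipv4_mapped)
    return str(addr)


def mapped_literal(ipv4: str) -> str:
    """Hex ::ffff: spelling of an IPv4 IOC, for tools limited to substring
    or regex matching that need the obfuscated form on their list."""
    b = ipaddress.IPv4Address(ipv4).packed
    return f"::ffff:{(b[0] << 8) | b[1]:x}:{(b[2] << 8) | b[3]:x}"


def classify(url: str) -> dict:
    """Describe one URL: real host, whether it used an IPv6 literal, whether
    that literal hid an IPv4 address, and whether it hits the IOC list."""
    parts = urlsplit(url)
    raw = parts.hostname or ""                  # brackets already stripped
    literal = "[" in parts.netloc               # IPv6 literal in the URL
    host = canonical_host(raw)
    mapped = literal and host.count(".") == 3   # literal that decoded to v4
    return {
        "url": url,
        "host": host,
        "ipv6_literal": literal,
        "ipv4_mapped": mapped,
        "blocked": host in BLOCKED_IPS or host in BLOCKED_DOMAINS,
    }


def scan(lines):
    """Return findings for URLs that hit the IOC list, plus any URL using an
    IPv4-mapped literal at all (rare enough in real traffic to alert on)."""
    findings = []
    for line in lines:
        m = URL_RE.search(line)
        if not m:
            continue
        r = classify(m.group(1))
        if r["blocked"] or r["ipv4_mapped"]:
            findings.append(r)
    return findings


SAMPLE_LOG = [  # constructed lines, not real telemetry
    "src=10.0.0.12 url=http://[::ffff:5111:8e14]/ action=allow",
    "src=10.0.0.12 url=http://[::ffff:5111:8e28]/confirm action=allow",
    "src=10.0.0.31 url=http://[::ffff:15.204.145.84]/pay action=allow",
    "src=10.0.0.31 url=https://redirectofferid.pro/?id=1 action=allow",
    "src=10.0.0.40 url=http://[::ffff:c0a8:101]/intranet action=allow",
    "src=10.0.0.40 url=http://[2001:db8::1]/ action=allow",
    "src=10.0.0.40 url=https://www.example.com/ action=allow",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        verdict = "BLOCKED IOC" if f["blocked"] else "suspicious mapped literal"
        print(f"{f['host']:22s} {verdict:26s} {f['url']}")
    print("obfuscated IOC spellings:",
          [mapped_literal(ip) for ip in sorted(BLOCKED_IPS)])
```

Three of the bracketed URLs decode to listed IOCs (the second one hides 81.17.142.40 as 5111:8e28), the plain domain hit is caught by name, and the ::ffff:c0a8:101 line is raised as suspicious even though 192.168.1.1 is on no list, which is the behaviour recommendation 2 asks for. The genuine IPv6 literal 2001:db8::1 is not flagged, so the alert keys on the mapped form rather than on brackets alone.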

For End-Users

  1. Verify the Source: Always check the sender's email address carefully. Scammers often use slight misspellings or variations of legitimate domains (e.g., united-healthcare-support[.]com instead of unitedhealthcare[.]com).

  2. Hover Before Clicking: Before clicking a link, hover your mouse over it to see the actual destination URL. If the destination is a bare address in square brackets (such as http://[::ffff:...]/) or a long string of characters that doesn't match the sender's domain, do not click.

  3. Do Not Pay Fees: If you receive a message claiming you need to pay a small shipping fee for a "free" item, it is a scam. Legitimate companies do not require payment to ship free gifts.

  4. Immediate Action if Compromised:

    • Contact your bank or credit card issuer immediately to cancel the card.

    • Dispute any unauthorized charges.

    • Run a full system scan with a reputable security product.
