The Hexadecimal URL Obfuscation Resurgence

For that past several days, Symantec has observed an increase in spam messages containing hexadecimal obfuscated URLs. Hexadecimal character codes are simply the hexadecimal number to letter representation for the ASCII character set. To a computer, hexadecimal is just one out of the many systems for address expressions on the Internet.

The following samples are different hexadecimal representations for

Hexadecimal only:


Hexadecimal and ASCII characters:   

(“http” and “com” are in ASCII characters and the rest of the URL is in hexadecimal)


(“http://www” is in hexadecimal and the rest of the URL is in ASCII characters)

Symantec has observed several hexadecimal URL obfuscation techniques used by spammers.

Hexadecimal resurgence 1.png

Figure 1. Spam email using hexadecimal URL obfuscation techniques

Hexadecimal resurgence 2.png

Figure 2. Source code of spam email (Figure 1.) using hexadecimal URL obfuscation techniques

Hexadecimal URL obfuscation is not a new spamming technique. The technique is used to evade anti-spam filters because anti-spam engines are sensitive to every single character in a message body. With the recent spike in hexadecimal spam volumes, Symantec will continue to monitor these attacks and will react accordingly.

Secret Bitcoin mining code added to e-sports software sparks outrage

Competitive video gaming community E-Sports Entertainment Association secretly updated its client software with Bitcoin-mining code that tapped players' computers to mint more than $3,600 worth of the digital currency, one of its top officials said Wednesday.

The admission by co-founder and league administrator Eric ‘lpkane’ Thunberg came amid complaints from users that their ESEA-supplied software was generating antivirus warnings, computer crashes, and other problems. On Tuesday, one user reported usage of his power-hungry graphics processor was hovering in the 90-percent range even when his PC was idle. In addition to consuming electricity, the unauthorized Bitcoin code could have placed undue strain on the user's hardware since the mining process causes GPUs to run at high temperatures.

"Turns out for the past 2 days, my computer has been farming bitcoins for someone in the esea community," the person with the screen name ENJOY ESEA SHEEP wrote. "Luckily I have family in the software forensics industry."

Read 9 remaining paragraphs | Comments

Thank you for not viewing: “Hidden” display ads hurt Web ad networks

A 3-D representation of a webpage used to deliver "invisible" display ads, with stacked ad spaces that visitors never see. Pages like these get stuffed into small ad slots in legitimate websites through ad networks.

There's more than one way to fleece people using Web advertising. Botnets have been harnessed to generate fake clicks by injecting fake links into search results and to click randomly on webpages the infected computer's user never sees. But fraudsters are starting to get more sophisticated in their efforts to get rich off Web advertising.

As Dr. Douglas de Jager, CEO of, reported in a blog post today, fraudulent advertising networks are now acting as middlemen between advertising networks placing Web display ads and those stuffing whole hidden webpages of ads into ad slots on legitimate sites. Instead of using bots, this sort of ad fraud uses real humans to generate the traffic—but it never actually shows them the ads that are served up to them.

Display advertising fraud targets ads that are paid for by pageview rather than by click. The use of real-time bidding to auction ad space on websites through exchanges such as Google's DoubleClick Ad Exchange and Microsoft's AdECN has made it possible for fraudulent ad traders to purchase an ad slot through one exchange and then sell it multiple times across others. They "fulfill" all those ads by putting them onto a webpage that gets served up within an ad slot on a legitimate site—with most of its ads hidden from view.

Read 3 remaining paragraphs | Comments

Spyware used by governments poses as Firefox, and Mozilla is angry

That's not the real Firefox, either.

Mozilla has sent a cease-and-desist letter to a company that sells spyware allegedly disguised as the Firefox browser to governments. The action follows a report by Citizen Lab, which identifies 36 countries (including the US) hosting command and control servers for FinFisher, a type of surveillance software. Also known as FinSpy, the software is sold by UK-based Gamma International to governments, which use it in criminal investigations and allegedly for spying on dissidents.

Mozilla revealed yesterday in its blog that it has sent the cease and desist letter to Gamma "demanding that these illegal practices stop immediately." Gamma's software is "designed to trick people into thinking it's Mozilla Firefox," Mozilla noted. (Mozilla declined to provide a copy of the cease and desist letter to Ars.)

The spyware doesn't infect Firefox itself, so a victim's browser isn't at risk. But the spyware "uses our brand and trademarks to lie and mislead as one of its methods for avoiding detection and deletion" and is "used by Gamma’s customers to violate citizens’ human rights and online privacy," Mozilla said. Mozilla continues:

Read 4 remaining paragraphs | Comments