Phishers hide scam links with IPv6 trick in 'free toothbrush' emails
A recurring phishing scheme impersonates United Healthcare, offering a free Oral-B toothbrush as bait. The scammers have evolved their tactics, now using IPv6-mapped IPv4 addresses to obfuscate links in emails. This technique makes the IP addresses appear confusing while remaining valid and routable. The phishing emails direct victims to fast-rotating landing pages, likely aiming to collect personal information and card data under the guise of confirming eligibility or paying for shipping. The article provides technical details on how the IPv6 trick works and offers advice on staying safe, including steps to take if personal information has been compromised.
AI Analysis
Technical Summary
This phishing campaign targets users by impersonating United Healthcare and enticing them with a free Oral-B toothbrush offer. The attackers have advanced their evasion techniques by embedding scam links using IPv6-mapped IPv4 addresses within the emails. This IPv6 trick involves representing IPv4 addresses in IPv6 format, which appears confusing but remains valid and routable, thereby bypassing some traditional detection mechanisms that focus on standard IPv4 or domain-based filtering. The phishing emails contain links that redirect victims to fast-rotating landing pages hosted on domains such as redirectingherenow.com and redirectofferid.pro, which are designed to harvest personally identifiable information (PII) and payment card data. The attackers likely use these rotating pages to avoid blacklisting and to prolong the campaign's effectiveness. The campaign leverages social engineering by requesting users to confirm eligibility or pay a nominal shipping fee, increasing the likelihood of victim compliance. Indicators of compromise include specific IP addresses (15.204.145.84, 81.17.142.40) and the aforementioned domains. The campaign is categorized under multiple MITRE ATT&CK techniques, including phishing (T1566), spearphishing via service (T1583.001), and user execution (T1204.001). There are no known exploits targeting software vulnerabilities; the threat is primarily based on deception and obfuscation. The campaign's medium severity reflects the moderate impact potential and the relative ease of exploitation through user interaction.
Potential Impact
The primary impact of this phishing campaign is the theft of sensitive personal and financial information, which can lead to identity theft, financial fraud, and unauthorized transactions. Organizations may face reputational damage if their brand is impersonated, as in this case with United Healthcare. Employees or customers falling victim could result in data breaches or financial losses. The use of IPv6-mapped IPv4 addresses complicates detection and mitigation efforts, potentially increasing the success rate of the scam. Fast-rotating landing pages reduce the effectiveness of blacklists and delay incident response. The campaign could also increase the workload on security teams due to the need for enhanced monitoring and user education. While no direct system compromise occurs, the indirect consequences of compromised credentials and stolen PII can be severe, including regulatory penalties and loss of customer trust.
Mitigation Recommendations
1. Implement advanced email filtering solutions capable of detecting obfuscated IPv6-mapped IPv4 addresses and suspicious redirect patterns. 2. Deploy URL rewriting and inspection tools that normalize and analyze IPv6 addresses to identify malicious links. 3. Educate users regularly about phishing tactics, emphasizing skepticism toward unsolicited offers, especially those requesting personal or payment information. 4. Monitor and block known malicious domains and IP addresses associated with this campaign (e.g., redirectingherenow.com, redirectofferid.pro, 15.204.145.84, 81.17.142.40). 5. Use threat intelligence feeds to update detection rules promptly. 6. Encourage multi-factor authentication (MFA) to reduce the impact of credential theft. 7. Conduct phishing simulation exercises to improve user awareness. 8. Establish incident response procedures for suspected phishing incidents, including steps to contain and remediate compromised accounts. 9. Analyze email headers and links carefully to detect IPv6 obfuscation techniques. 10. Collaborate with ISPs and domain registrars to take down malicious infrastructure swiftly.
Affected Countries
United States, Canada, United Kingdom, Australia, Germany, France, Netherlands, India, Brazil, South Africa
Indicators of Compromise
- ip: 15.204.145.84
- ip: 81.17.142.40
- domain: redirectingherenow.com
- domain: redirectofferid.pro
Phishers hide scam links with IPv6 trick in 'free toothbrush' emails
Description
A recurring phishing scheme impersonates United Healthcare, offering a free Oral-B toothbrush as bait. The scammers have evolved their tactics, now using IPv6-mapped IPv4 addresses to obfuscate links in emails. This technique makes the IP addresses appear confusing while remaining valid and routable. The phishing emails direct victims to fast-rotating landing pages, likely aiming to collect personal information and card data under the guise of confirming eligibility or paying for shipping. The article provides technical details on how the IPv6 trick works and offers advice on staying safe, including steps to take if personal information has been compromised.
AI-Powered Analysis
Technical Analysis
This phishing campaign targets users by impersonating United Healthcare and enticing them with a free Oral-B toothbrush offer. The attackers have advanced their evasion techniques by embedding scam links using IPv6-mapped IPv4 addresses within the emails. This IPv6 trick involves representing IPv4 addresses in IPv6 format, which appears confusing but remains valid and routable, thereby bypassing some traditional detection mechanisms that focus on standard IPv4 or domain-based filtering. The phishing emails contain links that redirect victims to fast-rotating landing pages hosted on domains such as redirectingherenow.com and redirectofferid.pro, which are designed to harvest personally identifiable information (PII) and payment card data. The attackers likely use these rotating pages to avoid blacklisting and to prolong the campaign's effectiveness. The campaign leverages social engineering by requesting users to confirm eligibility or pay a nominal shipping fee, increasing the likelihood of victim compliance. Indicators of compromise include specific IP addresses (15.204.145.84, 81.17.142.40) and the aforementioned domains. The campaign is categorized under multiple MITRE ATT&CK techniques, including phishing (T1566), spearphishing via service (T1583.001), and user execution (T1204.001). There are no known exploits targeting software vulnerabilities; the threat is primarily based on deception and obfuscation. The campaign's medium severity reflects the moderate impact potential and the relative ease of exploitation through user interaction.
Potential Impact
The primary impact of this phishing campaign is the theft of sensitive personal and financial information, which can lead to identity theft, financial fraud, and unauthorized transactions. Organizations may face reputational damage if their brand is impersonated, as in this case with United Healthcare. Employees or customers falling victim could result in data breaches or financial losses. The use of IPv6-mapped IPv4 addresses complicates detection and mitigation efforts, potentially increasing the success rate of the scam. Fast-rotating landing pages reduce the effectiveness of blacklists and delay incident response. The campaign could also increase the workload on security teams due to the need for enhanced monitoring and user education. While no direct system compromise occurs, the indirect consequences of compromised credentials and stolen PII can be severe, including regulatory penalties and loss of customer trust.
Mitigation Recommendations
1. Implement advanced email filtering solutions capable of detecting obfuscated IPv6-mapped IPv4 addresses and suspicious redirect patterns. 2. Deploy URL rewriting and inspection tools that normalize and analyze IPv6 addresses to identify malicious links. 3. Educate users regularly about phishing tactics, emphasizing skepticism toward unsolicited offers, especially those requesting personal or payment information. 4. Monitor and block known malicious domains and IP addresses associated with this campaign (e.g., redirectingherenow.com, redirectofferid.pro, 15.204.145.84, 81.17.142.40). 5. Use threat intelligence feeds to update detection rules promptly. 6. Encourage multi-factor authentication (MFA) to reduce the impact of credential theft. 7. Conduct phishing simulation exercises to improve user awareness. 8. Establish incident response procedures for suspected phishing incidents, including steps to contain and remediate compromised accounts. 9. Analyze email headers and links carefully to detect IPv6 obfuscation techniques. 10. Collaborate with ISPs and domain registrars to take down malicious infrastructure swiftly.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.malwarebytes.com/blog/scams/2026/03/phishers-hide-scam-links-with-ipv6-trick-in-free-toothbrush-emails"]
- Adversary
- null
- Pulse Id
- 69b7da2d8e7e63b7e768049a
- Threat Score
- null
Indicators of Compromise
Ip
| Value | Description | Copy |
|---|---|---|
ip15.204.145.84 | — | |
ip81.17.142.40 | — |
Domain
| Value | Description | Copy |
|---|---|---|
domainredirectingherenow.com | — | |
domainredirectofferid.pro | — |
Threat ID: 69b7dcda9d4df451834d1c52
Added to database: 3/16/2026, 10:35:06 AM
Last enriched: 3/16/2026, 10:50:19 AM
Last updated: 3/16/2026, 9:36:57 PM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.