Phishers hide scam links with IPv6 trick in “free toothbrush” emails
2026-3-11 18:17:56 Author: www.malwarebytes.com

A recurring lure in phishing emails impersonating United Healthcare is the promise of a free Oral-B toothbrush. But the interesting part isn’t the toothbrush. It’s the link.

Two examples of phishing emails

Recently we found that these phishers have moved from using Microsoft Azure Blob Storage, with links looking like this:

https://{string}.blob.core.windows.net/{same string}/1.html

to links obfuscated by using an IPv6-mapped IPv4 address to hide the IP in a way that looks confusing but is still perfectly valid and routable. For example:

http://[::ffff:5111:8e14]/

In URLs, putting an IP in square brackets means it’s an IPv6 literal. So [::ffff:5111:8e14] is treated as an IPv6 address.

::ffff:x:y is a standard form called an IPv4-mapped IPv6 address, used to represent an IPv4 address inside IPv6 notation. The last 32 bits (the x:y part) encode the IPv4 address.

So we need to convert 5111:8e14 to an IPv4 address. 5111 and 8e14 are hexadecimal numbers. In theory that means:

  1. 0x5111 in decimal = 20753
  2. 0x8e14 in decimal = 36372

But for IPv4-mapped addresses we really treat those last 32 bits as four bytes. If we unpack 0x51 0x11 0x8e 0x14:

  1. 0x51 = 81
  2. 0x11 = 17
  3. 0x8e = 142
  4. 0x14 = 20

So, the IPv4 address this URL leads to is 81.17.142.20.
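The same conversion can be automated when triaging links from reported emails, so the decoded IPv4 address can be checked against blocklists. This is an added example, not code from the original article: the function names and the sample body are constructed for illustration, and it goes beyond the single form shown above by also handling the uncompressed and dotted-quad spellings of a mapped address.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample text; only the first URL appears in the article.
SAMPLE_BODY = """
Claim your reward: http://[::ffff:5111:8e14]/
Mirror: http://[0:0:0:0:0:ffff:81.17.142.20]:8080/offer?id=1
Docs: https://[2001:db8::1]/readme
Site: https://example.com/
"""

URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)


def embedded_ipv4(url):
    """Return the IPv4 address inside an IPv4-mapped IPv6 URL host, else None."""
    try:
        host = urlsplit(url).hostname  # urlsplit strips the square brackets
        addr = ipaddress.ip_address(host or "")
    except ValueError:
        return None  # host is a name or a malformed literal: nothing to decode
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)  # last 32 bits read as four bytes
    return None


def find_mapped_links(text):
    """Map each URL whose host is an IPv4-mapped IPv6 literal to its IPv4 address."""
    hits = {}
    for url in URL_RE.findall(text):
        ipv4 = embedded_ipv4(url)
        if ipv4 is not None:
            hits[url] = ipv4
    return hits


if __name__ == "__main__":
    for url, ipv4 in find_mapped_links(SAMPLE_BODY).items():
        print(f"{url} -> {ipv4}")
```

Ordinary IPv6 literals and hostnames are ignored, so only the mapped form is surfaced for review.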

The emails are variations on a bogus reward from scammers pretending to be United Healthcare that uses a premium Oral‑B iO toothbrush as bait. Victims are sent to a fast‑rotating landing page where the likely endgame is the collection of personally identifiable information (PII) and card data under the guise of confirming eligibility or paying a small shipping fee.

How to stay safe

What to do if you entered your details

If you submitted your card details:

  • Contact your bank or card issuer immediately and cancel the card
  • Dispute any unauthorized charges
  • Don’t wait for fraud to appear. Stolen card data is often used quickly
  • Change passwords for accounts linked to the email address you provided
  • Run a full scan with a reputable security product

Other ways to stay safe:

Indicators of Compromise (IOCs)

81.17.142.40

15.204.145.84

redirectingherenow[.]com

redirectofferid[.]pro



About the author

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.


Source: https://www.malwarebytes.com/blog/scams/2026/03/phishers-hide-scam-links-with-ipv6-trick-in-free-toothbrush-emails