Phishers hide scam links with IPv6 trick in “free toothbrush” emails

Phishing emails impersonating United Healthcare promise a free Oral‑B toothbrush to lure recipients to malicious landing pages that harvest PII and payment card data. Attackers have moved from Azure Blob Storage links to obfuscated IPv6‑mapped IPv4 URLs (e.g., http://[::ffff:5111:8e14]/ → 81.17.142.20) and use domains such as redirectingherenow[.]com and redirectofferid[.]pro.

Keypoints

  • Scammers impersonate United Healthcare and offer a premium Oral‑B toothbrush as bait in phishing emails to prompt clicks on malicious links.
  • Attackers previously used Microsoft Azure Blob Storage links but have shifted to obfuscating IP addresses using IPv6‑mapped IPv4 notation (e.g., [::ffff:5111:8e14]).
  • The IPv6‑mapped notation encodes the IPv4 address in the last 32 bits; 0x51 0x11 0x8e 0x14 converts to 81.17.142.20.
  • Victims are directed to fast‑rotating landing pages likely designed to collect personally identifiable information (PII) and card details under the guise of confirming eligibility or paying shipping fees.
  • Known IOCs tied to these campaigns include IP addresses (e.g., 81.17.142.40, 15.204.145.84) and malicious domains (redirectingherenow[.]com, redirectofferid[.]pro).
  • Recommended actions if you submitted payment details: contact your bank immediately, cancel the card, dispute charges, change linked passwords, and run a full security scan.

MITRE Techniques

  • None. The article does not mention any MITRE ATT&CK technique names or IDs.

Indicators of Compromise

  • [IP Address] phishing/landing pages – 81.17.142.40, 15.204.145.84 (the article also derives 81.17.142.20 from the IPv6‑mapped literal)
  • [Domain] redirectors used in campaign – redirectingherenow[.]com, redirectofferid[.]pro
  • [File name] landing page example – 1.html (used in Azure Blob Storage links such as https://{string}.blob.core.windows.net/{same string}/1.html)
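
The IPv6‑mapped notation from the key points defeats filters that compare the URL host as a string against IPv4 indicators. The following is an added example, not code from the article: it normalizes URL hosts in a message body so that any spelling of an IPv4‑mapped literal matches an IP blocklist. The function names, the sample body and the choice to flag every mapped literal are assumptions; the addresses are the ones listed above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# http(s) URLs; the character class also admits bracketed IPv6 hosts.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def normalize_host(host):
    """Return (canonical_host, was_ipv4_mapped).
    Any spelling of ::ffff:a.b.c.d is reduced to dotted IPv4."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host.lower(), False          # DNS name, not an IP literal
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped), True  # last 32 bits hold the IPv4 address
    return str(addr), False

def scan_body(body, ip_blocklist):
    """Return findings for URLs whose host is an IPv4-mapped literal
    or whose normalized address is on the blocklist."""
    findings = []
    for url in URL_RE.findall(body):
        try:
            host = urlsplit(url).hostname   # strips the [ ] around IPv6 hosts
        except ValueError:                  # malformed bracketed host
            host = None
        if not host:
            continue
        canonical, mapped = normalize_host(host)
        listed = canonical in ip_blocklist
        if mapped or listed:
            findings.append({"url": url, "ip": canonical,
                             "ipv4_mapped": mapped, "blocklisted": listed})
    return findings

# IP indicators from this page, including the address derived from the literal.
BLOCKLIST = {"81.17.142.40", "15.204.145.84", "81.17.142.20"}

# Constructed sample body (not a real message).
SAMPLE_BODY = """Claim your free toothbrush: http://[::ffff:5111:8e14]/
Support: https://example.com/help
Mirror: http://15.204.145.84/offer"""

if __name__ == "__main__":
    for finding in scan_body(SAMPLE_BODY, BLOCKLIST):
        print(finding)
```

Legitimate mail rarely links to a bracketed IPv4‑mapped literal, so the `ipv4_mapped` flag is useful as a signal even when the decoded address is not yet on any list.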


Read more: https://www.malwarebytes.com/blog/scams/2026/03/phishers-hide-scam-links-with-ipv6-trick-in-free-toothbrush-emails