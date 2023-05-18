



Google offers a new .zip web domain for users who want to know they’re “fast, efficient, and ready to go.” On paper, it sounds pretty good, but the similarities between this domain and the popular zip file format make it one of the easiest ways to trick web users into downloading dangerous files. There is concern that

I can see why you were concerned about the new .zip Top Level Domain (TLD). Assuming you are trying to download the CPU-Z software, you are expected to visit the CPUID website at the URL www.cpuid.com/downloads/cpu-z/cpu-z.2.05-en.zip.

Google’s new .zip TLD allows links that look very similar, but are very dangerous dupes. For example, this link goes nowhere, but you don’t have to try it: www.cpuid.com/downloads/cpu-z∕@cpu-z.2.05-en.zip.

Most web-savvy users will probably notice the illegal @ in there and think twice before clicking on that URL, but they may well miss the Unicode character U+2215 masquerading as a forward slash. Sneaky.

As security researcher bobbyr points out in a Medium blog post, most modern browsers ignore the information before the @ and only use the hostname following the @. This means that typing https://[email protected] will direct most browsers to bing.com. Adding a slash before the @ in the URL does the opposite. Using https://google.com/[email protected] will take you to Google.

That’s where the Unicode characters U+2215 and U+2044 come in. These look a lot like forward slashes, but they are different characters, and they are allowed in the hostname portion of a URL. This means an attacker can create fake URLs that look fairly authentic and send users to dangerous .zip domains disguised as legitimate downloads. That domain could host a real .zip file containing just about anything, including malware.
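The two tricks described above (userinfo before an @ being discarded, and slash lookalikes keeping the whole fake path inside that userinfo) can be checked mechanically. The following link checker is an added example, not code from the article or from bobbyr’s post. It applies the parsing rule the article describes: the authority runs from after `://` to the first real `/`, `?` or `#`, and everything before the last `@` in it is userinfo. The sample URLs in the block are constructed for illustration; only the legitimate CPUID download link comes from the article.

```python
from __future__ import annotations

import unicodedata

# Unicode code points that render like "/" but are ordinary characters to a
# URL parser. The article names U+2215 (DIVISION SLASH) and U+2044 (FRACTION SLASH).
SLASH_LOOKALIKES = ("\u2215", "\u2044")

# TLDs that double as common file extensions; the article discusses .zip.
FILE_LIKE_TLDS = {"zip"}


def split_authority(url: str) -> tuple[str | None, str]:
    """Return (userinfo, host) the way a browser would see them.

    The authority section ends at the first real '/', '?' or '#'. Anything
    before the last '@' inside it is userinfo, which browsers ignore when
    deciding where to connect. Bracketed IPv6 hosts are not handled here.
    """
    rest = url.split("://", 1)[1] if "://" in url else url
    end = len(rest)
    for sep in "/?#":
        pos = rest.find(sep)
        if pos != -1:
            end = min(end, pos)
    authority = rest[:end]
    userinfo, at, hostport = authority.rpartition("@")
    host = hostport.split(":", 1)[0].lower()  # drop any port, normalise case
    return (userinfo if at else None), host


def analyze_url(url: str) -> dict:
    """Return the effective host plus a list of red flags for a link."""
    flags = []
    # Flag every slash lookalike, wherever it appears in the string.
    for c in sorted({c for c in url if c in SLASH_LOOKALIKES}):
        flags.append(f"U+{ord(c):04X} {unicodedata.name(c)} used where '/' is expected")
    userinfo, host = split_authority(url)
    if userinfo is not None:
        flags.append(f"userinfo {userinfo!r} before '@' is discarded; browser goes to {host!r}")
    tld = host.rpartition(".")[2]
    if tld in FILE_LIKE_TLDS:
        flags.append(f"host {host!r} ends in .{tld}, a TLD that reads like a file name")
    return {"host": host, "flags": flags}


def is_suspicious(url: str) -> bool:
    return bool(analyze_url(url)["flags"])


if __name__ == "__main__":
    # Constructed samples: the first is the legitimate link quoted in the
    # article; the second replaces every '/' after the scheme with U+2215 so
    # the whole fake path becomes userinfo and the real host is a .zip domain.
    samples = [
        "https://www.cpuid.com/downloads/cpu-z/cpu-z.2.05-en.zip",
        "https://www.cpuid.com\u2215downloads\u2215cpu-z\u2215@cpu-z.2.05-en.zip",
        "https://google.com@bing.com",   # goes to bing.com
        "https://google.com/@bing.com",  # goes to google.com
    ]
    for s in samples:
        report = analyze_url(s)
        print(f"{s}\n  host: {report['host']}")
        for f in report["flags"]:
            print(f"  ! {f}")
```

The checker deliberately scans the whole string for lookalike characters rather than only the authority, because a lookalike anywhere is a sign the link was crafted to mislead, even when it happens to resolve to the intended site.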

It’s a bit complicated, but you can see the potential problems here, especially for those who are not internet savvy or in a hurry.

However, not everyone agrees that this is a new breed of phishing attack. Troy Hunt, Microsoft Regional Director and creator of HaveIBeenPwned, suggests there’s nothing new to worry about here.

Hunt goes back to the argument that, after all, humans are “bad at URLs, TLDs don’t matter.” He suggests that even when presented with a deliberately deceptive address, most people have no idea what they are looking at, whether or not it resembles a .zip file.

“Most people don’t know when a URL that *seems* workable is completely wrong,” says Hunt.

But the point is, this really doesn’t matter much to security researchers. They will almost certainly catch it. The problem is ordinary Internet users, who are not tech savvy. .zip has become synonymous with a file format, so including it in a web domain feels needlessly confusing.

The guidance provided in the Medium blog post to help users avoid .zip phishing attacks is perfectly valid. Beware of odd characters in URLs and of URLs containing an @ symbol followed by a .zip domain, and be careful when downloading files sent by unknown senders.

In fact, the last one is the best advice for avoiding phishing. Scams impersonating well-known companies, services, and even acquaintances are among the most dangerous.

You don’t need me to tell you this, but always be careful what links you click on.

