Google’s recent move to introduce eight new top-level domains to the Internet has raised concerns that two of the additions will benefit online fraudsters who trick people into clicking malicious links.

The top-level domain, often abbreviated TLD, is the rightmost segment of a domain name. In the early days of the Internet, it helped classify the purpose, geographic region, or operator of a particular domain. For example, the .com TLD corresponded to sites operated by commercial organizations, .org was used for non-profit organizations, .net for Internet or network entities, and .edu for schools, universities, and the like. There are also country codes such as .uk for the UK, .ng for Nigeria, and .fj for Fiji. One of the earliest Internet communities, The WELL, was accessible at www.well.sf.ca.us.

Since then, the organizations managing Internet domains have deployed thousands of new TLDs. Two weeks ago, Google added eight new TLDs to the Internet, bringing the total number of TLDs to 1,480, according to the Internet Assigned Numbers Authority, the governing body that oversees DNS roots, IP addressing, and other Internet protocol resources.

Two of Google’s new TLDs, .zip and .mov, have drawn scorn in some security circles. Google’s marketers say their purpose is to signal, respectively, tying things together or moving very fast, and video or moving things, but these suffixes already have an entirely different and widely used meaning. Specifically, .zip is the extension used for archive files that use the compression format known as zip. The .mov extension, meanwhile, usually appears at the end of video files created in Apple’s QuickTime format.

Many security experts warn that these two TLDs will cause confusion when they appear in emails, social media, and elsewhere. The reason is that many sites and software automatically convert strings like “arstechnica.com” or “mastodon.social” into URLs that, when clicked, direct users to the corresponding domain. The concern is that emails and social media posts that reference files such as setup.zip and vacation.mov will be automatically converted into clickable links, and that scammers will take advantage of the ambiguity.
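The auto-linking behaviour described above is the crux of the problem, so here is an added example (not code from the article or from any of the sites or vendors it mentions) of how a defender might handle it in a mail gateway, chat bot, or web client: classify every dotted token in a message, and refuse to auto-link a bare name whose rightmost label is .zip or .mov unless the author typed an explicit scheme. The TLD list is a small constructed subset of real TLDs for demonstration; a real deployment would load the full IANA list.

```python
import re

# Constructed for this example: TLDs that collide with common file extensions.
COLLIDING_TLDS = {"zip", "mov"}

# Constructed subset of real TLDs for the demo; load IANA's list in production.
KNOWN_TLDS = {"com", "org", "net", "edu", "social", "zip", "mov"}

# An optional scheme followed by a dotted hostname such as photos.zip or arstechnica.com.
# Paths and query strings are deliberately left out; the decision is made on the host.
TOKEN_RE = re.compile(
    r"\b(?P<scheme>https?://)?(?P<host>[a-z0-9-]+(?:\.[a-z0-9-]+)+)\b",
    re.IGNORECASE,
)


def _verdict(scheme, host):
    """Decide what a dotted token most likely is.

    explicit  - the author typed a scheme, so a link was clearly intended
    ambiguous - the last label is a TLD that doubles as a file extension;
                file name or domain cannot be told apart, so do not auto-link
    link      - an unambiguous hostname under a known TLD
    text      - dotted token whose last label is not a TLD (e.g. report.txt)
    """
    tld = host.lower().rsplit(".", 1)[-1]
    if scheme:
        return "explicit"
    if tld in COLLIDING_TLDS:
        return "ambiguous"
    if tld in KNOWN_TLDS:
        return "link"
    return "text"


def classify(text):
    """Return [(token, verdict), ...] for every dotted token in text."""
    return [
        (m.group(0), _verdict(m.group("scheme"), m.group("host")))
        for m in TOKEN_RE.finditer(text)
    ]


def safe_linkify(text):
    """Wrap only unambiguous or explicitly schemed names in <a> tags.

    Tokens like photos.zip or vacation.mov stay plain text, so a file name
    mentioned in conversation never silently becomes a link to a domain
    somebody else registered.
    """
    def repl(m):
        verdict = _verdict(m.group("scheme"), m.group("host"))
        if verdict in ("explicit", "link"):
            target = m.group(0) if m.group("scheme") else "https://" + m.group(0)
            return f'<a href="{target}">{m.group(0)}</a>'
        return m.group(0)

    return TOKEN_RE.sub(repl, text)


if __name__ == "__main__":
    # Constructed sample message for the demo.
    msg = "Sending the setup.zip now, see arstechnica.com or https://photos.zip for details."
    for token, verdict in classify(msg):
        print(f"{token:25} {verdict}")
    print(safe_linkify(msg))
```

The choice here is to err on the side of plain text: a human who really wants to send someone to a .zip or .mov domain can still type the scheme, while an ordinary mention of a file name is never turned into a click target.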

“Attackers can easily register domain names that others may use to casually refer to file names,” Randy Pargman, director of threat detection at security firm Proofpoint, wrote in an email. The attacker could then use conversations they didn’t even need to start (or participate in) to lure people into clicking or downloading malicious content.

Undo years of anti-phishing and anti-fraud awareness

For example, scammers who control the photos.zip domain could exploit the decades-old practice of people archiving a series of images inside a zip file and sharing it via email or social media. Where sites and apps would have rendered photos.zip as plain text before Google’s move, many now convert it into a clickable domain. A user who believes they are opening a photo archive from someone they know may instead be directed to a website created by the scammer.

“Scammers can easily set it up to deliver a zip file download every time someone visits the page and include arbitrary content, such as malware, in the zip file,” Pargman said.

Several newly created sites demonstrate what this trick looks like. Among them are setup.zip and steaminstaller.zip, which use domain names that mirror common naming conventions for installer files. Especially striking is clientdocs.zip. This site automatically downloads a bash script that looks like this:

#! /bin/bash
echo IAMHAVINGFUNONLINEIAMHAVINGFUNONLINEIAMHAVINGFUNONLINEIAMHAVINGFUNONLINEIAMHAVINGFUNONLINEIAMHAVINGFUNONLINE

It’s not hard to imagine an attacker using this technique in a less comical way.

The advantage for threat actors, Pargman writes, is that they can register a domain, configure a website to serve malicious content, and then passively wait for users to accidentally create the link for them. Such links appear more trustworthy because they sit within the context of a message or post from a trusted sender.

