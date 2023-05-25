



Two new top-level domains, .zip and .mov, are causing concern among security researchers, who say they allow the construction of malicious URLs that even tech-savvy users are likely to miss.

Google announced the domains in early May, and criticism from the security community mounted slowly as people became aware of the problem. In a widely circulated post on Medium, security researcher Bobby Rauch showed two seemingly identical URLs that both appear to download a zip file from a GitHub repository. By combining Unicode slash look-alikes, the “@” symbol and a .zip domain, the second URL appears to point to the same location but actually resolves to the .zip domain, so a malicious URL could redirect the user to the attacker’s website.

Top-level domains (TLDs) that mimic file extensions are just one component of such attacks, but the combined effect with a .zip or .mov extension is much greater overall, said Tim Helming, security evangelist at domain-related threat intelligence provider DomainTools.

“There is no question that phishing links involving these TLDs could be used to lure unsuspecting users into accidentally downloading malware,” he said. “Unlike other types of phishing URLs that aim to lure users into entering their credentials on a fake login page, a lure using a .zip or .mov domain is better suited to drive-by download attacks.”

Three weeks after Google announced the new domains, along with .dad, .phd and .foo, security researchers are pointing out the dangers of TLDs that match file extensions. On Tuesday, for example, Trend Micro became the latest security company to warn users to sharpen their ability to spot malicious links. In its advisory, the company noted that the Vidar information stealer has used fake URLs to download a “Zoom.zip” file to victims’ computers, and that the .zip domain makes such an attack more effective.

Google did not answer questions about the risk-benefit trade-offs of the new TLDs, but sent a statement to Dark Reading arguing that the issue is not new, citing other confusing domains such as 3M’s command.com.

“The risk of confusion between domain names and file names is nothing new,” the company said. “Applications have mitigations for this, such as Google Safe Browsing, and these mitigations also apply to TLDs such as .zip. It expands the opportunities.”

While some still question whether the new domains will make phishing more effective, the risk of enabling more convincing links seems to outweigh the benefits of the domains, said Erich Kron, security awareness advocate at phishing and security education firm KnowBe4:

“It’s like, ‘Why are you doing this?’ It kind of bothers me, and frankly, it’s just a bad idea, right?” he said. “Malicious actors have long used .zip and compressed files to get people to download malware, and creating top-level domains that the public will associate with [legitimate files] … we’re actually opening the door to a very simple trick here.”

No active phishing attacks so far

The domain names have already caused some mistakes, and not only on the human side. According to Johannes Ullrich, director of research at the educational institution SANS Technology Institute, some tools, such as Google’s own malware identification service VirusTotal, confuse file names with the .zip extension and URLs with the .zip TLD. Ullrich is investigating existing .zip domains to see which ones are malicious.

So far he has found scant evidence of in-the-wild activity. “This opens up new avenues for more convincing phishing attacks,” Ullrich said, adding, “But there are already many ways to craft a convincing phishing attack, so the risk will increase,” he warned.

The good news is that attackers have yet to use this technique en masse in real-world attacks, Trend Micro said in its advisory.

“As of today, Trend Micro has not yet received URLs related to these new TLDs from internal or customer cases,” the company said. “However, we will continue to monitor related URLs we encounter and block them as necessary in case of potential phishing campaigns.”

To date, the biggest “attacks” have been “rickrolling” and domain parking, Ullrich said. At least 48 domains have been registered by people who posted videos of singer Rick Astley and his song “Never Gonna Give You Up.”

Awareness and Security Best Practices Remain Top Advice

In response to domain names that resemble file extensions, Google and other browser makers have added warnings to their software: if a domain uses special Unicode characters, such as the two characters that look like a slash (/), the browser may now warn the user that the address could be confused with the canonical URL.

But much still depends on users, who need to check links carefully, and companies may be able to block new domain names until a cybersecurity provider assigns them a rating, said DomainTools’ Helming.

“While there are ways for a very savvy user to visually identify these file paths, the most effective defense will combine detection of these characters by security controls, risk scoring of newly created domains in every TLD, and updated user awareness training,” he added.
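The detection Helming describes can be implemented on the URL itself, because the trick Rauch demonstrated depends on three things a parser can see: slash look-alike characters, an “@” that turns everything before it into userinfo, and a host whose TLD collides with a file extension. The following checker is an added example, not code from the article or from any vendor it quotes; the look-alike list and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Code points that render like "/" but are not URL path separators (constructed list).
# U+FF0F is special: it NFKC-normalizes to "/", which makes urlsplit reject the netloc.
SLASH_LOOKALIKES = {"\u2215", "\u2044", "\u29f8", "\u2571", "\uff0f"}
# TLDs that collide with common file extensions; the article names .zip and .mov.
EXTENSION_TLDS = {"zip", "mov"}


def analyze_url(url: str) -> dict:
    """Return the host that would actually be contacted plus a list of risk signals."""
    signals = []
    if any(ch in url for ch in SLASH_LOOKALIKES):
        signals.append("slash_lookalike")
    try:
        parts = urlsplit(url)
    except ValueError:
        # urlsplit refuses netlocs whose NFKC form introduces '/', '@', '?', '#' or ':'
        return {"host": None, "tld": None,
                "signals": signals + ["nfkc_confusable"], "risky": True}
    if "@" in parts.netloc:
        # Everything before '@' is userinfo; what reads like a path is not the host
        signals.append("userinfo_at")
    host = parts.hostname or ""          # urlsplit already strips userinfo and port
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld in EXTENSION_TLDS:
        signals.append("extension_tld")
    return {"host": host, "tld": tld, "signals": signals, "risky": bool(signals)}


# Constructed samples modelled on the GitHub-download lure described in the article
SAFE = "https://github.com/example/repo/archive/refs/tags/v1271.zip"
LURE = ("https://github.com\u2215example\u2215repo\u2215archive"
        "\u2215refs\u2215tags\u2215@v1271.zip")

if __name__ == "__main__":
    for u in (SAFE, LURE):
        r = analyze_url(u)
        print(f"{u}\n  host={r['host']!r} tld={r['tld']!r} signals={r['signals']}")
```

The same function also separates a real download path from a bare hostname: `SAFE` resolves to `github.com` with no signals, while `LURE` resolves to `v1271.zip`, the kind of mix-up the article says even VirusTotal makes.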

Reported by Jaikumar Vijayan

