Recently Google introduced eight new Top-Level Domains (.dad, .esq, .prof, .phd, .nexus, .foo, .mov, and .zip) to the general public. Even if it is true that some of those domains have existed since 2014, they weren’t available for anyone to buy. But what seems to be the problem? TLDs are the letters that come after the dot at the end of the domain name:
- microsoft.com
- wikipedia.org
- mycompanyname.zip
File extensions, on the other hand, are the letters that come after the dot at the end of a file name:
- microsoft.docx
- wikipedia.pptx
- mycompanyname.zip
Do you see the problem? TLDs that collide with common and very popular file extensions are particularly problematic and difficult to spot, even for security experts, now give it a try to an average user and see what happens. In particular, the .zip and .mov TLDs are going to increase the likelihood of success for phishing attack vectors; some of those vectors are explored in this article; however, “The worst is yet to come”, so be prepared because you have one more thing to be careful about.
Attack Vectors
1. Linkify
Now that .zip is a valid TLD, multiple online services and platforms are going to convert text automatically that should be filenames into URLs. This is particularly problematic because messages intended to be, for example, instructions on filling and uploading a form could become a threat, even if the author’s intention wasn’t to cause harm or attack the final user. Example:
In this example, none of the users is evil; it’s a standard and not malicious communication; however, It’s pretty obvious (at least to me) that some users may get confused by the link in the filename and could end up clicking the URL.
Of course, many malicious users rush to buy new and interesting domain names (Just for the future, you know); at the time of writing, there are more than 5,000 zip domains registered; some domains are report2023[.]zip, e-mails[.]zip, payment-statement[.]zip, chromeupdatex64[.]zip, attachment[.]zip, zoom-installer[.]zip, winrar-installer[.]zip (How dare you!!) and many, many more, so you probably can notice now how “passive-phishing” is now a thing.
2. Userinfo Delimiter & Unicode Characters
Bobby Rauch published an excellent article (Read it, seriously) on how to create convincing phishing links using Unicode characters and the userinfo delimiter (@) in URLs. In summary, the article shows how you can abuse Unicode characters that are very much like the slash character and the @ to create an incredibly hard-to-spot URL for phishing. Example:
Fake: https://mycompanyname.com∕reports∕2023∕@report2023.zip
Real: https://mycompanyname.com/reports/2023/report2023.zip
Depending on which URL you click, you may download report2023.zip from mycompanyname[.]com or navigate to report2023[.]zip. This technique is not new by any means; however, it is the use of zip domains that makes the attack more credible and difficult for legitimate users to detect such scams.
3. User Error
Most phishing attacks rely on user error; you may have seen this multiple times, emails/messages coming from very suspicious domains. One simple example is “officeupdate[.]zip”, a domain registered by our good friends at vx-underground.
Of course, geeks like me are aware that officeupdate[.]zip is both a valid filename and an internet domain; however, most users are not geeks and should not be. So, now be prepared to receive emails with instructions to install, update, or download, a program by copy-paste filename[.]zip in your browser, it is easy to see how this could be a risk, and it may lead to new and interesting phishing sites, it offers new and very creative opportunities to distribute malware.
What Can I Do About It?
First, and even if it’s a never-ending task, you should educate people to understand, identify, and avoid cyber threats. I have given a lot of security awareness corporate training in almost every economic sector that you can imagine, and you would be surprised by the number of basic technology concepts unknown to the average user, now let alone security hygiene or how to take care of his online activity.
On the technological end, you can defend yourself and your organization just by blocking the entire TLD; that’s it; as simple as it sounds, you can block all the zip domains on your firewall, DNS, or whatever piece of infrastructure you have at hand. Even if the TLD is legit, as of today, you are not going to lose much; no big names are using a zip domain exclusively, and blocking them from your organization, hopefully, will help to discourage attackers; but, to be honest, this is not going to die any time soon, and at least the next coming months are going to become The PishingFest.
PD: I’m the proud owner of https://mycompanyname.zip (Just for educational purposes). Go visit it.
PD2: On May 30, 2023, Whatsapp started to Linkify zip domains automatically; good luck with that!
