Security professionals warn that Google’s new top-level domains, .zip and .mov, pose social engineering risks while providing little reason for their existence.
Google released its new TLDs in early May, which are intended to provide better representation for certain areas. However, two TLDs, .zip and .mov, pose a security risk because they are file extensions; some websites will automatically convert a string ending in “.zip” into a clickable link. Attackers can exploit this to carry out phishing schemes and distribute malware.
How it happens?Google’s New ZIP Domain
Attackers may use social engineering to persuade users to click it if a website can convert malicious[.]zip to a link. Once a user clicks on the link, their browser will try to open the https://malicious[.]zip site. The site may redirect users to a phishing page or prompt them to download malware.
Mr.d0x, a security researcher, has published the “File Archivers in the Browser”phishing toolkit that demonstrates these attacks on Github. The kit has two samples built by researchers to emulate the WinRAR file archiver software and the Windows 11 File Explorer window in the browser.
Attackers can use the toolkit or the same method to create fake WinRAR and File Explorer windows that will appear on ZIP domains to trick users into thinking they have opened a .zip file.
While a top-level domain (TLD) that mimics a file extension is only one component in the lookalike attack, the overall combination is much more effective with the .zip or .mov extension, says Tim Helming, security evangelist at DomainTools, a provider of domain-related threat intelligence.
The creation of file-extension-lookalike domain names will likely lead Google and other browser makers to adopt warnings in their software, alerting users when a domain uses special unicode characters — such as two characters that appear to be slashes (/) — and which could be confused for legitimate URLs.
Follow Us on: Twitter, Instagram, Facebook to get the latest security news!
Leave A Comment