Google’s zip and mov domains offer social engineers a new tool.

The two new top-level domain names .zip and .mov, announced by Google in early May, have caused concern among security researchers, who say that they allow for the construction of malicious URLs that could deceive even the most tech-savvy users. In a post on Medium, security researcher Bobby Rauch pointed to two seemingly identical URLs that appear to go to the same place – in this case downloading a zip file from a GitHub repository – but by using Unicode slashes, an “@” sign, and the .zip domain, a potentially malicious URL could redirect users to an attacker’s website.
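The URL trick described above can be caught mechanically before a user ever has to eyeball it: the text in front of an "@" in the authority is userinfo that browsers discard, characters such as U+2215 DIVISION SLASH are not path separators, and the real host is whatever sits after the last "@". The following triage function is an added example written for this page, not code from Rauch's post or from any named vendor; the sample URLs are constructed from reserved example domains and the set of lookalike code points is an assumption about which characters commonly render like "/".

```python
"""Flag URLs that combine the indicators the article describes: userinfo
("@") in front of the real host, Unicode characters that render like "/",
and a host whose TLD doubles as a file extension. Detection/triage logic
only, e.g. for a mail gateway or proxy-log review. Sample URLs are
constructed (reserved example domains), not observed traffic."""
import unicodedata
from urllib.parse import urlsplit

# TLDs named in the article that also read as file extensions.
FILE_EXTENSION_TLDS = {"zip", "mov"}

# Assumed set of code points that look like an ASCII solidus in many fonts
# but are not one, so a URL parser treats them as ordinary characters.
LOOKALIKE_SLASHES = {"\u2044", "\u2215", "\u29f8", "\uff0f"}


def analyze_url(url: str) -> dict:
    """Return the host that would actually be contacted plus a list of findings."""
    findings = []

    # 1. Lookalike slashes anywhere in the string. Scan before parsing,
    #    because urlsplit refuses some of these code points (see below).
    lookalikes = sorted({unicodedata.name(c) for c in url if c in LOOKALIKE_SLASHES})
    if lookalikes:
        findings.append("lookalike-slash: " + ", ".join(lookalikes))

    try:
        parts = urlsplit(url)
    except ValueError:
        # CPython rejects a netloc whose NFKC form introduces '/', '?', '#',
        # '@' or ':' (FULLWIDTH SOLIDUS, for instance). A URL the standard
        # parser will not accept is not benign; keep it flagged rather than
        # letting it fall through a rule set silently.
        findings.append("parser-rejected")
        return {"host": None, "findings": findings}

    host = (parts.hostname or "").rstrip(".")

    # 2. Userinfo: everything before the last '@' in the authority is NOT the host.
    if "@" in parts.netloc:
        displayed = parts.netloc.rsplit("@", 1)[0]
        findings.append(f"userinfo: '{displayed}' is ignored; real host is '{host}'")

    # 3. File-extension TLD on the real host.
    tld = host.rsplit(".", 1)[-1].lower() if host else ""
    if tld in FILE_EXTENSION_TLDS:
        findings.append(f"file-extension-tld: .{tld}")

    return {"host": host, "findings": findings}


def finding_kinds(url: str) -> set:
    """Finding categories only, convenient for rules and tests."""
    return {f.split(":", 1)[0] for f in analyze_url(url)["findings"]}


# Constructed samples (reserved example domains, not real URLs).
SAMPLES = {
    # A genuine archive download: the ".zip" is in the path, the TLD is .com.
    "benign": "https://github.com/example-org/example-repo/archive/refs/tags/v1.0.zip",
    # Same visual shape, but every "/" after the scheme is U+2215 and an "@"
    # turns the GitHub-looking text into discarded userinfo.
    "lookalike": ("https://github.com\u2215example-org\u2215example-repo"
                  "\u2215archive\u2215refs\u2215tags\u2215v1.0@example.zip"),
    # FULLWIDTH SOLIDUS normalises to "/", which CPython's urlsplit rejects.
    "fullwidth": "https://example.com\uff0fdownload@example.zip",
}

if __name__ == "__main__":
    for label, url in SAMPLES.items():
        result = analyze_url(url)
        print(f"[{label}] real host = {result['host']!r}")
        for finding in result["findings"]:
            print("   -", finding)
```

Any one of the three findings on its own is weak evidence (userinfo has legitimate uses, and .zip hosts are now legal), so a gateway rule would typically alert on the combination of userinfo with either a lookalike slash or a file-extension TLD, and score newly registered domains in those TLDs separately, as Helming suggests further down.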

Although top-level domains (TLDs) that mimic file extensions are one component in lookalike attacks, the overall combination is much more effective with the .zip or .mov extension, according to Tim Helming, security evangelist at DomainTools, a provider of domain-related threat intelligence. Helming said: “There’s no question that phishing links that involve these TLDs can be used to lure unsuspecting users into accidentally downloading malware. Unlike other kinds of phishing URLs that are intended to lure the user to enter credentials into a phony login page, the lures with the .zip or .mov domains are more suited to drive-by download types of attacks.”

Security researchers have been pointing out the dangers of TLDs that match file extensions since the domains were launched. This week, Trend Micro became the latest security company to urge users to learn to recognise malicious links. In one advisory, the firm pointed out that the Vidar info-stealer uses fake URLs to download a “Zoom.zip” file to the victim’s computer, and that the .zip domain will make the attack far more effective.

Google did not answer questions about the trade-offs between risk and utility for the new TLDs but did send a statement to Dark Reading, pointing to other confusing domains, such as 3M’s command.com domain, as an argument that the issue is not novel. “The risk of confusion between domain names and file names is not a new one,” the company stated. “Applications have mitigations for this, such as Google Safe Browsing, and these mitigations will hold true for TLDs such as .zip. At the same time, new namespaces provide expanded opportunities for naming such as community.zip and url.zip.”

However, Eric Kron, security awareness advocate at phishing and security education firm KnowBe4, argued that the risk of making more effective malicious links seems to outweigh any benefit of the domains. Kron said: “It’s the ‘why are we doing this?’ that kind of gets me, and frankly, it’s just a bad idea, right? Bad actors have been using .zip files and compressed files to get people to download malware for eons, and then to make a top-level domain that the general public is going to associate with [legitimate files]…we are really opening the doors to some very easy trickery here.”

While the creation of file-extension-lookalike domain names will likely lead Google and other browser makers to add warnings to their software, alerting users when a domain uses special Unicode characters that could be confused with legitimate URL syntax, such as characters that appear to be slashes (/), much will still rely on users and companies to check links carefully. DomainTools’ Helming added: “There are ways for very savvy users to spot these file paths visually, but the most effective defences are going to be a combination of efforts that include security control detections for things like those characters, risk scoring for newly created domains in any TLD, and updated user awareness training.”
