Earlier this month, Google released 8 new top-level domains – the bits at the end of a website address such as .com, .org, .ca, and so on – and cybersecurity researchers are not happy.
That’s because two of the top-level domains share their name with common file type extensions: .zip and .mov.
As the researchers indicated, criminal hackers could exploit the way web addresses are displayed on emails, web posts, and File Explorer to launch phishing attacks and malware campaigns.
The new domains, which also include .dad, .esq, .prof, .phd, .nexus, and .foo, were made available for public registration via any domain registrar on May 10, and there have already been signs that they are being used maliciously.
Why is this a problem?
The problem relates to the way software reads and understands text that appears to be a top-level domain. In many cases, any string of text with a period in it will be displayed as a hyperlink, and clicking it will direct the user to a web page.
In many cases, that link will be a dead end, because it’s not a genuine domain, but in other cases users will open a genuine webpage.
However, web addresses are not the only thing that periods are used for. They’re also used in file names, and two of the most common – at least when transferring files online – are .zip, which compresses large files into smaller packages that can then be opened, and .mov, which is a type of video file.
Because .zip and .mov are now valid top-level domains, some platforms will convert any string of text that looks like a file name ending in .zip or .mov into a clickable URL.
Cyber criminals, having spotted the potential for confusion, have started squatting on domains that could be mistaken for files.
In one example, discovered by the cyber intelligence firm Silent Push Labs, fraudsters purchased the domain ‘microsoft-office.zip’.
A confused user might find the page after attempting to download the Microsoft Office suite. If they follow the instructions on the page, they will hand their login credentials to the criminal operating the website.
Another example shows how people can inadvertently lay traps for others. Say, for instance, a family member has just come back from vacation and emails you the photos they took while they were away. The message might look like this:
Because ‘.zip’ is now a top-level domain, the plaintext is automatically formatted to display as a link.
When people see a URL in this circumstance, they might mistakenly think it can be used to download the associated file.
Although a .zip folder might arouse suspicion – it’s not normally used to send relatively small files such as attached documents or images – some experts have pointed to iCloud’s tendency to automatically compile attached documents into a .zip folder.
Those users, and others who are unaware of the intricacies of file types, won’t see anything wrong with a URL supposedly directing them to the attachment.
The problem is that the hyperlinked text is not the same as the folder. Despite the email containing a safe attachment from a genuine sender, the recipient is inadvertently directed to a website with the domain familyphotos.zip.
If a malicious actor owns that domain, they could run an auto-downloader set to install malware as soon as someone visits the page. And because the individual was expecting to receive a file, they open it, unleashing the malicious software on their system.
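The mechanism described above – a file name in plain text that an autolinker now treats as a hostname because its extension has become a top-level domain – is easy to reproduce. The following is an added example, not code from the article or from any mail client; the autolinker is a deliberately simplified stand-in for the behaviour of email and chat platforms, the sample email is constructed, and the function and constant names are hypothetical. The second function is the defender-side check: a mail gateway or link-rewriting filter could use it to flag file-name-like tokens that will be rendered as links.

```python
import re

# TLDs whose names collide with common file extensions. The article names
# .zip and .mov; the set is ours and can be extended.
FILE_EXTENSION_TLDS = {"zip", "mov"}

# Hypothetical TLD lists: what an autolinker knew before the new TLDs,
# and what it knows after .zip and .mov were added.
LEGACY_TLDS = {"com", "org", "net"}
CURRENT_TLDS = LEGACY_TLDS | FILE_EXTENSION_TLDS

# A bare token of dotted labels ending in a letters-only final label.
# The lookarounds stop us matching inside a longer word or URL.
TOKEN_RE = re.compile(
    r"(?<![\w.-])([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.([A-Za-z]{2,}))(?![\w-])"
)

# Constructed sample email body, mirroring the family-photos scenario.
SAMPLE_EMAIL = (
    "Hi! Attached are the photos from our trip in familyphotos.zip. "
    "The clip of the beach is in beach.mov and the itinerary is trip.pdf."
)


def autolink(text, tlds):
    """Simplified autolinker: wrap any bare token whose last label is a known
    TLD in an <a> tag, the way many mail and chat clients do."""
    def repl(match):
        host, tld = match.group(1), match.group(2).lower()
        if tld in tlds:
            return f'<a href="https://{host}">{host}</a>'
        return match.group(0)
    return TOKEN_RE.sub(repl, text)


def find_extension_collisions(text, tlds=FILE_EXTENSION_TLDS):
    """Return the file-name-looking tokens in text that an autolinker
    would now turn into links because their extension is also a TLD."""
    return [m.group(1) for m in TOKEN_RE.finditer(text)
            if m.group(2).lower() in tlds]


if __name__ == "__main__":
    print("Before .zip/.mov existed:", autolink(SAMPLE_EMAIL, LEGACY_TLDS))
    print("Now:", autolink(SAMPLE_EMAIL, CURRENT_TLDS))
    print("Tokens to flag:", find_extension_collisions(SAMPLE_EMAIL))
```

With the legacy TLD list the email body is returned untouched; with .zip and .mov in the list, familyphotos.zip and beach.mov become links to hosts the sender never intended, while trip.pdf stays plain text because .pdf is not a TLD. A mail filter that runs `find_extension_collisions` on message bodies can warn the recipient, or strip the link, before anyone clicks.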
How concerned should you be?
Although many experts have condemned Google for its carelessness in creating a new threat vector, it’s unclear how much of a threat this will pose.
It’s unlikely that cyber criminals will register thousands of domains to try to catch specific instances of people clicking a certain .zip or .mov domain name. However, it only takes one mistake for someone to install malware and for the entire network to be compromised.
Cyber criminals might also find more effective ways to leverage this threat rather than simply squatting on domains and hoping that people find their way on to the site.
For the time being, users can use the same techniques to stay safe as they would do with standard phishing scams. That means avoiding links or downloads from unknown senders, and checking that senders’ email addresses are genuine.
You can find more advice with IT Governance USA’s Phishing Staff Awareness E-Learning Course.
This online course explains everything you need to know about scams, from phony text messages and emails to telephone con artists.
Your staff will learn about specific cons, the consequences of a successful attack, and how to identify a bogus message before it’s too late.