.zip and .mov domains, a new danger for phishing cyberattacks

by Àlex Tello on Aug 24, 2023 1:49:17 PM


Google has caused quite a stir with the launch of the new top-level domains (TLDs) .zip and .mov. After the introduction of this novelty, a wide debate has arisen about the potential dangers that could accompany these extensions.


In an increasingly digital world, it is crucial to understand how cybercriminals can exploit these new domains to build highly convincing phishing attacks that completely deceive the user. In this article we explore the risks associated with .zip and .mov domains, focusing on phishing, which remains the most common attack and the primary way malware enters a company. We analyze how attackers can manipulate the appearance of a URL to deceive the non-technical employees of a company.

Why launch cyberattacks through a domain?

Because domains are the Internet's equivalent of car license plates: unique, human-readable addresses that identify a specific website. Just as a license plate identifies a car, a domain is the easy way to find and remember a particular page, and each one has its own combination of letters and/or numbers that gives it a unique identity in the digital world. The issue is reach: just as the sheer number of email users guarantees that some of them will fall for a phishing message, everyone who browses the Internet relies on domain names, so a deceptive domain has an enormous pool of potential victims and a correspondingly high chance of compromising a computer system.

These domain extensions were added on May 10, 2023, a day that raised alarms for cybersecurity experts, especially concerning two specific extensions: .zip and .mov.

At first glance, .zip and .mov are simply file extensions that we are used to seeing every day, and that familiarity is exactly what makes them dangerous: a filename such as "report.zip" written in an email or chat message now looks like a web address, and many email clients and messaging apps will automatically turn it into a clickable link to a site that anyone could have registered. Cybercriminals build their attacks on deception and on manipulating users' trust in order to steal sensitive information such as passwords, banking data and other personal information.

For this reason, the new .zip and .mov domains have raised concern in the cybersecurity community due to the opportunities they provide attackers to carry out highly convincing phishing campaigns. These domains add to the arsenal that cybercriminals can use to deceive unsuspecting users and steal their confidential information.

What concerns us as cybersecurity specialists?

What concerns us is that users can be deceived by phishing links that abuse the syntax of the URL itself rather than any flaw in a website. In a URL, everything between "https://" and the "@" symbol is the optional userinfo part (a username and, optionally, a password), and the real hostname is whatever follows the "@". Because almost any text is accepted there, an attacker can place something that looks like a trusted domain and path in front of the "@" and put the domain they actually control after it, producing a link that reads as legitimate but resolves to their server.

EXAMPLE:

  • Legitimate: https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip
  • Deceptive: https://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1.27.1.zip

The two links are almost impossible to tell apart by eye, which puts the security of users at risk.

The first URL is a legitimate download link for a Kubernetes release archive. In the second, the apparent path separators are not ASCII slashes at all but the look-alike character U+2215 (DIVISION SLASH), so a URL parser never sees a path: everything up to the "@" is treated as userinfo, and the real hostname is v1.27.1.zip, whose registrable domain is 1.zip. Modern browsers simply navigate to the host that follows the "@" and treat the text before it, at most, as login credentials, so the user lands on whatever site the owner of 1.zip has set up. In other words, the second URL could be a phishing attack from anyone who purchased the domain 1.zip.
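The following script is an added example, not code from the original article or from ESED: it shows how a standard URL parser actually reads the two links above and flags the ones where the host a reader sees differs from the host a browser would connect to. The set of look-alike slash characters and the finding names are assumptions made for this example; the only character the article itself demonstrates is U+2215.

```python
"""Detect URLs that hide the real host behind '@' and look-alike slashes."""
from urllib.parse import urlsplit

# Code points that render like "/" but are not U+002F, so a URL parser does
# not treat them as path separators. U+2215 is the one used in the example
# above; the others are assumed additions for this demonstration.
LOOKALIKE_SLASHES = {"\u2215", "\u2044", "\u29f8", "\uff0f"}

# TLDs that double as common file extensions and deserve extra scrutiny.
FILE_EXTENSION_TLDS = {"zip", "mov"}

# Anything a casual reader would take as "the end of the host name".
HOST_TERMINATORS = set("/?#@:") | LOOKALIKE_SLASHES


def apparent_host(url: str) -> str:
    """The host a human reads: text right after '://' up to the first
    character that looks like a separator, real or look-alike."""
    _, sep, rest = url.partition("://")
    if not sep:
        return ""
    chars = []
    for ch in rest:
        if ch in HOST_TERMINATORS:
            break
        chars.append(ch)
    return "".join(chars).lower()


def analyze_url(url: str) -> dict:
    """Compare the host a browser would use with the host a reader sees and
    return the findings that explain any mismatch."""
    findings = []
    seen = apparent_host(url)
    try:
        parts = urlsplit(url)
    except ValueError:
        # urlsplit rejects non-ASCII netlocs whose NFKC form contains
        # '/', '@' or ':' (e.g. U+FF0F FULLWIDTH SOLIDUS); that is itself
        # a strong signal of tampering.
        return {"apparent_host": seen, "host": None, "username": None,
                "findings": ["rejected_by_parser"]}

    host = (parts.hostname or "").lower()
    if any(ch in LOOKALIKE_SLASHES for ch in url):
        findings.append("lookalike_slash")
    if parts.username is not None:  # an '@' split the netloc into userinfo + host
        findings.append("userinfo_before_at")
    tld = host.rsplit(".", 1)[-1] if host else ""
    if tld in FILE_EXTENSION_TLDS:
        findings.append("tld_" + tld)
    if seen and host and seen != host:
        findings.append("host_mismatch")
    return {"apparent_host": seen, "host": host,
            "username": parts.username, "findings": findings}


def is_deceptive(url: str) -> bool:
    """True when the visible host is not the host the browser would contact."""
    found = set(analyze_url(url)["findings"])
    return "host_mismatch" in found or "rejected_by_parser" in found


if __name__ == "__main__":
    # Constructed samples: the two links from the article (the second written
    # with explicit U+2215 escapes) plus a plain .zip site for comparison.
    samples = [
        "https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip",
        "https://github.com\u2215kubernetes\u2215kubernetes\u2215archive"
        "\u2215refs\u2215tags\u2215@v1.27.1.zip",
        "https://report.zip/",
    ]
    for url in samples:
        result = analyze_url(url)
        print(f"{'DECEPTIVE' if is_deceptive(url) else 'ok       '} "
              f"seen={result['apparent_host']!r} real={result['host']!r} "
              f"findings={result['findings']}")
```

Run it as a script to see the three verdicts; in a mail gateway or link-rewriting proxy you would call `is_deceptive()` on every extracted URL and quarantine or rewrite the matches. Note that a bare `.zip` site is reported with the `tld_zip` finding but is not by itself deceptive: the real signal is the mismatch between what the reader sees and where the browser goes.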

It is essential to be aware of these tricks and to be cautious when interacting with URLs, so as not to fall into phishing traps and to protect our personal and confidential information. Cybersecurity education and the use of phishing detection tools are key to staying protected in an increasingly complex digital environment.

At ESED, we work with antiphishing solutions that help detect such threats and filter out emails before they reach the user's inbox. For more information, feel free to contact us.