
How Google’s .zip domains help phishers

Shortly after Google’s announcement of new top-level domains, SANS found a spike in .zip destinations.
Article cover: Francis Scialabba


Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Some of the top-level domains Google announced in May carry serious security .implications.

Top-level domains (TLDs) like .zip or .mov offer extra bait for phishers, who can disguise a link to their newly bought domain as an ordinary file name.

“The problem is that it sort of confuses what’s a local file and what’s a remote website. So, the distinction between remote and local gets kind of murky here, as far as the user is concerned,” said Johannes Ullrich, dean of research at the SANS Institute.

Shortly after Google’s May 3 domain divulgence, SANS found a spike in new .zip domains, including just under 2,500 on May 14. (It’s unclear how many domain buyers have attacks in mind vs. penetration tests.)

Some recent purchases: chrome-installer.zip, amazon-receipt.zip, and adobephotoshop.zip.

With just these three domains, a phisher could pretend to have an Amazon invoice, which then sends the end-user to a lookalike site that nabs credentials. Or maybe a threat actor could impersonate an IT pro and entice employees to get a false browser update.

A threat actor could use a .zip domain—often automatically hyperlinked and easily clickable in platforms—to mask a malicious file or site. (See a clever demo of URL murkiness here.)

In the early May announcement, Google launched top-level domain adds, including .dad and .foo, to broaden naming choices. (Not so for .mom, apparently.)

“There is no active, good use of these domains. So, you may as well just block .zip and .mov,” Ullrich told IT Brew.
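The two practical points above, that a bare token such as amazon-receipt.zip gets auto-linked and the only safe answer today is to treat the .zip and .mov TLDs as blocked, can be turned into a simple mail- or chat-side filter. The following is an added example written for this article, not code from SANS, Google, or IT Brew: it scans message text for anything a platform would typically hyperlink, resolves the host a browser would actually connect to (using the standard-library URL parser, so anything before an `@` in the authority is treated as credentials, not as the host), and flags hosts whose TLD is .zip or .mov. The sample messages are constructed, and the domain names in them are the ones quoted in the article.

```python
import re
from urllib.parse import urlsplit

# TLDs the article recommends blocking outright.
RISKY_TLDS = {"zip", "mov"}

# Tokens a mail client or chat platform would usually auto-link:
# either an explicit http(s) URL, or a bare host-looking run of labels
# ending in .zip/.mov (which is exactly what a file name looks like).
# The negative lookbehind stops a path segment like ".../backup.zip"
# inside a larger URL from being treated as its own host.
CANDIDATE = re.compile(
    r"(?i)(?<![\w./-])(?:https?://[^\s<>\"']+|(?:[a-z0-9-]+\.)+(?:zip|mov)\b[^\s<>\"']*)"
)


def effective_host(token):
    """Return (host, has_userinfo) for the host a browser would connect to.

    A bare token is given a scheme so that the URL parser applies the same
    authority rules a browser does: user:pass@ before the host is userinfo.
    """
    url = token if "://" in token else "http://" + token
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    return host, "@" in parts.netloc


def scan_messages(messages):
    """Return a list of findings for every .zip/.mov host found in messages."""
    findings = []
    for idx, text in enumerate(messages):
        for match in CANDIDATE.finditer(text):
            token = match.group(0).rstrip(".,;:)")
            host, has_userinfo = effective_host(token)
            tld = host.rsplit(".", 1)[-1] if "." in host else ""
            if tld in RISKY_TLDS:
                findings.append({
                    "message": idx,
                    "token": token,          # what the user saw
                    "host": host,            # where the click would go
                    "tld": tld,
                    "userinfo": has_userinfo,  # credentials in the URL: extra red flag
                    "action": "block",
                })
    return findings


# Constructed sample messages (not from the article).
SAMPLES = [
    "Your invoice is attached: amazon-receipt.zip",
    "Grab the update at https://chrome-installer.zip/setup",
    "Archive hosted at https://files.example.com/backup.zip",
    "Plain text with no links at all.",
]

if __name__ == "__main__":
    for finding in scan_messages(SAMPLES):
        print(finding)
```

The third sample is the case that matters for tuning: backup.zip there is a file on files.example.com, so the host's TLD is .com and nothing is flagged, whereas the first two samples are real .zip hosts dressed up as a receipt and an installer. Wiring `scan_messages` into a mail gateway or chat bot is left to the deployment; the decision rule stays the same as Ullrich's advice, block on the TLD.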

Google’s security comms manager Kimberly Samra sent a company statement via email: “The risk of confusion between domain names and file names is not a new one. For example, 3M’s Command products use the domain name command.com, which is also an important program on MS DOS and early versions of Windows…Google takes phishing and malware seriously and Google Registry has existing mechanisms to suspend or remove malicious domains across all of our TLDs, including .zip. We will continue to monitor the usage of .zip and other TLDs and if new threats emerge will take appropriate action to protect users.”
