Google’s ZIP domain names are raising security concerns
On May 3rd, Google launched registration for eight new Top-Level Domains (TLDs), allowing domains such as Dear.dad, Rafael.phd or Gamers.nexus. However, two of them, .zip and .mov, are raising security concerns because they are also popular file extensions. There is a general rule that TLDs should be kept separate from common file extensions in order to avoid user confusion. More importantly, such collisions also pose a security risk, as they can be abused for phishing attacks.
Are you opening a file or a link?
This means that generic file names such as photos.zip, documents.zip or meeting-recording.mov can now be registered as domains, making it difficult for users to tell whether they are opening a file or a web link. Such naming collisions have happened before, most notably with the COM file format in the disk operating system (DOS), and the similarity with .com domains was also abused by threat actors, although at that time internet access was very limited and the file type was later discontinued.
To abuse the naming similarity, attackers have a variety of options. In a common phishing scenario, an e-mail could mention a file for download, for example “documents.zip”. The link, however, would not point to a file (which, if malicious, would be scanned by antivirus upon download) but to a fake login page claiming you need to log in to access the file on a shared drive. While this is not a new technique, the naming similarity might induce more trust.
Confusion leading to potential abuse
It is not just simple phishing; the confusion affects both humans and systems. Text editors and e-mail clients interpret domain names (e.g., whalebone.io) as clickable links. Now that .zip and .mov have also become valid TLDs, file names mentioned in documents or e-mails can unintentionally turn into clickable links.
If someone with malicious intent registers a domain matching a specific file name, such a link would take readers to a website where the attacker might set up credential phishing, a drive-by download of a malicious file with the same name, or an attempt to exploit a vulnerability. The usual security awareness could be diminished in such a scenario, as users might think they are opening their own local, known file.
Domain names are also interpreted by the Windows Explorer address bar. When you type a file name and the file exists on the disk, it opens as usual. However, if it does not exist, Windows Explorer tries to look the name up on the network, and with these TLDs, typing e.g. "documents.zip" could now unintentionally land you on a website instead of the expected file.
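The auto-linking behaviour described above can be reproduced with a small linkifier heuristic. The example below is added here and is not code from the original post or from Whalebone: it mimics how a mail client picks out bare hostnames whose last label is a known TLD, flags the ones that read like file names now that .zip and .mov are TLDs, and rewrites them so they are no longer rendered as links. The TLD subset, the sample e-mail body and the defanging style are constructed assumptions for the example.

```python
import re

# Constructed subset of TLDs a mail client might auto-link (not an authoritative list).
KNOWN_TLDS = {"com", "io", "net", "org", "zip", "mov"}

# TLDs that collide with common file extensions; the post discusses these two.
FILE_EXTENSION_TLDS = {"zip", "mov"}

# Bare hostname: one or more DNS labels followed by an alphabetic last label.
HOST_RE = re.compile(
    r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+([a-z]{2,})\b",
    re.IGNORECASE,
)


def find_candidate_links(text):
    """Mimic a linkifier: every hostname-like token whose last label is a known TLD."""
    return [m.group(0) for m in HOST_RE.finditer(text)
            if m.group(1).lower() in KNOWN_TLDS]


def flag_file_like_links(text):
    """Tokens that would be linkified but read like a file name (.zip / .mov)."""
    return [h for h in find_candidate_links(text)
            if h.rsplit(".", 1)[1].lower() in FILE_EXTENSION_TLDS]


def defang(text):
    """Rewrite file-like tokens as 'name[.]zip' so a client will not render them as links.
    Hostnames with other TLDs (and non-TLD extensions such as .exe) are left untouched."""
    def repl(m):
        tld = m.group(1).lower()
        if tld in FILE_EXTENSION_TLDS:
            token = m.group(0)
            return token[:-len(tld) - 1] + "[.]" + token[-len(tld):]
        return m.group(0)
    return HOST_RE.sub(repl, text)


# Constructed e-mail body used as sample input.
SAMPLE_EMAIL = (
    "Hi, the files are attached as documents.zip and the call is in meeting-recording.mov. "
    "Reports are on whalebone.io; the installer is setup.exe."
)

if __name__ == "__main__":
    print("would be linkified:", find_candidate_links(SAMPLE_EMAIL))
    print("file-like links:  ", flag_file_like_links(SAMPLE_EMAIL))
    print(defang(SAMPLE_EMAIL))
```

Note that setup.exe is never linkified because .exe is not a TLD, while documents.zip is, which is exactly the asymmetry the post describes; after defanging, only whalebone.io survives as a link candidate.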
Malicious cases already on the rise
Over the past week, we have been seeing a slow influx of .zip and .mov domains in the traffic. Currently, most such domains are being registered by security researchers, some for fun, some to spread awareness and to seize the most obvious names before attackers do. But malicious cases, for example impersonating Microsoft Office with a .zip TLD, are already emerging, and we expect that such attacks could rise in both frequency and sophistication in the upcoming months.
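Spotting this influx in your own resolver traffic is a matter of grouping queries by TLD. The following example is added here and is not code from the original post or from Whalebone's product: it parses a constructed DNS query log, keeps only lookups of .zip and .mov names, and summarises each registrable domain by query count, distinct clients and first-seen time so an analyst can review the new names as they appear. The log format, the sample names and the assumption that these TLDs have no second-level public suffixes are all constructed for the example.

```python
import re
from collections import defaultdict

FILE_EXTENSION_TLDS = {"zip", "mov"}

# Constructed resolver query log: timestamp, client IP, record type, queried name.
# All names and addresses are made up for this example.
SAMPLE_DNS_LOG = """\
2023-05-15T09:12:03Z 10.0.0.21 A documents.zip
2023-05-15T09:12:05Z 10.0.0.21 AAAA www.documents.zip
2023-05-15T09:15:44Z 10.0.0.33 A office-installer.zip
2023-05-15T09:20:10Z 10.0.0.21 A whalebone.io
2023-05-15T09:22:51Z 10.0.0.40 A meeting-recording.mov
2023-05-15T09:30:00Z 10.0.0.33 A documents.zip
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_dns_log(text):
    """Parse the constructed log format into records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qtype, qname = m.groups()
        records.append({"ts": ts, "client": client, "qtype": qtype,
                        "qname": qname.lower().rstrip(".")})
    return records


def tld_of(qname):
    return qname.rsplit(".", 1)[-1]


def registrable_name(qname):
    """Last two labels (assumes .zip/.mov have no second-level public suffixes)."""
    return ".".join(qname.split(".")[-2:])


def triage_file_extension_tlds(text):
    """Summarise every query for a .zip/.mov name by registrable domain."""
    summary = defaultdict(lambda: {"queries": 0, "clients": set(), "first_seen": None})
    for rec in parse_dns_log(text):
        if tld_of(rec["qname"]) not in FILE_EXTENSION_TLDS:
            continue
        entry = summary[registrable_name(rec["qname"])]
        entry["queries"] += 1
        entry["clients"].add(rec["client"])
        # ISO-8601 timestamps in UTC compare correctly as strings.
        if entry["first_seen"] is None or rec["ts"] < entry["first_seen"]:
            entry["first_seen"] = rec["ts"]
    return dict(summary)


def report(summary):
    """One line per domain, busiest first, for an analyst's review queue."""
    ordered = sorted(summary.items(), key=lambda kv: (-kv[1]["queries"], kv[0]))
    return [f"{domain}: {e['queries']} queries from {len(e['clients'])} clients, "
            f"first seen {e['first_seen']}" for domain, e in ordered]


if __name__ == "__main__":
    for line in report(triage_file_extension_tlds(SAMPLE_DNS_LOG)):
        print(line)
```

Grouping by registrable name folds www.documents.zip into documents.zip, so a single newly registered name shows up as one entry regardless of how many hostnames under it are queried; the first-seen timestamp is what lets you tell a fresh registration from a name that has been in the traffic for a while.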
It is unclear why Google decided to allow these domain names, as there is very limited legitimate use for them. But they give attackers a few new ways to trick people.
Stay on top of current threats and do not give attackers a chance with Whalebone's protective DNS!