The Dangers of Google’s .zip TLD
-
Can you quickly tell which of the URLs below is legitimate and which one is a malicious phish that drops evil.exe?
https ://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1271.zip
https ://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip
This week, Google launched a new TLD or “Top Level Domain” of .zip, meaning you can now purchase a .zip domain, similar to a .com or .org domain for only a few dollars. The security community immediately raised flags about the potential dangers of this TLD. In this short write-up, we’ll cover how an attacker can leverage this TLD, in combination with the @ operator and unicode character ∕ (U+2215) to create an extremely convincing phish.
Full article https://medium.com/@bobbyrsec/the-dangers-of-googles-zip-tld-5e1e675e59a5
Google improving the network
-
@Catweazle I just read the same article
https://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@badidea.zip
It could of course be argued that zip is just one of many file extensions, it just happens to be the most used compression format, and the only one that can be natively opened by Windows. There's plenty of other compression formats, like gz, rar, 7z and so on. But of course nowhere as popular as zip.
There's also nothing stopping someone from crafting a url like this, even without abusing the zip TLD:
https://downloads.vivaldi.com∕stable∕[email protected]/eicar.com
Do you think your average browser user will be able to tell where it actually points?
Let's see how long it takes before some muppet at Google or elsewhere manages to push a .exe TLD through at IANA
-
@Pathduck, logically, there is always a risk of clicking on unknown URLs, especially when they are links from some URL shortener.
But this does not mean that you have to make life easier for the bastards in the network. In any case, here are links that should not be missing from your bookmarks, to avoid disappointment.
https://www.urlvoid.com
https://www.virustotal.com/gui/home/upload
https://webbkoll.dataskydd.net/en
https://themarkup.org/blacklight
Also useful for peace of mind
https://downforeveryoneorjustme.com
Maybe interesting for our Chinese friends
https://www.comparitech.com/privacy-security-tools/blockedinchina/
-
The solution is to simply treat all .zip websites as phishing sites, and block them. In other words: Browsers and security systems should refuse to load such sites.
-
@Eggcorn said in The Dangers of Google’s .zip TLD:
The solution is to simply treat all .zip websites as phishing sites, and block them.
You can do this with an ad filter that just contains the line .zip, which should work with uBlock Origin, Vivaldi's ad blocker, or any other filtering extension.
Much safer.
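The two ideas above (the deceptive URL from the opening post, where everything before the @ is userinfo and the ∕ characters are not real path separators, and LonM's suggestion of simply blocking .zip hosts) can be turned into a small link-scanner check. The following Python is an added example written for this page; it is not code from the thread or from the linked Medium article. It splits the authority the way RFC 3986 defines it (host is whatever follows the last @), lists any slash look-alike characters, and applies a host-TLD deny list. The sample URLs are the ones quoted in the thread; the look-alike set and the helper names are my own choices.

```python
"""Classify a URL the way a defender's link scanner would for the
'@ userinfo + look-alike slash + .zip host' pattern discussed here.
Added example, not code from the thread or the article it links to.
"""
import unicodedata

# URLs quoted in the thread (space after 'https' removed so they parse).
PHISH_URL = "https://github.com\u2215kubernetes\u2215kubernetes\u2215archive\u2215refs\u2215tags\u2215@v1271.zip"
LEGIT_URL = "https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip"
FORUM_URL = "https://github.com\u2215kubernetes\u2215kubernetes\u2215archive\u2215refs\u2215tags\u2215@badidea.zip"

# Characters that render like '/' but are not the ASCII solidus, so a browser
# treats them as ordinary userinfo text instead of path separators.
# (My own list: DIVISION SLASH, FRACTION SLASH, FULLWIDTH SOLIDUS, BIG SOLIDUS.)
SLASH_LOOKALIKES = {"\u2215", "\u2044", "\uff0f", "\u29f8"}

# TLDs that double as file extensions; .zip is the thread's subject,
# .mov was delegated alongside it.
RISKY_TLDS = {"zip", "mov"}


def split_authority(url):
    """Return (userinfo or None, host) per RFC 3986.

    The authority runs from '://' to the first ASCII '/', '?' or '#';
    everything before the last '@' inside it is userinfo, not the host.
    """
    _, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("URL has no scheme")
    authority = rest
    for delim in "/?#":
        authority = authority.split(delim, 1)[0]
    userinfo, at, hostport = authority.rpartition("@")
    host = hostport.split(":", 1)[0].lower()  # drop any port (IPv6 ignored)
    return (userinfo if at else None), host


def lookalike_slashes(text):
    """Set of non-ASCII characters in text that look like '/'."""
    found = set()
    for ch in text:
        if ch in SLASH_LOOKALIKES:
            found.add(ch)
        elif not ch.isascii() and unicodedata.normalize("NFKC", ch) == "/":
            found.add(ch)  # compatibility forms that fold to a real slash
    return found


def inspect_url(url):
    """Return the real host plus the reasons, if any, the URL looks deceptive."""
    userinfo, host = split_authority(url)
    tld = host.rsplit(".", 1)[-1]
    reasons = []
    if userinfo is not None:
        reasons.append(f"userinfo before '@' ({userinfo!r}) is not the host")
    lookalikes = lookalike_slashes(url)
    if lookalikes:
        codes = ", ".join(f"U+{ord(c):04X}" for c in sorted(lookalikes))
        reasons.append(f"slash look-alike characters: {codes}")
    if tld in RISKY_TLDS:
        reasons.append(f"host TLD .{tld} is also a file extension")
    return {"host": host, "tld": tld, "reasons": reasons,
            "suspicious": bool(reasons)}


def filter_blocks_host(host, blocked_tlds=frozenset({"zip"})):
    """Host-TLD deny list in the spirit of the '.zip' filter line above,
    applied to the host only, so a file called foo.zip served from a
    .com host is not caught by it."""
    return host.rsplit(".", 1)[-1].lower() in blocked_tlds


if __name__ == "__main__":
    for u in (PHISH_URL, LEGIT_URL, FORUM_URL):
        r = inspect_url(u)
        print(f"{u}\n  host={r['host']} suspicious={r['suspicious']} "
              f"blocked={filter_blocks_host(r['host'])}")
        for reason in r["reasons"]:
            print("  -", reason)
```

Checking the host's TLD rather than matching ".zip" anywhere in the URL is the difference between this and a plain ".zip" filter line: the legitimate GitHub archive URL ends in .zip but its host is github.com, so it passes, while both deceptive URLs resolve to a .zip host and are flagged on three counts.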
-
@LonM, at least when you don't want to download a zip archive
-
@Catweazle I tried it with the real .zip URL in the first post, it seemed to work fine.
-
-
Said:
...at least when you don't want to download a zip archive.
There was no problem with this zip on Github:
-
@barbudo2005, anyway, Trace is even more hysterical about suspicious pages than uBO.
-
@Catweazle
With this site, I get an error message when I try to scan any address with it. I got the same result with Pale Moon, which has a different rendering engine.
https://webbkoll.dataskydd.net/en
An error occurred
Forbidden
There is not much content on the VirusTotal page, and certainly no textbox to insert an address.
-
@Catweazle said in The Dangers of Google’s .zip TLD:
a malicious phish that drops evil.exe
penguins across the rock just go "meh", & smile. some of the meaner ones might also indulge in a wee little eyeroll.
yet again goggle demonstrates their peerless concern for users' wellbeing above all other priorities, a policy which only further endears them...
this news comes on the same day they also announced that their egregious topics malarkey [aka, floc2] deploys in earnest in 2024, which hence denotes the beginning of the end for 3p cookies. frying pan, fire.
-
@ybjrepnfr, shows Google's efforts to "improve the user experience" (the one they have with users, of course)
-
-
-
This is the IANA Root Zone Database, which lists all of the current TLDs.
-
You guys do know that .com is also a legitimate file extension, and we've had that as a TLD forever. Though modern browsers would warn if you downloaded a file ending in .com as it is executable while .zip is not.
-
Helpful new video from ThioJoe
https://dev.viewtube.io/watch?v=GCVJsz7EODA