At the start of the month, Google announced several top-level domains for “dads, grads and techies”. Among the new techie domains were .zip and .mov, which also happen to be very popular file extensions. Now, the security researcher Bobby Rauch is sounding the alarm over these TLDs, warning that they could be used for phishing.
In his blog post on Medium, Rauch shares two URLs and asks readers whether they can tell which one is legitimate and which one is malicious and would send them off to malware. Both links are reproduced below. Neither will actually take you anywhere harmful, so see if you can tell which one points to a zip file and which one points to a .zip domain.
- https://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1271.zip
- https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip
Hovering over the first link brings up the status bar at the bottom of your browser, which shows that the link actually goes to https://v1271.zip, so that is the malicious one. The slashes in it are not real slashes but the Unicode division slash (U+2215), so the browser never sees a path: everything up to the @ is treated as a username, and the host is whatever follows the @, in this case v1271.zip. Unfortunately, many people won't know to check, may be on a mobile device with no status bar to hover over, or may be rushed by the attacker so that no due diligence is done.
According to Silent Push Labs (via Bleeping Computer), .zip and .mov domains are already being used in the wild to steal, among other things, Microsoft Account credentials.
In his blog post, Rauch tells readers to be on the lookout for domains using lookalike forward slashes, U+2044 (⁄, fraction slash) and U+2215 (∕, division slash), and for an @ sign followed by a .zip domain, since a browser treats everything before the @ as login information and only what comes after it as the host. He also recommends not downloading files from URLs sent by unknown contacts and hovering over a URL before clicking it to see where it really leads.
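To see what a browser actually does with such a link, here is an added example (not code from Rauch's post or from Bleeping Computer) that runs both links above through the WHATWG URL parser, which Node.js exposes as the global `URL` class and browsers use for navigation, and flags the tricks Rauch describes. The function names, the `apparentHost` heuristic and the extra lookalike character U+FF0F are additions here, not something the post or the article specifies.

```javascript
// Added example, not code from Rauch's post or the article: resolve a link the
// way a browser does (WHATWG URL parser, built into Node.js as `URL`) and flag
// the tricks described above.

// The two links from the post. The first uses U+2215 (division slash), written
// here as escapes so the lookalike characters survive copy and paste.
const MALICIOUS_LINK =
  "https://github.com\u2215kubernetes\u2215kubernetes\u2215archive\u2215refs\u2215tags\u2215@v1271.zip";
const LEGIT_LINK =
  "https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip";

// Characters that look like "/" but are not path separators to the parser.
// U+2044 and U+2215 are the two Rauch names; U+FF0F (fullwidth solidus) is an
// addition here, on the same principle.
const LOOKALIKE_SLASHES = ["\u2044", "\u2215", "\uFF0F"];

// TLDs that double as file extensions (the two the article discusses).
const FILE_EXTENSION_TLDS = [".zip", ".mov"];

// What a reader takes to be the domain: the text after "://" up to the first
// real or lookalike slash. The parser's own verdict is `url.hostname`.
function apparentHost(href) {
  const i = href.indexOf("://");
  if (i === -1) return "";
  const rest = href.slice(i + 3);
  let end = rest.length;
  for (const stop of ["/", "?", "#", ...LOOKALIKE_SLASHES]) {
    const j = rest.indexOf(stop);
    if (j !== -1 && j < end) end = j;
  }
  return rest.slice(0, end);
}

// True if the text a reader sees as the host parses to the same hostname the
// browser will actually connect to (tolerates case and IDN differences).
function sameHost(seen, hostname) {
  try {
    return new URL("https://" + seen).hostname === hostname;
  } catch {
    return false;
  }
}

// Parse a link and report the real destination plus any warning flags.
function inspectLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return { hostname: "", apparentHost: apparentHost(href), flags: ["unparseable"] };
  }
  const flags = [];
  if (LOOKALIKE_SLASHES.some((c) => href.includes(c))) flags.push("lookalike-slash");
  // Everything before an "@" in the authority is userinfo, not the host.
  if (url.username !== "" || url.password !== "") flags.push("userinfo-before-host");
  if (FILE_EXTENSION_TLDS.some((tld) => url.hostname.endsWith(tld))) flags.push("file-extension-tld");
  const seen = apparentHost(href);
  if (seen !== "" && !sameHost(seen, url.hostname)) flags.push("host-differs-from-appearance");
  return { hostname: url.hostname, apparentHost: seen, flags };
}

for (const link of [MALICIOUS_LINK, LEGIT_LINK]) {
  const r = inspectLink(link);
  console.log(`${link}\n  looks like: ${r.apparentHost}\n  really goes to: ${r.hostname}\n  flags: ${r.flags.join(", ") || "none"}\n`);
}
```

For the first link the parser reports a hostname of v1271.zip with all four flags raised, while the apparent host a reader sees is github.com; the second link resolves to github.com with no flags. The same `URL` class is available in browser JavaScript, so the check can run client side on a link before it is followed.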
Source: Bobby Rauch via Bleeping Computer