Tuesday, 30 May 2023 10:46

Google’s New Zip Domains Can be Easily Abused for Phishing and Malware Payloads

Written by

Reading time is around minutes.

This one will get filed in the “you knew it was going to happen” file. After the announcement of a few new top-level domains (TLDs) including .zip and .mov by Google the security world silently shook its head. The concept of using file extensions as TLDs is one that defies logic. As soon as I read about these new domains, I knew someone was going to create phishing or malware attacks with URLs that look like common file names. These attacks can leverage modern web design to make a target think they are using an application to run or open the file when they are really executing commands in the background to compromise their systems. Lo and behold! We now have file archiver in the browser as shown off by mr.d0x.

The technique is shockingly simple. You send someone a link with a .zip TLD, this link opens what looks like a file archive software (WinRar, 7Zip, etc.). The page could be used to harvest credentials simply by saying the file is encrypted (like some existing phishing emails), or the link to the fake archive could download an executable and run it on the targeted system. The same can be done for .mov domains. Phishing has been on the rise since early 2022 and shows no signs of slowing. By adding new options for phishing attacks like the .zip and .mov domains, Google has opened options for IABs and other groups (as if they needed more options). The new TLDs are added to personalized phishing links that can evade reputation scanning and blocklists as the actual phishing content requires the initial link sent to the target.

Phishing and Smishing (SMS Phishing) have become more sophisticated with attackers using detection evasion techniques to get around most anti-phishing platforms. 2022 saw an increase of over 350% for sophisticated attacks. Attackers are leveraging flaws in Teams to send malicious links and meeting invites to unsuspecting targets. Combined with the used of compromised “legitimate” Microsoft 365 accounts, and restricted permissions message formats, these new TLDs do represent a significant increase in exposure for all organizations. Mitigation for these new threat vectors is either block all .mov and .zip domains from your environment (not a bad idea) or harden existing systems against malicious pivots while increasing security awareness training specifically on these new threats. Personally, I would go with the blanket block on the new TLDs as the likelihood of a legitimate domain popping up with one of these is minimal and that single domain could be added to a safe list if necessary. For personal systems, vigilance and not opening every link or file that comes in is the best method here.

Read 590 times

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.