
[Mini] .ZIP becomes a TLD. Immediately used for Phishing, Data Leaks

rcmaehl
2 hours ago, LAwLz said:

If it's an attachment, it's always a file.

If it's a link, you can tell because it will open in your browser (which usually doesn't open .zip files), and it will be a domain name (www.test.zip) instead of a URI with a path in it (www.test.zip/test.zip).

 

But to the people who are worried about getting scammed, you shouldn't open strange links or download strange files anyway. This would only be an issue if you used to trust random .zip files someone sent you, which you shouldn't have done to begin with. 

I'm aware. It's just that the presentation of the .zip link (to an attachment or to an external page) will be vaguer by default than it is on some forums.

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 


9 minutes ago, rcmaehl said:

I'm aware. It's just that the presentation of the .zip link (to an attachment or to an external page) will be vaguer by default than it is on some forums.

Bottom left.......


39 minutes ago, jagdtigger said:

Bottom left.......

Yes, that exists. 

 

However

 

test.zip

and

test.zip

7.73 kB · 1 download

 

Both look the same before that, and both of them can link to a zip file.

Stop thinking like a tech literate person and start thinking like a user. 😉

 



 


9 hours ago, rcmaehl said:

Stop thinking like a tech literate person and start thinking like a user. 😉

It's more feasible to prod users until they start to think on their own.... 😄


12 hours ago, rcmaehl said:

Yes, that exists. 

 

However

 

test.zip 7.73 kB · 4 downloads

and

test.zip

7.73 kB · 1 download

 

Both look the same before that, and both of them can link to a zip file.

Stop thinking like a tech literate person and start thinking like a user. 😉

 

Yes, but this is not a new issue, since you can create links that look however you want.

 

www.youtube.se

 

The above link goes to google.com

 

You have never been able to trust the text that displays a link. That isn't changing now either. 


29 minutes ago, jagdtigger said:

Best mitigation:
(External DNS blocked by firewall OFC.)

rip gamernexus site, also dad was missed.


2 hours ago, jagdtigger said:

Best mitigation:
[image: tldb.png]
(External DNS blocked by firewall OFC.)

that seems like the worst mitigation.

This is the kind of mitigation where you go "I don't want no damn viruses" so you become a Luddite.


13 hours ago, starsmine said:

that seems like the worst mitigation.

This is the kind of mitigation where you go "I don't want no damn viruses" so you become a Luddite.

I mean, there are pretty good statistics that show how bad some TLDs are:

 

A Peek into Top-Level Domains and Cybercrime (paloaltonetworks.com)

The Spamhaus Project - The Top 10 Most Abused TLDs

Many new top-level domains have become Internet’s “bad neighborhoods” [Updated] | Ars Technica



 


On 5/17/2023 at 9:13 AM, LAwLz said:

If it's a link, you can tell because it will open in your browser (which usually doesn't open .zip files), and it will be a domain name (www.test.zip) instead of a URI with a path in it (www.test.zip/test.zip).

On 5/15/2023 at 12:53 PM, Thaldor said:

I too don't see anything here more dangerous than what we already have. Like, it's already an everyday thing to see "microsoft.com.jkfdhakh.xyz" domains trying to be presented as microsoft.com. Hell, they can be even longer and with dashes to really try to hide the actual domain beneath subdomains. Not to mention using some real domain but redirecting it halfway to somewhere else.

https://nvidia.com∕updates∕critical∕may2023∕@attachment.zip

 

This is why it's a danger. Let me ask this: could you see someone accidentally clicking that link thinking it's from NVIDIA? Instead of a Rick Roll, if it was just a redirect to a zip file, it would behave as if you had clicked a link for Microsoft. The real danger comes when it's in an email as well, since if you hover over it, it can look quite valid (aside from the @ sign).

 

Or what about this?

https://google.com∕updates∕∕@attachment.zip

 

While it could still have been exploited with other names, the fact that it emulates a common file extension is what I think makes it a lot more dangerous. There is now an additional thing you have to identify when going to a link (specifically, you have to identify the @ sign). A few additional clever tricks and they might be able to bury the @ sign as well.

 

 

3735928559 - Beware of the dead beef


1 hour ago, rcmaehl said:

Yup, and the new ones created by Google just reek of abuse.....


20 minutes ago, wanderingfool2 said:

The forum font prevents this abuse, but most fonts don't



 


49 minutes ago, wanderingfool2 said:

https://nvidia.com∕updates∕critical∕may2023∕@attachment.zip

 

This is why it's a danger. Let me ask this: could you see someone accidentally clicking that link thinking it's from NVIDIA? Instead of a Rick Roll, if it was just a redirect to a zip file, it would behave as if you had clicked a link for Microsoft. The real danger comes when it's in an email as well, since if you hover over it, it can look quite valid (aside from the @ sign).

 

Or what about this?

https://google.com∕updates∕∕@attachment.zip

 

While it could still have been exploited with other names, the fact that it emulates a common file extension is what I think makes it a lot more dangerous. There is now an additional thing you have to identify when going to a link (specifically, you have to identify the @ sign). A few additional clever tricks and they might be able to bury the @ sign as well.

 

 

All you are doing is just masking it in HTML/PHP. What I meant is the actual demon that no one really wants to talk about, because there isn't shit to do about it without removing the "free internet". As in, what you do is have a URL and blast text over it; what I am talking about is the use of subdomains to hide the real domain.

 

Example (I won't use links just because reasons):

Not:
"Whatever-crap-someone-wants-to-write" which is really a link to URL

But:
the actual URL is "microsoft-google.com.netflix.amazon.co.uk.[whatever domain scammer uses].[whatever]"

As in, the actual domain is only the things inside [ ] and all that crap in the front is just a subdomain to make the link look like something more legit.

 

Hiding the URL behind text is countered just by hovering over the link and looking at the bottom-left corner of your browser (at least FF) where you will see the preview of the destination URL ([heavy sarcasm] super hard thing, I know, and it looks so ugly down there, better just hide it like the known file format so the "Metallica-St-Anger-mp3.exe" can be effectively hidden.[/heavy sarcasm]).

The thing I talked about requires you to actually know what a URL means and how it is pieced together; you can no longer just say "check the bottom-left corner and if it says "google.com" it's safe", because now there can be whatever "fun" the scammer really wants there to be, like "google.com", but the actual domain is at the end of the long and convoluted list of things.

 

Not to even open the can of worms of the "free internet", where anyone can register whatever domain and you get "nice" surprises like (purely an example, DO NOT SEARCH) "rewards-facebook.net" and other fun little things that make things 100 times more dangerous than the ".zip" TLD. But that would require someone ACTUALLY DOING SOMETHING (as in, actually going through the domain applications) and would hurt someone's bottom line, because they would need to hire someone to actually do something. Fixing these kinds of design errors would also require someone to actually go through and renew standards, and not just slap some new shiny shit on top of old standards and call it a day. It would most likely also lead to legal changes where parties that now don't need to do anything about these problems other than count their money and do business could actually be held responsible for what their customers are doing.

 

But all of this is just what it is, and we'd better focus on not having file extensions as TLDs and on what format websites can use to show consecutive pictures synced to an audio track.


11 hours ago, Thaldor said:

All you are doing is just masking it in HTML/PHP. What I meant is the actual demon that no one really wants to talk about, because there isn't shit to do about it without removing the "free internet". As in, what you do is have a URL and blast text over it; what I am talking about is the use of subdomains to hide the real domain.

It's actually masking it with the old-school login method for websites (specifically, it accepts the format username:password@domain).

 

In general it does add extra ways to trick users by having a TLD with a very common extension name. If you want more use cases, imagine getting an email where, instead of putting it as a hyperlink, you just ask the user to copy-paste the URL. It's a very simple URL and they "see" that it's going to Microsoft/Google/NVIDIA.

 

Or more specifically targeted attacks, where, let's say, you send an email to business XYZ.com saying something along the lines of:

 

"As per the legal document in the zip on your website at (https://XYZ.com/@attachment.zip) it says [....]. "

 

Send that to someone in XYZ and make it so they have to copy-paste the URL, and it's a lot more likely to get someone than something like

 

"As per the legal document in the zip on your website at (https://XYZ.com.attachment.zip) it says [....]. "

 

While of course there will be people who fall for the above, there are a lot more who would fall for the /@ version. It's not really abusing subdomains, which people have been doing for a long time; instead it's now abusing the login method, and when you have a TLD that matches the extension of a very common document file that people recognize, they are much more likely to fall for it.



On 5/22/2023 at 5:37 PM, Thaldor said:

All you are doing is just masking it in HTML/PHP.

There is no masking in that URL:

<user>:<pass>@domain.tld

It is the actual URL in an ancient format which isn't used anymore AFAIK, but browsers still support it.

Edited by jagdtigger
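The userinfo trick wanderingfool2 quotes above, the `<user>:<pass>@domain.tld` form jagdtigger points at, and the subdomain stacking Thaldor describes all come down to one question: which host will the browser actually contact? The following is an added example, not code from the thread or any of its posters. It splits a URL with Python's `urllib.parse` (the same authority/userinfo rules browsers follow) and reports the real host, any userinfo in front of the `@`, non-ASCII look-alike characters in the authority, an extension-shaped TLD, and the subdomain labels that sit in front of the registrable domain. The sample URLs are constructed and none of the domains are meant to be real; it assumes the thread's examples use U+2215 DIVISION SLASH as the slash look-alike, and the "last two labels" rule is a deliberate simplification of what a Public Suffix List lookup would give.

```python
"""Inspect a URL the way a browser parses it, so the host a user reads can be
compared with the host that will actually be contacted. Added example; all
sample inputs are constructed."""
import unicodedata
from urllib.parse import urlsplit

# TLDs that coincide with common file extensions. Assumption: only the two the
# thread discusses; a production check would use the full IANA TLD list.
FILE_EXTENSION_TLDS = {"zip", "mov"}

# Constructed samples. The first two replace "/" with U+2215 DIVISION SLASH,
# which renders like a slash but is not a path separator, so everything up to
# the "@" stays inside the authority (userinfo) part of the URL.
SAMPLES = [
    "https://nvidia.com\u2215updates\u2215critical\u2215may2023\u2215@attachment.zip",
    "https://google.com\u2215updates\u2215\u2215@attachment.zip",
    "https://user:pass@example.net/",
    "https://www.test.zip/test.zip",
    "https://microsoft-google.com.netflix.amazon.co.uk.example.net/login",
]


def inspect_url(url):
    """Return a dict describing where the URL really points and why it may mislead."""
    parts = urlsplit(url)
    netloc = parts.netloc
    host = (parts.hostname or "").lower()
    report = {"url": url, "host": host, "findings": []}

    # 1. Userinfo: everything before the last "@" in the authority is a
    #    username[:password], not a host. The browser connects to what follows.
    if "@" in netloc:
        userinfo = netloc.rpartition("@")[0]
        report["userinfo"] = userinfo
        report["findings"].append(
            "userinfo %r precedes '@'; browser connects to %r" % (userinfo, host))

    # 2. Non-ASCII characters in the authority, e.g. slash look-alikes.
    for ch in netloc:
        if ord(ch) > 0x7F:
            report["findings"].append(
                "non-ASCII U+%04X %s in authority" % (ord(ch), unicodedata.name(ch, "?")))
            break

    # 3. A TLD that doubles as a file extension.
    labels = host.split(".") if host else []
    if labels and labels[-1] in FILE_EXTENSION_TLDS:
        report["findings"].append("TLD .%s is also a file extension" % labels[-1])

    # 4. Apparent registrable domain: last two labels. Simplification (assumption):
    #    real code consults the Public Suffix List, which handles co.uk and friends.
    report["registrable"] = ".".join(labels[-2:])
    if len(labels) > 3:
        report["findings"].append(
            "%d labels; the leading ones (%s) are subdomains chosen by the owner of %s"
            % (len(labels), ".".join(labels[:-2]), report["registrable"]))
    return report


if __name__ == "__main__":
    for u in SAMPLES:
        r = inspect_url(u)
        print(r["host"], "<-", u)
        for finding in r["findings"]:
            print("   ", finding)
```

Run it and the first sample reports the host as `attachment.zip`, with `nvidia.com∕updates∕...` listed as userinfo and the division slash flagged as a non-ASCII character in the authority; the last sample reports `example.net` as the registrable domain with six subdomain labels in front of it. The "hover and read the bottom-left corner" advice from earlier in the thread works only if the reader mentally applies the same split this function does.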

Adding this here as well

 

On YouTube comments mentioning [address].zip are being converted into links...even when it was mentioned a long time ago.

 

Honestly, in this day and age, I think it would have just been better to only grant new TLDs for new country codes... instead of making it the wild west where large companies can make decisions to get top-level domains (or, if granting a TLD, there needs to be something to make sure there isn't going to be confusion).



3 hours ago, wanderingfool2 said:

Adding this here as well

 

On YouTube comments mentioning [address].zip are being converted into links...even when it was mentioned a long time ago.

 

Honestly, in this day and age, I think it would have just been better to only grant new TLDs for new country codes... instead of making it the wild west where large companies can make decisions to get top-level domains (or, if granting a TLD, there needs to be something to make sure there isn't going to be confusion).

Yeah.... that's a big yikes.

I had not personally considered the retroactive parsing on websites turning things into links that are not links


People watering down the menacing potential of these TLDs are delusional. Either they are used to interacting with so many "tech-savvy" people that they think that's representative of the average user, or they simply don't realize how many people struggle with the basics. There are literally billions of people using (or being obliged to use) tech they don't understand and are barely able to. Even basic stuff, like a TLD or file extension, is out of reach for so many people... They simply don't know what that is and can be easily tricked into believing weird stuff online. Especially when it is so easy to spoof/hide your sketchy domains/files, as with the .zip and .mov TLD/extension debacle.

That being said, I wonder if a Pi-hole, such as the one LTT provided a tutorial for, is a good solution for trying to fool-proof my household.


1 minute ago, pbargiona said:

People watering down the menacing potential of these TLDs are delusional. Either they are used to interacting with so many "tech-savvy" people that they think that's representative of the average user, or they simply don't realize how many people struggle with the basics. There are literally billions of people using (or being obliged to use) tech they don't understand and are barely able to. Even basic stuff, like a TLD or file extension, is out of reach for so many people... They simply don't know what that is and can be easily tricked into believing weird stuff online. Especially when it is so easy to spoof/hide your sketchy domains/files, as with the .zip and .mov TLD/extension debacle.

That being said, I wonder if a Pi-hole, such as the one LTT provided a tutorial for, is a good solution for trying to fool-proof my household.

This x1000

So many people lose sight of the fact that they are not the representative portion of the population and that the vast, vast majority have minimal tech literacy, and this isn't just "hurr durr old people dumb": there are a metric ton of young people, far more than there are older folks, who are just as "tech illiterate" if not more so than the older folks.



6 hours ago, pbargiona said:

People watering down the menacing potential of these TLDs are delusional. Either they are used to interacting with so many "tech-savvy" people that they think that's representative of the average user, or they simply don't realize how many people struggle with the basics. There are literally billions of people using (or being obliged to use) tech they don't understand and are barely able to. Even basic stuff, like a TLD or file extension, is out of reach for so many people... They simply don't know what that is and can be easily tricked into believing weird stuff online. Especially when it is so easy to spoof/hide your sketchy domains/files, as with the .zip and .mov TLD/extension debacle.

That being said, I wonder if a Pi-hole, such as the one LTT provided a tutorial for, is a good solution for trying to fool-proof my household.

 

6 hours ago, Lurick said:

This x1000

So many people lose sight of the fact that they are not the representative portion of the population and that the vast, vast majority have minimal tech literacy, and this isn't just "hurr durr old people dumb": there are a metric ton of young people, far more than there are older folks, who are just as "tech illiterate" if not more so than the older folks.

 

I've been saying this the entire time. I work with the average user 8+ hours a day, 5 days a week, sometimes on weekends too. 



 


20 hours ago, pbargiona said:

People watering down the menacing potential of these TLDs are delusional. Either they are used to interacting with so many "tech-savvy" people that they think that's representative of the average user, or they simply don't realize how many people struggle with the basics. There are literally billions of people using (or being obliged to use) tech they don't understand and are barely able to. Even basic stuff, like a TLD or file extension, is out of reach for so many people... They simply don't know what that is and can be easily tricked into believing weird stuff online. Especially when it is so easy to spoof/hide your sketchy domains/files, as with the .zip and .mov TLD/extension debacle.

That being said, I wonder if a Pi-hole, such as the one LTT provided a tutorial for, is a good solution for trying to fool-proof my household.

20 hours ago, Lurick said:

This x1000

So many people lose sight of the fact that they are not the representative portion of the population and that the vast, vast majority have minimal tech literacy, and this isn't just "hurr durr old people dumb": there are a metric ton of young people, far more than there are older folks, who are just as "tech illiterate" if not more so than the older folks.

Those people would be fooled by URLs that don't end with .zip as well.

That's the point I am trying to make. This change does not pose any new risk, nor are the risks any larger than before. 

Can you give me an example where someone would fall for a scam because of this new TLD, but wouldn't fall for it with other TLDs? I just don't see how this poses any new risk that could result in more people being scammed.


12 minutes ago, LAwLz said:

Can you give me an example where someone would fall for a scam because of this new TLD, but wouldn't fall for it with other TLDs?

You already got those:

On 5/22/2023 at 3:45 PM, wanderingfool2 said:

 

I happen to know what those @ symbols do, but I bet you that even most of the more savvy users don't really know about its function. (It's pretty old after all.) Plus most links look horrendous nowadays with all the tracking and whatnot, so have fun looking for that @ symbol.....


6 minutes ago, LAwLz said:

Those people would be fooled by URLs that don't end with .zip as well.

That's the point I am trying to make. This change does not pose any new risk, nor are the risks any larger than before. 

Can you give me an example where someone would fall for a scam because of this new TLD, but wouldn't fall for it with other TLDs? I just don't see how this poses any new risk that could result in more people being scammed.

The case in which the user has failed internal phishing tests before and now knows better after way too many trainings, but doesn't currently expect .zip to be anything but files.



 


27 minutes ago, LAwLz said:

Those people would be fooled by URLs that don't end with .zip as well.

That's the point I am trying to make. This change does not pose any new risk, nor are the risks any larger than before. 

Can you give me an example where someone would fall for a scam because of this new TLD, but wouldn't fall for it with other TLDs? I just don't see how this poses any new risk that could result in more people being scammed.

People are told to check that the URL starts with https: and that they should check the domain to make sure it matches what they want; this way they aren't fooled by the common stuff like http://micro.soft.com or https://www.go0gle.com . They are also often told to look out for "dangerous" file extensions like .exe. Attackers using a .zip TLD don't need to trigger any of these defenses with their malicious domain.

 

But that isn't the worst part. People can learn about this and avoid it. What they can't necessarily avoid is a program thinking itself smart by interpreting a file path as a URL. In that case you might be looking to open "openjdk-20.0.1_windows-x64_bin.zip" and have your program navigate to "http://www.openjdk-20.0.1_windows-x64_bin.zip", which may in turn serve it a file that might be dangerous or phish the user.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*

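The last point above, and wanderingfool2's earlier note about YouTube retroactively turning `[address].zip` comments into links, is a parsing problem on the defender's side: a "linkifier" that checks a token's last label against the TLD list started matching file names the day `zip` and `mov` joined that list. The following is an added example, not code from the thread, YouTube or any poster. It shows a naive linkifier of that shape next to a guarded one that leaves a bare token alone when its apparent TLD is also a file extension or when the token cannot be a hostname at all. The five-entry TLD set and the sample sentence are constructed stand-ins.

```python
"""A comment/chat 'linkifier' that turns bare host-like tokens into links, and a
guarded variant that refuses when the token looks like a file name. Added
example; all inputs are constructed."""
import re

# Tiny stand-in for the real TLD list a linkifier would consult (assumption:
# only these five). The trouble starts once "zip" and "mov" are in it.
KNOWN_TLDS = {"com", "net", "org", "zip", "mov"}
FILE_EXTENSION_TLDS = {"zip", "mov"}

# A bare token: starts after whitespace, contains at least one dot, ends in
# letters. Tokens that already carry a scheme ("https://...") are skipped
# because their host part is not preceded by whitespace.
BARE_HOST = re.compile(r"(?<!\S)[A-Za-z0-9][A-Za-z0-9._-]*\.([A-Za-z]{2,})\b")


def naive_linkify(text):
    """Link every token whose last label is a known TLD - the behaviour the post describes."""
    def repl(m):
        return "http://" + m.group(0) if m.group(1).lower() in KNOWN_TLDS else m.group(0)
    return BARE_HOST.sub(repl, text)


def looks_like_filename(token, tld):
    """Heuristics for 'this is a file name, not a host'."""
    if tld in FILE_EXTENSION_TLDS:
        return True   # extension-shaped TLD with no scheme: do not guess
    if "_" in token:
        return True   # underscores are not valid in hostnames (RFC 1123)
    return False


def guarded_linkify(text):
    """Same as naive_linkify, but leaves file-name-shaped tokens as plain text."""
    def repl(m):
        token, tld = m.group(0), m.group(1).lower()
        if tld not in KNOWN_TLDS or looks_like_filename(token, tld):
            return token
        return "http://" + token
    return BARE_HOST.sub(repl, text)


if __name__ == "__main__":
    # Constructed sample: a file name, a bare domain and an explicit URL.
    sample = ("Grab openjdk-20.0.1_windows-x64_bin.zip from example.org, "
              "not from https://example.net/x.zip")
    print(naive_linkify(sample))    # the .zip file name becomes http://openjdk-...zip
    print(guarded_linkify(sample))  # only example.org is linked
```

The guarded version still links `example.org` and leaves the explicit `https://` URL untouched, but it no longer manufactures `http://openjdk-20.0.1_windows-x64_bin.zip` out of a file name. The same rule applies to any autolinking code path (mail clients, ticketing systems, chat bots): a bare token with no scheme and an extension-shaped TLD needs the user's explicit intent, not a guess.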
