
[Mini] .ZIP becomes a TLD. Immediately used for Phishing, Data Leaks

rcmaehl
11 hours ago, LAwLz said:

I find the entire scenario you are painting to be completely ridiculous. It is not a real threat. Even in your own scenario, you are raising like 3 new red flags that wouldn't be necessary in a typical scam. And as I have now said several times, professional security experts (not just me) do not consider this a big risk. Some might, but most don't. You do not have to worry, this isn't a big deal. 

It's not ridiculous; what I dislike is that you discount it as something not to worry about...when you clearly don't really interact with general users enough to realize how bad this could be (or you truly lack the critical thinking to understand how bad this could be).

 

The paypal portion of it is 100% feasible, it's something I've seen personally (except they were using it to get people to call them).

Putting it as plain text is something that happens naturally by how it's constructed, and lastly yes, users do copy plaintext URLs to go to them.  None of those are ridiculous, and it's honestly laughable if you somehow think that users won't do that.  Those users yes might fall for www.go.ogle.com, but they are much more likely to fall victim to the zip.

 

Do you seriously not understand the risks behind this?

 

Send someone the following network shared link then

⧵⧵fileserver\hr⧵diciplinaryAction:doc⧵@attachment.zip

 

The above 100% will not look like you are going to a website and many many people will assume it's a zip file somewhere on a shared drive.  Dump it into a document file and hovering over the link won't even show the attachment.zip, but the entirety of it.

 

Even if someone was using a web-browser while doing it; one would have to be foolish to not understand that general users even hovering over the link might get confused by seeing what they think is an attachment.

 

Going back to the Nvidia example...yes they might see

2023.06.24.hotfix.zip
IF it was a hyperlink (because if instead of going to a rickroll it presented a zip file that's when you would notice)

If the user does look at the link and sees something like that, they are a lot more likely to just assume that it's showing them the name of the file...compared to seeing

2023.06.24.hotfix.com

If they see that there will be drastically more people who will not fall for that simply because they recognize it as being a different site.

 

  

7 hours ago, cooky560 said:

Honestly I can see why this could trip people up, but remember that .com is a file type too, and that has been a TLD for a very long time, and hasn't been an issue.

 

The bigger question is less security and more "why is this necessary": is there a shortage of domain names available using the huge range of TLDs already out there?

The difference between .com and .zip though is what people associate it with.  If you go onto the street and ask 10 people what a .com is, they will say a website, if you ask them what .zip is they will say a computer file.

3735928559 - Beware of the dead beef


2 hours ago, wanderingfool2 said:

Do you seriously not understand the risks behind this?

I do, and so do the security experts I have quoted. The problem is that you and several others in this thread do not understand the risks and therefore think they are bigger than they are.

 

I will leave this conversation now for everyone's sake. I do want to once again point out that I have linked to two security experts who both do not think this is a big deal. If you aren't going to listen to me (also a security expert) then at least listen to them and not random bloggers.


13 minutes ago, LAwLz said:

I do, and so do the security experts I have quoted. The problem is that you and several others in this thread do not understand the risks and therefore think they are bigger than they are.

I understand the risks; we aren't proclaiming the world is ending, we are stating that there are real risks of it opening up scams and such.

 

So get off your "I'm a security expert" high horse, because as I've said before your qualification means squat when you take boneheaded approaches like saying that it's a nothing burger.  That kind of approach is exactly the same kind of attitude I got from the "qualified" "Cisco certified" dope who tried convincing my boss that the firewalls were correctly put up for the DMZ (which they weren't).

 

You are the one that's denying that there is a risk, and aren't apparently active enough with end users to realize that yes the scenarios like I said happen.  (Even looking into the filtered junk mail I can see similar kinds of scams).

 

Even your "experts" aren't saying what you are; so either you are grossly misreading them or really you don't understand that there are unique risks to it.  It's almost as dumb as making a doc or exe tld.

 

Since you can't seem to be capable of reading even your own source, here is the snippet that maybe you should take note of:

Quote

will leave to various minor phishing schemes/tricks/address-confusion attacks

 

Or had you looked at the rest he had to say

Quote

The only reason there's a .ZIP TLD is because it's funny to confuse people, it markets off the "this used to just be a file extension and now we changed it because we could." So even if it's not a uniquely horrific, it's just not a good action of stewardship and that's worrying.

By that logic I could say any attack that's not specifically targeted is a "minor phishing scheme" and a "nothing burger".  It's spoken as someone who never went into a company before that had a lapse of security, or someone who didn't have to sift through all the blocked emails to find a single important email amongst thousands of spam.

 

Having .zip as a TLD is stupid, and things like it shouldn't have really been allowed to happen; because YES it does open up new avenues for scammers...we shouldn't accept the stupidity of having it and even minor impacts as a way of life; I remember when companies like Facebook didn't do full HTTPS, only during login, because no one would target it...it was such a small target, until it wasn't.

 

The simple fact is that people here have already shown you multiple different targeted attacks that using .zip adds that are unique to the file name confusion.

 

As for the full Eric blog, he just skips over effectively what most are arguing by essentially stating it's already incredibly subtle...which is a cop-out situation as it ignores any arguments that it adds new avenues to it by having zip as now an ambiguous term.

 

Again, the reason it's so terrible is because you can have a short URL that people think they have read correctly without realizing it's not a valid link.

 

⧵⧵fileserver:80⧵mydocdoc⧵@attachment.zip


Compared to how you would have to exploit it currently

⧵⧵fileserver:80⧵@hr.com\attachment.zip


If you seriously don't know users who would fall for the former but not the latter, then congratulations...I know of plenty of users who would fall for it but not the latter...simply because the general user is accustomed to seeing .com and being wary of strings with .com in the name.  Notice how he also said it was overblown, not your "nothing to worry about" type of comment.

 

The simple fact is, if you now type [xyz].zip into the Windows Start menu to open a file and it's not a file on your computer, it will now take you to a .zip website...and yes, that is how a large chunk of the user base does do it.

 

Also

https://mrd0x.com/file-archiver-in-the-browser/

A security researcher

 

It's not the argument of saying new TLDs are bad, but an argument that assigning new TLDs that are synonymous with common file names is a bad practice and should not have happened.

3735928559 - Beware of the dead beef
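The two link shapes argued over in this thread (the `⧵⧵fileserver⧵hr⧵...:doc⧵@attachment.zip` one in the earlier post and the `⧵⧵fileserver:80⧵mydocdoc⧵@attachment.zip` versus `@hr.com\attachment.zip` pair above) both rely on the same two URL rules: characters that merely look like slashes do not end the host part, and everything before the last `@` is treated as userinfo, so the real host is whatever follows it. The script below is an added example written for this page, not code from any poster or from the linked blogs. It resolves the host a browser would actually contact and flags links whose host ends in a TLD that doubles as a file extension, the kind of check a mail gateway or chat link filter could run. All sample links are constructed; the `.zip`/`.mov` list and the assumption that a bare, schemeless link is auto-linked as `https` are this example's own choices.

```python
"""Added example (not from the thread): resolve the real host behind
'@'-plus-lookalike-slash links and flag file-extension TLDs."""
import re
from typing import Optional

# Code points that render like '/' or '\' but are plain characters to a URL
# parser, so unlike a real slash they never terminate the authority section.
SLASH_LOOKALIKES = {
    "\u2215": "/",   # DIVISION SLASH
    "\u2044": "/",   # FRACTION SLASH
    "\uff0f": "/",   # FULLWIDTH SOLIDUS
    "\u29f5": "\\",  # REVERSE SOLIDUS OPERATOR (the one used in the thread's examples)
    "\uff3c": "\\",  # FULLWIDTH REVERSE SOLIDUS
}

# TLDs that are also everyday file extensions (assumption: extend as needed).
FILE_EXTENSION_TLDS = {"zip", "mov"}

# WHATWG "special" schemes: for these a real backslash also ends the authority.
SPECIAL_SCHEMES = {"http", "https", "ftp", "ws", "wss"}
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def _authority(link: str) -> Optional[str]:
    """Authority section (userinfo@host:port) as a browser would delimit it."""
    m = _SCHEME_RE.match(link)
    if m is None:
        scheme, rest = "https", link          # assumption: bare text is auto-linked as https
    else:
        scheme, rest = m.group(1), link[m.end():]
        if scheme.lower() not in SPECIAL_SCHEMES:
            return None                       # mailto:, javascript:, ... have no host here
        rest = rest.lstrip("/\\")             # special schemes tolerate any mix of leading slashes
    end = len(rest)
    for delim in "/\\?#":                     # only REAL delimiters end the authority
        idx = rest.find(delim)
        if idx != -1:
            end = min(end, idx)
    return rest[:end]


def effective_host(link: str) -> Optional[str]:
    """Host the browser connects to: text after the LAST '@', minus the port."""
    authority = _authority(link)
    if authority is None:
        return None
    hostport = authority.rsplit("@", 1)[-1]
    if hostport.startswith("["):              # bracketed IPv6 literal
        host = hostport.split("]", 1)[0] + "]"
    else:
        host = hostport.split(":", 1)[0]
    return host.lower() or None


def apparent_filename(link: str) -> str:
    """What a skimming reader takes for the file name: the token after the last
    slash or slash lookalike, with a leading '@' dropped."""
    normalized = "".join(SLASH_LOOKALIKES.get(c, c) for c in link)
    return normalized.replace("\\", "/").rsplit("/", 1)[-1].lstrip("@")


def classify_link(link: str) -> dict:
    """Real host plus every reason the link deserves a second look."""
    authority = _authority(link) or ""
    host = effective_host(link)
    reasons = []
    tld = host.rsplit(".", 1)[-1] if host and "." in host and not host.startswith("[") else ""
    if tld in FILE_EXTENSION_TLDS:
        reasons.append(f"real host {host!r} ends in .{tld}, which doubles as a file extension")
    if "@" in authority:
        reasons.append("userinfo before '@' hides the real host")
    if any(c in SLASH_LOOKALIKES for c in link):
        reasons.append("slash lookalike characters in link")
    return {"host": host, "looks_like_file": apparent_filename(link),
            "suspicious": bool(reasons), "reasons": reasons}


RSO = "\u29f5"   # renders as a backslash lookalike
DIV = "\u2215"   # renders as a forward-slash lookalike

SAMPLE_LINKS = [  # constructed for this example
    f"https://{RSO}{RSO}fileserver{RSO}hr{RSO}disciplinaryAction:doc{RSO}@attachment.zip",
    f"https://example.com{DIV}downloads{DIV}@2023.06.24.hotfix.zip",
    "https://example.com/downloads/2023.06.24.hotfix.zip",   # ordinary download link
    "https://fileserver:80/hr.com/attachment.zip",           # real slashes: host is fileserver
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        result = classify_link(link)
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} host={result['host']!r} looks-like={result['looks_like_file']!r}")
        for reason in result["reasons"]:
            print(f"             - {reason}")
```

Running it shows the first two sample links resolving to the hosts `attachment.zip` and `2023.06.24.hotfix.zip` while the reader-facing tail is the same file-looking name, whereas the two links with real slashes resolve to `example.com` and `fileserver`. The one deliberate difference from Python's own `urllib.parse.urlsplit` is that a real backslash is treated as an authority terminator, which is what browsers do for `http`/`https`; a pasted UNC-style path with a genuine `\` therefore cannot smuggle a host past the `@` the way a lookalike can.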

