Saturday, November 23

Cyber Security Risks of .zip and .mov Domains – Insight by Umair Aziz

In a significant development, Google has recently made .mov and .zip domains available for public purchase. While this move brings exciting possibilities for website owners and businesses, it also introduces potential cybersecurity concerns. In this article, we will explore the implications of these new domain extensions and discuss the controls that companies should consider implementing to detect and prevent malicious attempts.

Umair Aziz, Head of Information Security and IT Governance – SadaPay

Cyber Security Implications

  1. Increased Phishing and Malware Attacks:
  2. The introduction of .mov and .zip domains provides attackers with new avenues to distribute phishing emails and deliver malware. Cybercriminals can now craft convincing emails that appear to contain multimedia files (.mov) or compressed archives (.zip) while concealing malicious payloads. This raises the risk of unsuspecting users inadvertently downloading malware or disclosing sensitive information.
  3. Availability of .mov and .zip domains opens the door for cybercriminals to register deceptive domains that closely resemble legitimate websites. They can exploit this similarity to deceive users, trick them into divulging sensitive information, or spread misinformation

Example

Let’s go through these implications using real world examples by analysing two URIs

  • https://example[.]com/archive/refs/tags/18[.]zip
  • https://example[.]com/archive/refs/tags/@18[.]zip

On a face of it, both URIs look similar and should take you to .zip file placed on example.com domain however after closely monitoring the URI and placed @ in the second domain, we realize that second URI will reroute the user to 18.zip domain where an attacker might have placed malicious payload to be executed on user’s machine. This can lead to new wave of phishing attacks on organizations and attackers using these domains for more sophisticated attacks.

This happens because the standard RFC3968 in section 3.2 states that

“The authority component is preceded by a double slash (“//”) and is terminated by the next slash (“/”), question mark (“?”), or number sign (“#”) character, or by the end of the URI”

If you want to further explore SSRF exploiting techniques using URL parser in different programming languages, Do check this slide deck from Blackhat 2017 by Orange Tsai

Control Measures

  1. Employee Awareness and Training: Educate employees about the risks associated with .mov and .zip domain emails. Train them to be cautious while opening attachments or clicking on links from unfamiliar or suspicious sources.
  2. Email Filtering and Scanning: Implement robust email filtering and scanning systems that can detect suspicious attachments and links. Employ advanced threat intelligence tools to identify and block known malicious .mov and .zip domains
  3. Domain Monitoring: Regularly monitor domain registrations that closely resemble your company’s brand or domain name. Employ domain monitoring services or tools that provide alerts for potential spoofing attempts.
  4. DMARC Implementation: Deploy Domain-based Message Authentication, Reporting, and Conformance (DMARC) protocols to authenticate email sources and prevent domain spoofing. DMARC helps protect against email-based attacks that abuse your organization’s domain.
  5. Content Monitoring and Filtering: Implement robust content monitoring and filtering systems to detect and block malicious or inappropriate content hosted on .mov and .zip domains.
  6. Automated File Analysis: Employ automated file analysis tools that scan and analyze files uploaded to websites with .mov and .zip domains. These tools can identify potentially malicious files and take appropriate actions to prevent their distribution.
  7. To stay ahead of emerging threats, companies should conduct regular security assessments and penetration testing. These assessments help identify vulnerabilities in the organization’s infrastructure, including potential risks associated with new domain extensions like .mov and .zip.

Conclusion

While the introduction of .mov and .zip domains by Google brings new possibilities, it also poses cybersecurity challenges for individuals and organizations. By implementing the appropriate controls outlined in this article, businesses can significantly mitigate the risks associated with these domain extensions. Stay vigilant, invest in employee education, and regularly assess your security posture to ensure robust protection against emerging threats in this evolving digital landscape.

Share