New top-level domains may introduce some unforeseen security risks

6 June 2023

On the 2nd March 2023, Google announced a new set of top-level domains that they would be releasing in May of 2023. The set of 8 domains included:

- .foo
- .zip
- .mov
- .nexus
- .dad
- .phd
- .prof
- .esq

There are already a vast number of different top-level domains to choose from, and it is positive to see Google release more as online communities continue to develop. However, two of the new top-level domains have sparked some controversy: .zip and .mov. For most people these are commonly recognisable as file extensions, .zip for a zipped archive and .mov for the Apple-developed video format.

One of the main points made against these new domains concerns social engineering attacks and URL manipulation. For example, it is common for web browsers such as Chrome, Firefox and Safari to download a file when given a URL that points directly to that file, for example:

https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip

Navigating to this link in a web browser would start a download of the v1.27.1.zip file. However, using different delimiters in the URL can change the behaviour inside a web browser. The image below shows how the different delimiters separate the elements of a URL for the browser to read.

[Image: Parts of a URL]

This shows that a URL such as https://google.com@facebook.com would actually lead to facebook.com rather than google.com. Therefore, if we take the first link from above and insert the at sign (@), the following link can be created:

https://github.com/kubernetes/kubernetes/archive/refs/tags/@v1.27.1.zip

Even though there is only a single character of difference, the first link will start a download of the legitimate zip file from GitHub.com. The second link, however, will load the webpage https://v1.27.1.zip. This domain can be registered by a malicious attacker and used for a variety of malicious purposes, including downloading a malicious payload, hijacking your browser and more.

Scenario

Let’s say you received an email asking you to log in to your Amazon account to review recent purchases. Although it may look legitimate, some users may find it suspicious and want to investigate further. A few initial things to check when deciding whether an email is legitimate are the sender's email address, any spelling mistakes or continuity errors, and the URLs behind hyperlinks and buttons. When checking the button's hyperlink, you find it reads:

http://heretoscamyou.com/salkjfgdj/amazon.com

In this scenario it would be fair to say that this is definitely not the correct URL for Amazon’s website, because it starts with heretoscamyou.com instead of amazon.com. However, what if the URL was along the lines of:

https://www.amazon.com/downloads@bgbgsfd.zip

This URL, at first glance, looks legitimate, as it uses the amazon.com domain and HTTPS. In addition, web browsers tend to truncate very long URLs, so the user may not actually be able to see the @ when hovering the mouse over a button or link, as it is hidden. Despite initial analysis, the link would actually take the user to the bgbgsfd.zip website instead. If the bgbgsfd.zip website was designed to mimic the Amazon website, you’re very likely to assume all is well and enter your login details.

The websites above are just examples meant to give an idea of the many ways in which this could be exploited. We picked Amazon just because it’s well-known, but it could just as easily be your bank or credit card login pages which are being mimicked.

Mitigation

Hopefully, in the future, as more of these domains become available and used, Google and other browser vendors will take preventative measures to warn the user that the site they are navigating to may not be where they intended to go. For now, however, mitigating this issue relies largely on users being able to tell visually whether the URL in front of them is the URL they are expecting.

Our advice

Be extra vigilant when clicking links in emails you think are suspicious. If there’s an @ symbol anywhere in the link, don’t click it.
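As an added example (not code from the original post), the following Python checker applies the advice above to a link before it is clicked: it flags any `@`, compares the host a reader would take from the link with the host a standards-compliant parser resolves, and warns when that host ends in .zip or .mov. The parser rule it relies on is that the authority runs from `://` to the first `/`, `?` or `#`, and anything before a `@` within that span is treated as credentials, so the `@` only redirects the request when it sits before the first slash; the FILE_EXTENSION_TLDS list and the sample links are constructed from the post's own examples.

```python
from urllib.parse import urlsplit

# The two new TLDs the post singles out because they double as file extensions.
FILE_EXTENSION_TLDS = ("zip", "mov")


def resolve_host(url: str) -> str:
    """Host a standards-compliant URL parser actually connects to.

    The authority runs from '://' to the first '/', '?' or '#'; anything before
    the last '@' inside that span is userinfo and is dropped, so
    'https://google.com@facebook.com' resolves to facebook.com.
    """
    if "://" not in url:
        url = "https://" + url  # bare 'example.com' style links
    return (urlsplit(url).hostname or "").lower()


def apparent_host(url: str) -> str:
    """What a skimming reader takes for the site: the text right after the
    scheme, cut at the first '/', '?', '#' or '@'."""
    if "://" in url:
        url = url.split("://", 1)[1]
    for sep in "/?#@":
        url = url.split(sep, 1)[0]
    return url.lower()


def check_link(url: str) -> dict:
    """Apply the post's advice: flag any '@', any apparent/resolved host
    mismatch, and any host ending in a file-extension TLD."""
    reasons = []
    host, shown = resolve_host(url), apparent_host(url)
    if "@" in url:
        reasons.append("contains '@', the credentials delimiter")
    if shown != host:
        reasons.append(f"looks like {shown} but resolves to {host}")
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld in FILE_EXTENSION_TLDS:
        reasons.append(f"host ends in .{tld}, which doubles as a file extension")
    return {"url": url, "host": host, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Sample input constructed from the post's own example links.
    for link in ("https://google.com@facebook.com",
                 "https://www.amazon.com/downloads@bgbgsfd.zip",
                 "https://v1.27.1.zip"):
        result = check_link(link)
        print("SUSPICIOUS" if result["suspicious"] else "ok", result["host"], link)
```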

References:

- https://www.registry.google/announcements/launch-details-for-eight-new-tlds/
- https://www.techradar.com/news/want-a-new-google-zip-domain-it-could-be-a-serious-security-risk
- https://www.xda-developers.com/google-zip-mov-domains-security/?newsletter_popup=1
- https://arstechnica.com/information-technology/2023/05/critics-say-googles-new-zip-and-mov-domains-will-be-a-boon-to-scammers/
- https://www.darkreading.com/endpoint/google-zip-mov-domains-social-engineers-shiny-new-tool
- https://www.wired.com/story/google-zip-mov-domains-phishing-risks/