Phishing Vulnerabilities in Google’s New Top-Level Domains (TLDs)


Google has launched new top-level domains (TLDs) such as .dad, .phd, .prof, .esq, .foo, .nexus, .zip and .mov, and the last two are raising #cybersecurity concerns. Security experts and researchers consider these new TLDs a potential #phishing risk. Unlike .com or .uk, .zip and .mov are also the familiar file extensions of zip archives and MPEG-4 videos, and attackers can exploit that familiarity to attempt phishing and distribute malware.

The new paid additions were marketed as TLDs for “dads, grads, and techies”, aimed at parents, professors, and graduates. The TLDs became available to everyone on May 10, 2023, at a base annual price. Over time, the nonprofit Internet Corporation for Assigned Names and Numbers (#ICANN) has progressively relaxed limitations on TLDs, enabling entities such as #Google to bid in auctions and offer a wider range of TLDs for sale. However, experts warn that certain messenger apps and social media platforms may automatically turn filenames with these extensions into clickable links, posing security risks.

Phishing Activity (Source: Interisle)

How Will It Lead to More Phishing Attacks?

The new .zip and .mov URLs are more likely to be mistaken for files and will open new ways for hackers to take advantage of people's inattention to carry out digital scams. The most common is likely to be phishing, as people will be tricked into clicking malicious links that look legitimate.

Hackers will likely register .zip and .mov domains that combine the extension with a trusted, pre-existing brand to impersonate it (think microsoft.zip) and point them at malicious websites. Such tactics succeed because programs may wrongly recognize file names as website links and automatically turn them into clickable links, giving the threat actor an easy path onto a server or system.

Humans can differentiate between a zip file and a .zip URL, but machines and social media platforms do not. This will create confusion as social media sites and messaging apps may convert file names into URLs. For example, the image below shows that Twitter failed to differentiate between a zip file and a URL and converted the file names into links: the post gives clear instructions to open the zip file and then access the MOV file, but both file names were turned into web links by Twitter.

(Source: Bleeping Computer)

Suppose a hacker registers domains like update.zip and test.mov and sends them to your employees; if even a single employee falls for it, the result can be a major data theft for the company. Researchers have found another way to exploit .zip domains for phishing. The technique, known as “file-archiver-in-the-browser,” uses websites that mimic the interface of an archiver utility. The user is tricked into clicking the .zip URL, thinking it is a zip file, and is taken to a website with the same name where, instead of a list of files, they encounter links that can lead anywhere.

The hackers can hide malicious executable downloads behind those entries or prompt the user to enter credentials to access a document. The same research also describes an intriguing delivery method involving Windows File Explorer: if a threat actor uses social engineering to convince a user to search for a non-existent .zip file, File Explorer will automatically open a website on the domain with the same name. .zip URLs have already been seen in phishing attempts impersonating Windows update themes. This shows that when a trustworthy name is attached to a file or URL, people are more likely to click and proceed, potentially leading to phishing or ransomware attacks.

Microsoft login phishing page hosted on a .zip domain (one of the TLDs recently launched by Google)
(Source: Twitter)

Google Has Offered Assurances About the Situation

Experts around the world have mixed views on the latest TLD launch, whereas Google has claimed it is nothing new: there has always been confusion between domain names and file names. In a conversation with Wired, the tech giant backed this up with the example of 3M’s Command products, which use command.com as their domain name even though command.com is also the name of a program on MS-DOS and older versions of Windows.

Google has also noted that applications have mitigations, such as Google Safe Browsing, to block such phishing domains, and that Google Registry can suspend impersonating domains across all of its TLDs. The Internet giant assured continuous supervision of .zip and the other TLDs and promised to take strict action against any suspicious activity to protect users.

Still, there is a good chance the change will cause issues for both administrators and systems, as ZIP and MOV are well known even to non-technical people. The Twitter instance we shared earlier makes it more likely that such incidents will occur in larger numbers across other social media apps too. Phishing aside, this is going to cause difficulties for many of us, as text that contains a file name could turn into a web link to an external website.

Cybersecurity Experts Are Divided on the New Domain Launch

Google’s new TLDs give users more choice of URL suffixes, meaning one no longer needs to pay a premium to buy a desired site name from its existing owner. Others take a different view: they feel that new domains which coincide with popular file extensions like .zip and .mov add to the existing danger of phishing attacks. Amid these concerns, the Public Suffix List (#PSL) community has sided with the new TLDs, saying that removing them from the PSL would disrupt the operations of legitimate websites.

Security researcher Troy Hunt bluntly downplayed the risk of phishing through .zip and .mov URLs, noting that people still can’t tell the difference between a genuine URL and a phishing one. “And I am also one of them who can be fooled by ambiguous characters, and we don't have any idea what the correct URL is for a legitimate website,” he said in a statement to Wired.

(Source: Twitter)

Some strongly believe the internet giant could simply have left these two TLDs off the list. Google, which spends millions on security measures to safeguard users from phishing and scams, could have avoided introducing such overlaps.

“We all know it is not something new, and this is the problem, that it is not new,” said security researcher Marcus Hutchins. “Google has added more complications to this existing problem, as this will create big problems for CISOs and IT administrators,” he told Wired.

(Source: Twitter)

At the same time, various security researchers and developers, including Eric Lawrence, a developer on Microsoft Edge, have voiced their belief that the concerns surrounding these new domains are exaggerated.

What Can Organizations Do?

The new .zip and .mov TLDs have simply given hackers another weapon in their vast arsenal, so our advice for preventing phishing attacks remains the same. Check off the following steps before acting on any file or URL.

  • Check and study the link before clicking on any .zip or .mov URL.
  • If you see a trustworthy brand name in the URL, check twice before following the link.
  • Beware of attachments and links arriving in your inbox or messages that ask you to click and, more importantly, prompt you to enter credentials for any confidential account.
  • Using proper security software on your mobile devices, computers, and laptops is very useful.
  • You can also check whether a URL is genuine or fake using free, trustworthy tools.

Security Tip: Check out the suspicious links on Phishing URL Checker

How Can Organizations Combat the New Danger?

It is well known that humans can be the weakest link in cybersecurity, as phishers often target human psychology when launching cyber attacks on organizations. Therefore, CISOs should roll out new security policies for the .zip and .mov domain names. Here are some measures organizations can take:

  • Link scanning: Scanning suspicious links before clicking on them is a good preventive measure. Free tools are available that help detect malicious links and can spare you a costly incident later.
  • Blocking employees from accessing such domains: In light of the new developments, organizations can completely restrict employees from visiting websites whose links contain .zip or .mov. Employees may not be aware of the latest changes in TLDs, which makes them more prone to clicking such links. The same happened with the .bit domain, which was blocked by many users and slowly died due to a deluge of malicious links in 2018-19.
  • Security training: The risks associated with the two new domains can be explained to everyone in the organization through training and guidance, and it is a good opportunity to run phishing awareness and simulation training before anyone falls victim.
  • Check your systems and tools: #CISOs should run a test in the organization to see how their business systems process these links and handle domains ending in .mov and .zip, and also check how messaging apps, the email system, and the HRMS treat them, monitoring the effects closely. Disable features such as automatic link creation for .zip and .mov. Preparing in advance is always beneficial for you and your organization.
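A small pre-delivery check of the kind the last two measures call for, written as an added example rather than code from the article or any vendor it names: it scans message text for bare .zip/.mov file names that a linkifier would turn into links and for explicit .zip/.mov URLs carrying a trusted brand name, so a mail or chat filter can block or warn. The brand watch-list, the `scan` and `hostname_of` functions and the sample messages are all constructed.

```python
import re
from urllib.parse import urlsplit

# Added example, not code from the article or any vendor it names; the brand
# watch-list and sample messages below are constructed for illustration.
RISKY_TLDS = {"zip", "mov"}
WATCHED_BRANDS = ("microsoft", "google", "paypal")  # hypothetical watch-list

# Anything a chat or mail linkifier might turn into a URL: an optional scheme,
# dotted hostname labels ending in an alphabetic TLD, and an optional path.
TOKEN_RE = re.compile(
    r"(?:[a-z][a-z0-9+.-]*://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def hostname_of(token):
    """Lowercase hostname of a URL-like token, with or without a scheme."""
    if "://" not in token:
        token = "http://" + token
    return (urlsplit(token).hostname or "").lower()

def scan(text):
    """One finding per .zip/.mov host in text; other domains and file names
    (budget.xlsx, intranet.example.com) are left alone."""
    findings = []
    for match in TOKEN_RE.finditer(text):
        token = match.group(0)
        host = hostname_of(token)
        tld = host.rsplit(".", 1)[-1]
        if tld not in RISKY_TLDS:
            continue
        findings.append({
            "token": token,
            "host": host,
            "tld": tld,
            # The sender wrote a scheme, so it is unambiguously a link.
            "explicit_url": "://" in token,
            # A bare name.zip that a linkifier would silently turn into a link.
            "looks_like_file": "://" not in token and "/" not in token,
            # A trusted brand inside the hostname: the microsoft.zip pattern.
            "brand": next((b for b in WATCHED_BRANDS if b in host), None),
        })
    return findings

SAMPLE_MESSAGES = (  # constructed for this example
    "Please unpack report.zip, then open intro.mov from the archive.",
    "Patch here: https://update.zip/setup and login at microsoft.zip",
    "Quarterly figures are in budget.xlsx on https://intranet.example.com/docs",
)
```

Running `scan` over each of `SAMPLE_MESSAGES` flags the two bare file names in the first message, the explicit update.zip URL and the brand-bearing microsoft.zip in the second, and nothing in the third.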

Time will tell whether the new TLDs work for or against users. However, it is crucial to remember that sound cybersecurity practices are essential to prevent cyber-attacks, big or small.
