Alert for new pages activated by Google: this is how they steal your data with “.zip” sites.

Last week Google enabled eight new domain extensions for web pages, and the move has generated warnings: just as there is .com or .net, you can now register sites ending in .zip, which gets confused with the well-known compressed file format and opens the door to a new form of scam.

The issue stems from an official Google post announcing that domain names can now be bought with eight new extensions: .dad, .esq, .prof, .phd, .nexus, .foo, .zip and .mov (the latter is also problematic, since it is historically a video format).

The problem is that all of this hands bad actors an easy way to develop campaigns that steal data through phishing: “When we talk about phishing, we’re referring to the practice of getting people to reveal their personal and confidential information, whether it’s passwords, credit card numbers or banking information,” explains Agustín Merlo, computer security researcher.

“To achieve this, an attacker can use different techniques, such as sending fake emails or messages and creating sites similar to the ones we frequent. In all of these cases, the attacker is pretending to be a person or entity we trust,” adds the security expert. malware (virus).

Now, with the ability to have .zip web pages, this adds a new attack vector.

What is a domain extension

Now .zip is not only a file extension, but also a domain extension. Shutterstock photos

To understand what dangers it poses, the first thing to understand is what Google has enabled. Internet domains are unique names given to web pages, and they have extensions. What Google did was admit new top-level domains (TLDs).

“Internet domains are divided into several names separated by dots, such as clarin.com or argentina.gob.ar, where what comes after the last dot is called a TLD. Initially there were a few, such as ‘.com’ for commercial companies and ‘.gov’ for government entities. Then came the two-letter country ‘ccTLDs’, like ‘ar’ for Argentina or ‘uy’ for Uruguay,” Maximiliano Firtman, programming expert, explains to this outlet.

Now, “there is a business model under the name Google Registry, where some gTLDs were registered for their own use, such as .google, and others to lease and do business with,” he recalls.

“A few years ago, the international organization that manages these domains added generic gTLDs, where anyone who pays a fee of several tens of thousands of dollars a year can get ‘anything’, as long as it’s not offensive and can’t be confused with a country: that’s why so many have appeared lately, like ‘.online’, ‘.cafe’, ‘.gratis’, etc.,” adds the teacher, founder of the IT Master Academy.

Therefore, the fact that “anything” can be a domain is what makes Google’s decision problematic.

“Zip”, the famous file compression

Together with “.rar”, they are the two most popular forms of compression. Photo: Shutterstock

A .zip is a compressed file, used to reduce size without losing information and very handy for bundling several files into one. They are widely known and used in the workplace and are usually opened with programs such as WinZip, WinRAR or the native Windows file extractor.

But a file is one thing and a web address (URL) is another: “The existence of .zip domains will be one more tool in favor of cybercriminals doing phishing, because in some cases it is necessary to understand some technical terms to identify what is wrong in a fake link,” warns Merlo.

Cristian Borghello, IT security specialist at Segu-Info, adds: “Although this type of deception has always existed with .com and .com.ar domains, this makes it easier for criminals to deceive users. As we know, the popular .zip file compression extension is easily identifiable: having a .zip domain can make it look like you’re downloading a file.”

“Given this belief, the user could go in to download their supposed files, but in reality they would be entering a fake domain where they could download malware or be asked to provide credentials or some kind of sensitive information,” he adds. The big problem, then, is that an attack vector has been added that didn’t exist before.

In fact, only two weeks have passed since Google’s official announcement and harmful cases have already been detected. Clarín contacted Jaime Restrepo, hacker and founder of DragonJAR, who published an article explaining a specific case.

“.zip domains are already being exploited by cybercriminals to create convincing web addresses that look legitimate and appear to ‘download’ a .zip file. This is achieved by using Unicode characters [a character standard] that look like the legitimate forward slash (/), tricking browsers into interpreting everything after the ‘@’ as the path and ignoring the server part of the URL,” he explained.

“For example, I registered the v17.zip domain and, by replacing the slashes with Unicode characters, a URL is created that looks almost identical to a legitimate one. This problem is exacerbated with the current versions of the WhatsApp apps for iOS and Android, as they treat the entire domain as a clickable link, increasing the risk of falling for the deception,” he adds.

“The replacement of / with other similar characters has been with us for more than 20 years, but its use with the .zip and .mov domains has exploded, making it more complex to differentiate between domains,” the expert clarifies.
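As an added example (not code from the article or from Restrepo’s post), here is a small Python check that a mail or chat link filter could run over an incoming URL: it reports where the browser would really connect and flags the three signals just described (a look-alike slash, text before an “@”, and a host ending in a file-like TLD). The look-alike table and the sample URLs are assumptions constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Code points that render like "/" (assumed list for the check, not exhaustive)
SLASH_LOOKALIKES = {
    "\u2215": "DIVISION SLASH",
    "\u2044": "FRACTION SLASH",
    "\u29f8": "BIG SOLIDUS",
    "\uff0f": "FULLWIDTH SOLIDUS",
}
# Extensions the article names as confusable with file types
FILE_LIKE_TLDS = ("zip", "mov")


def inspect_url(url: str) -> dict:
    """Report where a browser would really connect and list warning signs.

    Returns {"host": ..., "tld": ..., "findings": [...]}; an empty findings
    list means none of the three signals from the article were seen.
    """
    findings = []
    # 1. look-alike slashes anywhere in the string (checked on the raw text,
    #    before parsing, so a parse failure cannot hide them)
    for ch, name in SLASH_LOOKALIKES.items():
        if ch in url:
            findings.append(f"slash look-alike U+{ord(ch):04X} ({name})")
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        # urlsplit rejects a netloc whose NFKC form introduces '/', '?', '#',
        # '@' or ':' (FULLWIDTH SOLIDUS does); report it instead of crashing
        findings.append(f"rejected by urlsplit: {exc}")
        return {"host": "", "tld": "", "findings": findings}
    # 2. userinfo: per RFC 3986 the text before '@' is credentials, and the
    #    real host is what follows it
    if parts.username is not None:
        findings.append("text before '@' is userinfo, not the host")
    # 3. host ends in a TLD that reads like a file extension
    host = parts.hostname or ""  # already lower-cased by urlsplit
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld in FILE_LIKE_TLDS:
        findings.append(f"host ends in file-like TLD .{tld}")
    return {"host": host, "tld": tld, "findings": findings}


if __name__ == "__main__":
    # constructed samples: a plain download link and the pattern described above
    for sample in (
        "https://example.com/downloads/release.zip",
        "https://example.com\u2215downloads\u2215release@v17.zip",
    ):
        print(sample, inspect_url(sample))
```

For the second sample the browser connects to v17.zip, not example.com, which is exactly what a reader of the link text would not expect.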

How to protect yourself

Never provide sensitive data on external pages. Photo: Shutterstock

There are a number of guidelines to keep in mind that, strictly speaking, matter for browsing in general and not just with this type of web address.

“It all leads to the same point, which would be the final phishing site, and the best thing you can do to dismiss it is to always check the domain name before entering your private information,” suggests Merlo.

The expert adds a series of key points to take into consideration:

  • Be attentive and distrustful when receiving emails, messages or phone calls you did not request in advance.
  • Do not fall into a state of “urgency”: criminals will want you to fear a possible blocking of your account, so that you spend less time analyzing what is happening.
  • Examine the email: who sends it, and whether the links in it redirect to the correct site.
  • Avoid clicking on a link; instead, open a new tab and access the entity’s website on your own.
  • Before entering private information on a site, always validate that the domain is correct, that it has “https://” and that it is not highlighted in red.
  • Have an antivirus installed and kept up to date. If in doubt, contact the company or agency directly.

“It is important to stay informed about the latest tactics of cybercriminals and to be cautious when browsing the Internet. Always checking URLs before clicking on them is a particularly important practice if you receive emails or messages from strangers,” concludes Restrepo.

With or without this measure from Google, you must always be vigilant: scammers cast a wide net among thousands of users. As long as a small percentage falls into the trap, that is enough for them.

Source: Clarin
