For many years, the internet was populated by just a handful of “top level domains”, or TLDs: .com, .net, .org, .gov, .mil and .edu. You might also realize that we use dotted suffixes to denote computer file types, like .txt, .doc or .pdf. It would make sense to avoid ambiguity between the two, right? Unfortunately, two new TLDs have just been released that match common file type suffixes: .mov and .zip. And the ambiguity is already being exploited by bad guys.
Exploiting the Ambiguity
Top level domain names were supposed to give you an idea what the sites were about. Commercial sites ended with .com, like yahoo.com or amazon.com. Public organization sites, often non-profits, ended with .org like eff.org. And so on. But as the internet became the most massive money-making machine we’ve ever seen, the powers-that-be decided we needed more top level domains. There are now over 1500 of them, including .wtf, .ninja, .fish, and .pizza. I’m not kidding.
But two recent additions to the list of TLDs are proving to be problematic because they match popular file name extensions: .mov (a “movie” file) and .zip (a compressed file). And evil-doers are already using this ambiguity to trick people into downloading infected files or taking people to malicious websites. If you received a text message or email with a link like https://email@example.com, you might look at it and think “this is a file from Carey’s iCloud account called funfile.zip”. Nope. If crafted maliciously, this would actually take you to a website called funfile.zip, because a browser treats everything between the “//” and the “@” as a username, and the real destination is whatever comes after the “@”. (If you care to know the details of this trick, see this article.) That website might then trigger a download of a virus-laden file.
We may also see bad guys registering malicious website domains that correspond to common file names like setup.zip or myproject.mov, and then hope that your messenger or email app will helpfully turn that into a clickable link (because it’s a valid website name now).
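As an added illustration (not code from the original post), here is how a browser’s own URL parser reads a link carrying an “@”, plus a small defensive check that flags links whose real host ends in .zip or .mov or that hide the host behind userinfo. The sample links are constructed for this example; `funfile.zip` and `setup.zip` are the names used above. Only the “@” part of the trick is shown here.

```javascript
// Added example, not from the original post. Sample links below are constructed.

// TLDs that collide with common file extensions (the two discussed in the post).
const FILE_LIKE_TLDS = new Set(["zip", "mov"]);

// Last label of a hostname, ignoring a trailing dot (e.g. "setup.zip." -> "zip").
function tldOf(hostname) {
  return hostname.replace(/\.$/, "").split(".").pop().toLowerCase();
}

// Parse a link the way a browser does. Everything between "//" and "@" is
// userinfo (username/password); the host the browser connects to is what
// follows the "@".
function describeLink(link) {
  const u = new URL(link);
  return {
    userinfo: decodeURIComponent(u.username), // what a human reads first
    hostname: u.hostname,                     // where the browser actually goes
    tld: tldOf(u.hostname),
  };
}

// Return a list of reasons a link deserves a second look before clicking:
// userinfo in the URL (the "@" trick) and/or a file-like TLD.
function linkWarnings(link) {
  let u;
  try {
    u = new URL(link);
  } catch {
    return ["not a valid URL"];
  }
  const warnings = [];
  if (u.username || u.password) {
    warnings.push(`contains "@": the real host is ${u.hostname}, not ${decodeURIComponent(u.username)}`);
  }
  const tld = tldOf(u.hostname);
  if (FILE_LIKE_TLDS.has(tld)) {
    warnings.push(`host ends in .${tld}, which is a web domain here, not a file`);
  }
  return warnings;
}

// Constructed sample links: the first looks like a file on photos.example.com
// but actually points at the host funfile.zip; the second is a genuine file
// download from example.com and should not be flagged.
const SAMPLE_LINKS = [
  "https://photos.example.com@funfile.zip/",
  "https://example.com/downloads/report.zip",
  "https://setup.zip/",
];

for (const link of SAMPLE_LINKS) {
  console.log(link, describeLink(link).hostname, linkWarnings(link));
}
```

The check deliberately looks at the parsed hostname rather than at the text of the link, because a real file download such as `https://example.com/downloads/report.zip` ends in “.zip” too and should not be flagged; only a host whose final label is zip or mov is a domain masquerading as a file.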
Mitigating the Risks
Your main mitigation for this risk is just being careful what you click on – as you should be doing already. Don’t blindly click on links, even from people you trust. Email addresses and phone numbers can be spoofed. Accounts can be hacked. If you see something with .zip or .mov in the URL, be suspicious. As this guy from Citizen Lab put it, “the chance that new .zip and .mov domains mostly get used for malware attacks is 100%.”
If you want to go for the nuclear option, you could use a tool like uBlock Origin to block all links to websites from these top-level domains. If you want to go this route, it’s similar to the way we blocked Google popups, but you’d enter the filter manually. To do this, open the “My Filters” tab and directly add filters that look like this:
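As an added illustration (my own filter lines, not the post’s original list), two uBlock Origin static filters that block page loads from any host whose final label is zip or mov. In uBlock’s filter syntax, `||` anchors the pattern at a hostname boundary (so it also covers subdomains), `^` is a separator, and the `$document` option applies the rule to the page navigation itself rather than only to embedded requests; lines starting with `!` are comments.

```adblock
! Block page loads from the .zip and .mov top-level domains (added example)
||zip^$document
||mov^$document
```

Two caveats: this blocks every site on these two TLDs, legitimate ones included, and because `$document` rules show uBlock’s strict-blocking page, a determined user can still click through. It also only protects the browser; a link opened directly by a messenger or email app is not covered.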
Some have said that we’re overestimating the risk, but my guess is that we’ll see these domains being treated more carefully by our apps. Browsers may build in safeguards for these new domains, maybe popping up a warning before navigating to these sites. Messenger and email apps may decline to turn these domains into clickable links automatically. In my mind, this is a mess and it should have been avoided.