Jamie

The new ".zip" domain is being used almost solely for malware. Some of the clicks are very deceptive, even to technically knowledgeable people. See the attached image for an example.

You can block all zip domains with the following uBlock Origin rule:

||zip^

Tell everyone you know.

57 comments
bjb :devuannew: :emacs:

@suprjami

The slashes in the path part of the first url look different than the slashes in the scheme and everywhere in the second url. So my guess is that the first url is the malicious one.

I would have missed it if I hadn't been looking for a difference though. Thanks for the info.

Enara :potion_genderfluid:❔

@bjb @suprjami ooooh I hadn't noticed that detail! I was going for the @ in the address

Vi

@EnaWasHere @threetails @suprjami @bjb Both are true. Fake slashes make everything before the @ a “username” and v1271.zip the domain name.

Captain Dragonfrog Queernabs

@EnaWasHere @bjb @suprjami it's the @. Everything between http(s):// and @ is interpreted as a username and potentially a password; the part after the @ is the host and path.

Jon Ribbens

@dragonfrog @EnaWasHere @bjb @suprjami That's not quite right, the username/password part cannot contain (amongst other things) forward slashes. This attack is relying on using a unicode character that looks like a forward slash but isn't one.

Captain Dragonfrog Queernabs

@jribbens @EnaWasHere @bjb @suprjami I see, it's both the @ and the pseudo-slashes. Thanks for pointing that out.

tizilogic

@bjb @suprjami so basically this is yet another occasion where unicode hurts instead of actually helping.. why can someone register a domain with deceptive symbols in it??
#letsgobacktoasciionly

Jon Ribbens

@tizilogic @bjb @suprjami This attack doesn't involve unicode domains - there are unicode characters involved but they're not part of the domain name, which is entirely ascii.

noodle

@suprjami
For pihole users (copied from reddit)
Blocking a whole TLD in PiHole:

Log into your PiHole via the web interface

Find "Domains" on the left-hand column and click on it

On the Domain tab in the right window, find the Domain text entry, and add "zip" (without quotes)

In the Comment field, I added "Manual - Google .zip TLD" for my own records

Be SURE to check "Add domain as wildcard" to block the whole ".zip" TLD

Click on "Add to Blacklist"

Repeat for the "mov" domain as well (without quotes also)

DELETED

@suprjami The rule doesn't work, it won't save

Woods By The Sea

@dikleyt @suprjami Apply it under "My Filters" rather than "My Rules".

Creature Of The Hill :autism: :anartrans_symbol:

@celesteh@lgbt.io @suprjami@fosstodon.org
Top one with the @ is potentially malicious. The domain is v1271.zip with the bit to the left of the @ as a username crafted to look like a URL.
An old trick with a slightly new twist as you can use .zip and .mov now, which allows it to look like a zip archive or a video file to a casual user.

*(Blocked both on our network via the piHole)*

Mico

@suprjami@fosstodon.org Actually the slashes do not match either, I thought that was the catch

using (U+2215)
instead of / and just creating say kubernetes∕kubernetes user with archive as project ​:darksmiletroll:​

Jim

@suprjami Didn't virtually every infosec person say this would happen?

owls, but spooky 🎃

@suprjami What browser are you seeing the @ URL treat v1.27.1.zip as the domain in?

I can only get it to work with pretty trivial URLs; as soon as there's a slash in the username portion, it's detected as the domain/path portion by chrome/safari/curl.

As far as I can tell, https://github.com@backup.zip can be used for phishing,

but anything more complicated, like the example you posted, cannot -- e.g. https://github.com/some-path@backup.zip
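Added example, not from any poster in this thread: the Node.js snippet below runs the two kinds of URL discussed above through the WHATWG URL parser that browsers and Node share (the deceptive form with U+2215 DIVISION SLASH before the "@" and host v1271.zip, as Vi, Jon Ribbens and Mico describe it, and owls' plain-slash cases) and adds a small defender-side check that flags userinfo, slash look-alikes and the percent-encoded form a browser shows on hover. The sample URLs are constructed from the thread's description, not copied from the screenshot, and the function and constant names are my own.

```javascript
// Added example: how a WHATWG URL parser (Node's global URL, same rules as
// browsers) splits the URLs discussed in this thread, plus a defender-side
// check. Sample URLs are constructed from the thread's description and are
// not the exact strings in the screenshot.

// Characters that render like "/" but are not U+002F, so they do not end the
// authority section of a URL. Names are the Unicode character names.
const SLASH_LOOKALIKES = new Map([
  ['\u2215', 'DIVISION SLASH'],
  ['\u2044', 'FRACTION SLASH'],
  ['\uFF0F', 'FULLWIDTH SOLIDUS'],
]);

// Constructed: the deceptive form. Every "slash" before the "@" is U+2215,
// so the whole github.com... prefix is userinfo and the host is v1271.zip.
const PHISH_URL =
  'https://github.com\u2215kubernetes\u2215kubernetes\u2215archive\u2215refs\u2215tags\u2215@v1271.zip';
// Constructed: the legitimate form with real U+002F slashes and no "@".
const LEGIT_URL =
  'https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip';

// Parse a URL and report what the parser actually treats as host, userinfo
// and path, together with the tells a defender can key on.
function inspectUrl(raw) {
  const url = new URL(raw);
  const findings = [];
  const lookalikes = [];

  // Anything before "@" in the authority is userinfo, never the host.
  if (url.username !== '' || url.password !== '') findings.push('userinfo');

  // Slash look-alikes anywhere in the raw string, reported as U+XXXX.
  for (const ch of raw) {
    if (SLASH_LOOKALIKES.has(ch)) {
      lookalikes.push('U+' + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, '0'));
    }
  }
  if (lookalikes.length > 0) findings.push('slash-lookalike');

  // The serialized URL percent-encodes non-ASCII userinfo, so U+2215 appears
  // as %E2%88%95 (the form a browser shows when hovering the link).
  if (url.href.includes('%E2%88%95')) findings.push('encoded-division-slash');

  return {
    hostname: url.hostname,
    username: url.username,
    pathname: url.pathname,
    href: url.href,
    lookalikes,
    findings,
  };
}

// Host-level TLD block, the effect the ||zip^ uBlock rule in the post has on
// a URL's host: true when the last label is one of the listed TLDs.
function isBlockedTld(hostname, tlds = ['zip', 'mov']) {
  const labels = hostname.toLowerCase().split('.');
  return tlds.includes(labels[labels.length - 1]);
}

// Demo over the constructed URLs and owls' two plain-slash cases.
for (const u of [
  PHISH_URL,
  LEGIT_URL,
  'https://github.com/some-path@backup.zip',
  'https://github.com@backup.zip',
]) {
  const r = inspectUrl(u);
  console.log(
    `host=${r.hostname.padEnd(11)} blocked=${isBlockedTld(r.hostname)} ` +
      `user=${JSON.stringify(r.username)} findings=${JSON.stringify(r.findings)}`
  );
}
```

The parser never guesses: the authority runs up to the first real U+002F, "?" or "#", and an "@" inside it splits userinfo from host. That is why `https://github.com/some-path@backup.zip` stays on github.com (the "/" ends the authority before the "@" is seen) while the U+2215 version lands on v1271.zip.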

Lisa

@owls Those aren't slashes, they're unicode 2215 "looks like a slash but isn't" characters.

Waotzi
@suprjami wtf why do we have a dot zip tld

Nocta

@suprjami damn it is a pretty creative use of it

Stephen Brooks 🦆

@suprjami It feels the real mistake here was allowing the whole of unicode in domain names. Perhaps select one language for each URL and stick with it but mixing 10000 different symbols is going to lead to weird stuff like this

Captain Dragonfrog Queernabs

@sjb @suprjami that was also a mistake, but neither of those URLs has Unicode in it, they're both all ASCII.

Ben S.

@dragonfrog @sjb @suprjami no, it's been pointed out elsewhere in the replies that this only works if you use Unicode characters that look like ASCII slashes but are not.

Sean

@sjb @suprjami Maybe the root mistake was creating the internet in the first place.

Atheist Art

@suprjami

Know your rights.
Never click any damn thing unsolicited.
Never post unsolicited dick pics.
Never post solicited dick pics.
Never use your personal computer, mobile personal computer (smart phone), for illegal acts.

Never say anything above a whisper that you don't want god to hear. She is listening.

Rena 🏳️‍🌈 「Angelus Project」

@suprjami and if I need to download something then I must do...? I mean, seeing the attached img I don't know what's the malware.

Slashes are a bit different from the first one but I don't know, not a thing I would see downloading something faster.

And I don't know how to apply that filter you wrote, either.

Woods By The Sea

@suprjami Accessible screenshot for those who need it.

Paul Chernoff

@suprjami @catzilla I appreciate this info. The bigger question is why hasn't Google simply killed this domain (they created it)?

御園はくい
@suprjami the one with the @

i've read that article before :smug1:

Ben Taylor

@suprjami @garius Think you've got the biggest reach of everyone I follow...

Jor ☝️😐 (en pause ⏸️ des RS)

@suprjami Who in the world thought it would be a good idea to allow characters that look like slashes in domain names? 😬

Olympia Indivisible

@suprjami Where do you put this rule?
uBlock Origin rule:

||zip^

Andreas Kilgus

@suprjami Content of image:
"Can you quickly tell which of the URLs below is legitimate and which one is a malicious phish that drops evil.exe?

github.com/kubernetes/kubernet…

github.com/kubernetes/kubernet…

Kay Ohtie

@suprjami
Wow. That took several seconds for me to figure out which despite the indicator being obvious once I saw it. Hell.
@casuallynoted

Kay Ohtie

@tequt @suprjami @casuallynoted the one with the @. It indicates everything that comes before it is a username for HTTP Basic auth, the domain is only what comes after.

Gemini6Ice

@suprjami could you add alt text to this screenshot when you have a chance, pretty please?

Jonathan👣🚲

@suprjami There are so many replies by technically inclined people (well, looking again, one person) thinking those U+2215 division slashes are regular slashes and therefore the @ isn’t parsed correctly, even with a font showing a difference. All the more reason to take it seriously. My browser does show %E2%88%95 when I hover over the link, even if specified as straight Unicode. That’s another viable tell.

Vchat20

@suprjami Sadly not surprised it took off like this.

Maybe this will give me an excuse to finally get a Pihole running on my network to block these. I've mainly avoided doing so because of the whole manual process of disabling/whitelisting stuff for which a lot of legit sites still need to function correctly.

Jaime Herazo

@suprjami Extra note: Test your filtering rule by trying to open this test domain: canigothere.zip/

If you can open it without getting stopped and see the message, your block isn't working.

genstar.service

@suprjami Are there already malicious zip domains in the wild?

Lockely :veripawed4:

@suprjami
Just blocked all zip TLDs in my router, thanks for the heads up!

Kapitän Clownfeuer

@suprjami what's even better is that google use sliding scales for how much any given .zip domain costs.. $dayjob bought one (not a super generic word, but is an umbrella brand we use) for 48 bucks, other versions of the same brand word (but separated out into their two component words) are 680 for one, and 1480 for the other. Per year.

The domains are utterly useless to us, but buying them _might_ reduce some phishing, maybe.

Google, in my opinion, can frankly go get F'd, the greedy @#$%ers
