Future Exploitation Vector: File Extensions as Top-Level Domains

From trendmicro.com

In May 2023, Google launched eight new top-level domains (TLDs), including .zip and .mov. Although they seemed harmless at first glance, their launch sparked discussion and debate across the internet, since these domains can pose security risks if cybercriminals exploit them for malicious purposes. In this blog entry, we examine these security risks and provide best practices and recommendations on how both individual users and organizations can protect themselves from these hazards.

Primary security concerns

Hiding malicious URLs behind legitimate websites

Using legitimate websites to mask malicious URLs, in order to avoid detection and minimize suspicion, is a technique that cybercriminals have used for a long time. These websites are often used as referrer URLs that redirect to the malicious URLs. In the case of the .zip TLD, one of the things that makes it a potential security concern is the use of the @ character in a website URL.

In an example provided by Bobby Rauch on Medium, accessing the URL shown in Figure 1 directs a user to bing.com instead of google.com. This means that the part of the URL before the @ is, in practice, ignored and merely acts as a mask, whereas the part after the symbol is the actual target. In other words, the @ is just a delimiter.
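The following is an added example (not code from the original post or from Trend Micro) showing how a defender can resolve the host a browser will actually connect to when a URL contains an @ delimiter, and flag URLs whose real host ends in a file-extension TLD. The sample URLs are constructed for illustration; `bing.com` and `google.com` are taken from the example above, the rest are placeholders.

```python
from urllib.parse import urlsplit

# TLDs that double as common file extensions (the two named in this post).
RISKY_TLDS = {"zip", "mov"}


def analyze_url(url: str) -> dict:
    """Return the real host a browser would connect to, plus warning flags.

    In a URL such as https://google.com@bing.com the text before '@' is
    'userinfo' (a username), not a hostname; the real host is bing.com.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Everything in the authority before the last '@' is userinfo.
    userinfo = parts.netloc.rpartition("@")[0]
    flags = []
    if userinfo:
        flags.append("userinfo-masking")
        # A dot in the userinfo means it was written to look like a domain.
        if "." in userinfo:
            flags.append("lookalike-host-in-userinfo")
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld in RISKY_TLDS:
        flags.append(f"file-extension-tld:.{tld}")
    return {"host": host, "userinfo": userinfo, "flags": flags}


if __name__ == "__main__":
    # Constructed samples: the post's @ example, a .zip host, and a .zip
    # *path* on an ordinary host, which is not a TLD concern at all.
    for sample in (
        "https://google.com@bing.com",
        "https://example.zip/report",
        "https://www.example.com/file.zip",
    ):
        print(sample, "->", analyze_url(sample))
```

The third sample shows the distinction that matters for detection: a .zip at the end of a path is a file name, while a .zip at the end of the host is a domain.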
