Google’s New .zip & .mov Domains Create New Risks

In an at-best questionable move, the “Don’t Be Evil” company, Google, has done something evil. Google has created new security risks by releasing eight new top-level domains (TLDs) including, .zip and .mov. Security experts are rebuking Google for introducing new attack vectors that scammers are actively exploiting.

TLDs are the final segment in a URL (such as .com, .org, .net, etc.), and they were initially designed to classify the purpose or geographic region of a given domain.

The .zip extension is commonly used in archive files that employ the zip compression format. Similarly, the .mov format appears at the end of video files, particularly those created in Apple’s QuickTime format. The concern arises from the automatic conversion of these TLDs into clickable links when displayed in emails, on social media, or elsewhere.

Security experts warn that these new TLDs cause confusion when displayed in emails or on social media, as many sites and software automatically convert strings into clickable URLs. Scammers will exploit this to trick people into clicking on malicious links.

A scam could involve the scammer registering a domain such as photos.zip and setting up a website to serve malicious content. Unsuspecting users might click on the link, thinking they are accessing a photo archive from a trusted source, only to be redirected to a scammer’s website.

This has already been illustrated when a .zip TLD was used to create a malicious URL that closely mimics a legitimate one. Spacing is added to deactivate the link.

h t t p s : // github . com ∕ kubernetes∕kubernetes∕archive∕refs∕tags∕@v1271.zip

and

h t t p s : // github . com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip

Everything between “https://” and the @ symbol in a domain name is treated as user information, while everything after the @ symbol is treated as the hostname.

Scammers are sure to exploit these new TLDs to deliver malicious content leading to successful phishing, system breaches, and unauthorized access to sensitive data. The release of .zip and .mov TLDs is creating yet another attack vector that will confuse already vulnerable users.

Acreto Solution

• Through precise file type upload and download controls, Acreto can effectively block the transfer of files that could be potential vehicles for cyber threats. By doing so, it minimizes the chance of malicious files reaching your systems in the first place. This is particularly relevant in the context of the .zip and .mov TLDs, where scammers could exploit these file types to deliver harmful content.

• By blocking potentially harmful file transfers, Acreto ensures that your digital environment remains secure, without impeding your legitimate business operations. This safety measure, combined with Acreto’s comprehensive suite of security solutions, presents a formidable shield against the potential threats posed by the evolving TLD landscape.

Contact Acreto today for more information or to evaluate Ecosystem security for your organization.

Ecosystem Security Isolation

Ecosystems deliver a dedicated security infrastructure that can be deployed per application, use-case, project or third-party. An Ecosystem inherently limits access only to users, devices, systems and applications that need to interoperate together.

Ecosystems support any technology, on any network, anywhere in the world. These include computers, mobile devices, IoTs, Offices, Clouds, SaaS and Data Centers.

Ecosystems can be configured as:

Eliminate the Internet Attack Surface

Eliminates any and all access from the Internet while Ecosystem members can interoperate with authorized systems and applications.

Eliminate the Internal Attack Surface

Ecosystems can easily isolate individual or groups of systems on a shared network or entire networks, to limit access only to systems that need to interoperate together. This is done with

• Micro-Segmentation Segmenting groups of systems on any shared network, including hostile networks or the entire network.

• Nano-Segmentation Isolating an individual system, device or application to limit access only to other authorized Ecosystem members.

Isolated Data Flows

Isolated data flows can be defined between two Ecosystem members to limit access to specified sources and destinations, network protocols and ports, application protocols as well as application programs.

Encrypted Secure Scan

Secure Scan addresses a key weakness in many security tools today. 90%+ of all communications is encrypted, yet only 10% of organizations have the means to secure these communications. Encrypted Secure Scan decrypts, scans, and re-encrypts communications inline and in real-time.

Any malicious content embedded in the encrypted payload is blocked, otherwise the clean and validated communication is delivered to its final destination.

Controls

• User Authorizes access to the Ecosystem by a user’s identity, including MFA, as authenticated by the organizations’ Directory Services such as Active Directory or LDAP, as well as third-party Identity Service Providers such as Okta, Ping, Duo, and CloudJump among others.

• Device Specifies a unique identity to each device to validate that a specified device that does not rely on a user to operate – such as an autonomous application or IoT, is allowed to join the Ecosystem.

• Credit Cards Upload / Download Controls

• Social Security Number Upload / Download Controls

• RegEx Pattern Upload / Download Controls

Threat Prevention

After verification of network protocol, port, application protocol and application program, a deep inspection is performed on all communications. The effectiveness of this method is amplified by inline Encrypted Secure Scan. Threat prevention capabilities utilize two key methods:

Simplicity

Acreto Ecosystems are very easy to provision and deploy. There are no hardware dependencies or associated logistics.

Provisioning an Ecosystem takes 3-5 minutes. Simply provide a unique name to the Ecosystem then choose the bandwidth desired and within a few minutes your Ecosystem providing a dedicated security infrastructure is ready.

Depending on your connection options for Ecosystem members, deployment can take between 10 minutes to a few hours.

Sustainability

Acreto Ecosystems utilize a sustainable model without any dependency on products and their associated logistics. There are no more updates, upgrades or technology refreshes.

Change Management

Different Ecosystems operate completely independently from one-another. Therefore, change management impacts only members of a specified Ecosystem, not the entire organization. This simplifies the traditionally complex change management process.

Policy Management

Policy management also benefits from Ecosystems. Because Ecosystems are specific to a customer scenario such as an application, use-case, project or third-party, all policies apply to the scenario. Moreover, when it’s time for policy cleanup, when an application or use-case is retired, disabling or deleting the Ecosystem automatically prunes the policies. This has traditionally been a complex task that is at best inaccurate.

Mechanism of Attack

• Google has introduced new TLDs, including .zip and .mov.

  • These extensions are problematic because they are commonly associated with specific file types (.zip for compressed files, .mov for QuickTime video files), which could lead to confusion.

  • Many software automatically converts strings into clickable URLs when displayed in emails or social media.

  • Scammers can use this feature to trick users into clicking malicious links disguised as regular file downloads.

  • Attacker could register a domain like ‘photos.zip’ and host malicious content there. Users might think they’re clicking on a compressed photo file when they’re actually being redirected to a dangerous website.

• Technical Aspects of Exploitation

  • The exploitation relies on the automated transformation of strings with new TLDs into clickable links by many email or social media platforms.

  • The attack vector is based on the confusion between file types and these new TLDs.

  • The malicious process could involve a multi-step attack, from registering the scam domain to crafting a deceptive email or post, to hosting and serving malicious content.

  • The scammer could also use the @ operator and Unicode characters that resemble slashes in URLs to make malicious URLs appear more legitimate.

About Acreto

Acreto delivers full-stack cybersecurity without products, logistics or significant security expertise. It creates and consolidates the best of cybersecurity into a single plug-and-play platform with automated updates to stay ahead of threats. Acreto activates enterprise-grade security instantly, so organizations can run safely, easily, and without interruption.