WTF, Google!

I did not know, until just recently, that Google was a full-fledged domain registrar, which means it can create its own top-level domains. Earlier this month, it created a bunch of them. Most are innocuous enough: .dad, .esq, and .phd, for example.

But then they added .zip and .mov, and those are a problem. A big problem. 

As pointed out by Steve Gibson in this week's episode of Security Now!, it opens the door to new and very hard-to-detect phishing and malware attacks. From Steve's show notes for the episode:

In other words, threat actors are creating realistic-looking phishing landing pages using modern web tools HTML, CSS and JavaScript which mimics legitimate file archive software, hosted on a .zip domain to elevate social engineering campaigns. In a potential attack scenario, a miscreant could redirect users to a credential harvesting page when a file which is apparently “contained” within the fake ZIP archive is clicked. mr.d0x noted: “Another interesting use case is listing a non-executable file and when the user clicks to initiate a download, it downloads an executable file. Let's say you have an “invoice.pdf” file. When a user clicks on this file, it will initiate the download of a .exe or any other file.”

Additionally, the search bar in the Windows File Explorer can emerge as a sneaky conduit where searching for a non-existent .ZIP file opens it directly in the web browser should the file name correspond to a legitimate .zip domain. Mr.d0x said: “This is perfect for this scenario since the user would be expecting to see a ZIP file. Once the user performs this, it will auto-launch the .zip domain which has the file archive template, and able to appear legitimate.”

The problem, of course, is that the new .ZIP and .MOV TLD’s are also both legitimate file extension names. This invites confusion when unsuspecting users mistakenly visit a malicious website when they believe that they’ve opening a file. They could then be misled into downloading malware.

For more technical details, see this article by security researcher, Bobby Rauch. 

If you are using Firefox, you may be safe from an attack exploiting this feature. Chrome users may want to install this extension.