New Top Level Domains .zip and .mov open the door for new attacks
Question
Why are there new domains ending in .zip and .mov and how can I block them?
Environment
- URL Filtering
- PAN-OS
Answer
The introduction of Top Level Domains (TLDs) such as .zip and .mov by Google on May 3, 2023, has raised significant concerns within the cybersecurity community. Extensive coverage on this topic exists, and while this article will not delve into exhaustive details, it aims to underscore the inherent risks associated with these new domains and provide guidance for safeguarding oneself against potential threats. For additional information, a list of references is provided to facilitate further exploration of this subject matter.
- Rise in Phishing and Malware Attacks: The emergence of .mov and .zip domains has expanded the attack surface for cybercriminals, enabling them to launch more sophisticated phishing campaigns and distribute malware. This presents a greater risk to users who may unknowingly download malicious payloads or unknowingly disclose sensitive information.
- Concealed Malware Delivery: Cybercriminals can now craft convincing emails using .mov and .zip domains, disguising malicious payloads within seemingly harmless multimedia files or compressed archives. This technique makes it harder for users to identify potential threats, increasing the likelihood of inadvertently downloading malware.
- Deceptive Domain Registration: The availability of .mov and .zip domains offers cybercriminals an opportunity to register deceptive domains that closely resemble legitimate websites. Exploiting this similarity, attackers can deceive users, manipulate them into revealing sensitive information, or spread misinformation, posing a significant threat to online security.
Consider the following two URLs. Which one is the malicious link?
https://github[.]com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip
https://github[.]com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1271.zip
That’s right, it was the second one. If you look closely, you’ll notice some subtle differences. The scammers used an “@” symbol and Unicode slashes (U+2215, which look like “/” but are not path separators) to make a link that looks very similar to the real one. Because a URL parser treats everything before the “@” as user information, the browser never contacts github.com at all; it connects to the host v1271.zip, which could serve harmful software.
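As an added example that is not part of the original article, the Python check below parses both URLs (constructed here with the defanged “[.]” restored) and reports the host a browser would actually connect to, together with the three tell-tale signs the article describes: an “@” in the authority, slash look-alike characters, and a .zip or .mov host.

```python
from urllib.parse import urlsplit

# Constructed sample pair mirroring the article's example. "\u2215" is the
# Unicode DIVISION SLASH used in place of "/" in the deceptive link.
LEGIT = "https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip"
DECEPTIVE = ("https://github.com\u2215kubernetes\u2215kubernetes\u2215archive"
             "\u2215refs\u2215tags\u2215@v1271.zip")

RISKY_TLDS = {"zip", "mov"}
# Characters that render like "/" but are not path separators to a parser:
# DIVISION SLASH, FRACTION SLASH, FULLWIDTH SOLIDUS.
SLASH_LOOKALIKES = {"\u2215", "\u2044", "\uff0f"}


def effective_host(url: str) -> str:
    """Host the browser will really connect to (userinfo before '@' is dropped)."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        # urlsplit rejects some look-alike characters in the authority
        # (NFKC check); treat an unparsable URL as having no trusted host.
        return ""


def analyze_url(url: str) -> dict:
    """Return the effective host, its TLD and a list of deception indicators."""
    findings = []
    try:
        parts = urlsplit(url)
        if parts.username is not None:
            findings.append("'@' in authority: text before it is userinfo, not the host")
    except ValueError:
        findings.append("URL rejected by parser: look-alike characters in authority")
    if any(c in url for c in SLASH_LOOKALIKES):
        findings.append("slash look-alike characters in URL")
    host = effective_host(url)
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld in RISKY_TLDS:
        findings.append(f"host ends in .{tld}, a TLD that doubles as a file extension")
    return {"host": host, "tld": tld, "findings": findings,
            "suspicious": bool(findings)}


if __name__ == "__main__":
    for u in (LEGIT, DECEPTIVE):
        print(analyze_url(u))
```

For the deceptive URL the effective host is v1271.zip, not github.com, which is exactly the host a URL Filtering rule on *.zip/ would block.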
What can be done to protect my network?
Probably the best method to protect yourself and your customers is to use URL Filtering. By utilizing wildcards, you can create a Custom URL Category and subsequently add it to one of your URL Filtering Profiles, configuring it with a "Block" action. To match every host under these TLDs, add the entries *.zip/ and *.mov/ to your Custom URL Category definition. Note that this blocks all sites under those TLDs, legitimate ones included, so add any domains you need to reach to an allow list.
Additional Information
References:
- https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/url-filtering/custom-url-categories
- https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/url-filtering/block-and-allow-lists
- https://www.kaspersky.com/blog/zip-mov-domain-extension-confusion/48254/
- https://www.darkreading.com/endpoint/google-zip-mov-domains-social-engineers-shiny-new-tool
- https://www.bleepingcomputer.com/news/security/new-zip-domains-spark-debate-among-cybersecurity-experts/
- https://www.youtube.com/watch?v=V82lHNsSPww
- https://www.youtube.com/watch?v=GCVJsz7EODA&t=332s