Google has opened up the possibility of registering custom domain names based on the .zip and .mov TLDs: malicious users have already started taking advantage of it to launch new phishing campaigns.
The liberalization of top-level domain names by ICANN has opened up enormous opportunities for companies, but also for cybercriminals.
ICANN (Internet Corporation for Assigned Names and Numbers) is an international non-profit organization responsible for managing and coordinating the Domain Name System (DNS) globally. The liberalization of top-level domain names refers to ICANN’s decision to introduce new generic top-level domains (gTLDs) beyond traditional TLDs like “.com”, “.org”, and “.net”. This liberalization happened in 2011, when ICANN started the New gTLD program, allowing for the introduction of a wide range of new TLDs.
With the New gTLD program, dozens of customized top-level domains have been introduced: the complete list, which also contains the historical names, can be consulted in this text file. In another article we have seen the possible uses of a custom domain and clarified the roles of registry and registrar.
As the number of globally usable gTLDs has increased, so has the number of registries: these are the organizations and entities that have the authority and responsibility to manage and maintain the central database of domain names for a top-level domain (TLD). The registry controls the assignment and registration of domain names within a specific TLD.
Conversely, the registrar is an organization or company that acts as an intermediary between end users and the registry. The registrar is authorized by the registry to register domain names on behalf of customers. People or companies who want to register a second-level domain name under a specific TLD have to do so through an accredited registrar.
What threats can come from .zip and .mov domains
By querying ICANN’s public database, it turns out that for gTLDs
.mov the competent registry is Charleston Road Registry, a top-level domain registry company that is part of parent company Google. Google has recently opened up the possibility for end users to request the registration of second-level domain names using new TLDs, including .zip and .mov.
The Mountain View company also offers the Google Domains service in Europe, allowing its users to acquire ownership of a domain name, manage the related DNS records and build services around the chosen second-level domain.
Google has had a contract with ICANN since 2014 for the management of the .zip and .mov domains, but only recently, together with other gTLDs, have they been opened to the public (it is obvious, for example, that the company headed by Sundar Pichai will keep domains like
It is widely reported that cybercriminals are registering .zip and .mov second-level domains with the precise aim of launching phishing attacks and misleading users. Take for example the image shared by researchers of Silent Push Labs: as you can see, in this case the attackers have registered domains that use the terms microsoft-office365 together with the .zip gTLD. The goal is evidently to induce victims to believe that these are domain names owned by Microsoft and to get them to enter login credentials and personal data.
Also look at the experiment conducted by researcher Bobby Rauch: can you tell which of the two links that appear to refer to GitHub is malicious and points to a malicious file? You would probably have some difficulty.
In fact, try to take a look at the HTML source of the page: by using Unicode characters in the URL together with the character that delimits the username in an address (@), it is possible to show one link while actually directing the user to a malicious file hosted on a .zip or .mov domain. The technique is “subtle” and can become a real bomb in the hands of cybercriminals and individuals who engage in phishing activities every day.
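To check a link for the pattern described above, the following added example (not code from the article or from the researchers it cites) extracts the host a URL really points to and reports when the visible prefix is only userinfo placed before the @. The slash look-alike characters it checks and the sample links are assumptions constructed for illustration; the article only says "Unicode characters".

```python
import re

# Assumption: the article only says "Unicode characters"; these slash
# look-alikes are the ones this example checks for.
SLASH_LOOKALIKES = {"\u2044", "\u2215", "\uff0f", "\u29f8"}
WATCHED_TLDS = {"zip", "mov"}  # the two gTLDs discussed in the article

# Scheme, "://", then the authority up to the first real delimiter.
AUTHORITY_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/?#\\]*)")


def inspect_url(url):
    """Return (destination_host, findings) for an absolute URL."""
    match = AUTHORITY_RE.match(url.strip())
    if not match:
        return None, ["not an absolute URL with an authority part"]
    # Everything before the last '@' is userinfo, never the destination.
    userinfo, at_sign, hostport = match.group(1).rpartition("@")
    # Drop an optional port (IPv6 literals are not handled here).
    host = hostport.split(":")[0].lower().rstrip(".")
    findings = []
    if at_sign:
        findings.append("userinfo")
        if any(ch in SLASH_LOOKALIKES for ch in userinfo):
            findings.append("slash-lookalike")
        if "." in userinfo:
            findings.append("userinfo-resembles-host")
    if host.rsplit(".", 1)[-1] in WATCHED_TLDS:
        findings.append("watched-tld")
    return host, findings


def is_deceptive(url):
    """True when the visible prefix is userinfo hiding a .zip/.mov host."""
    _, findings = inspect_url(url)
    return "userinfo" in findings and "watched-tld" in findings


# Constructed sample links (not taken from the article).
SAMPLES = [
    "https://example.com\u2215org\u2215project\u2215archive\u2215@v1.0.zip",
    "https://example.com/org/project/archive/v1.0.zip",
    "https://docs.example.mov/index.html",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        host, findings = inspect_url(sample)
        print(f"{sample!r}\n  destination: {host}  findings: {findings}")
```

The first two samples look almost identical when rendered, yet only the second one is served by example.com; the first resolves to the .zip host after the @.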