Beware of .zip Domains: Phishing Risks and Unicode Confusion

In the vast landscape of the world-wide web, where new top-level domains appear continually, it is crucial to stay alert and informed about potential risks. One relatively new domain extension is .zip, which, when used maliciously, can enable phishing attacks and scams. In this article we explore the dangers associated with .zip domains, with a particular focus on Unicode characters that cause confusion and make fraud easier. Let's dive into the potential risks and how we can avoid them.

There are .zip domains?

Before we dive into the specifics, let's quickly grasp the concept of .zip domains. These domains are relatively new and attract attention because the name coincides with a well-known file compression format. However, not all .zip domains are created equal: while some serve legitimate purposes, others can be used as a disguise for phishing attempts and malware distribution.

The Unicode Character quirk

One of the primary concerns with .zip domains lies in the use of Unicode characters that are easily mistaken for common characters in URLs. Swapping characters in a URL built for phishing is nothing new, but the new TLD makes it more interesting. In the example URL "https://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1271.zip", note the '@' sign and the division slash (U+2215) used in place of the solidus (U+002F). This is where the confusion begins.

The '@' sign, commonly associated with email addresses, no longer serves a legitimate everyday purpose in a URL. Back in the day it was used to pass a username and password in the address; since this is in no way secure, you should not do this. Yet clever attackers exploit the syntax by combining the '@' with Unicode characters such as U+2215 (division slash) or U+2044 (fraction slash), which visually resemble the '/' character (U+002F). Because these look-alikes are not real path separators, everything before the '@' is parsed as the username, and the browser actually connects to the host after it: v1271.zip. This subtle manipulation can deceive even attentive users into believing they are visiting a legitimate website.

The Phishing Trap

Phishing attacks thrive on tricking unsuspecting users into revealing sensitive information or downloading malicious content. Attackers leverage the confusion caused by Unicode characters in .zip domains to create URLs that closely resemble trustworthy sources, such as well-known software repositories, cloud storage providers, or legitimate file archives.

For instance, consider the legitimate URL "https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip". It points to a publicly available .zip source archive on GitHub. However, a phishing URL like "https://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1271.zip", with Unicode look-alikes subtly replacing the forward slashes, sends users somewhere else entirely. They may unknowingly land on a malicious website or download malware, jeopardizing their systems and sensitive data.
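To see how a browser actually reads the two URLs above (the userinfo trick from the previous section and the look-alike slashes), here is an added checker that is not part of the original article. It uses Node's global URL class, which implements the same WHATWG URL parsing browsers use, so the reported hostname is the one the browser would connect to; the fullwidth solidus U+FF0F is an extra look-alike added here beyond the two the article names.

```javascript
// Added example: inspect a URL the way a WHATWG-compliant browser parses it and
// flag the tricks the article describes: userinfo before '@' and slash look-alikes.

// Code points that render like '/' but are not the solidus U+002F.
// U+2215 and U+2044 are named in the article; U+FF0F is an addition here.
const SLASH_LOOKALIKES = new Map([
  ['\u2215', 'U+2215 DIVISION SLASH'],
  ['\u2044', 'U+2044 FRACTION SLASH'],
  ['\uFF0F', 'U+FF0F FULLWIDTH SOLIDUS'],
]);

function inspectUrl(raw) {
  const url = new URL(raw); // throws on input no browser would accept either

  // Collect look-alike characters present in the raw, un-normalised string.
  const lookalikes = [];
  for (const ch of raw) {
    const name = SLASH_LOOKALIKES.get(ch);
    if (name && !lookalikes.includes(name)) lookalikes.push(name);
  }

  // Anything before the last '@' in the authority became userinfo, not the host.
  const hasUserinfo = url.username !== '' || url.password !== '';

  const reasons = [];
  if (hasUserinfo) reasons.push(`text before '@' is userinfo; real host is ${url.hostname}`);
  if (lookalikes.length) reasons.push(`slash look-alikes: ${lookalikes.join(', ')}`);
  if (url.hostname.endsWith('.zip')) reasons.push('host is a .zip domain');

  return {
    hostname: url.hostname,
    hasUserinfo,
    lookalikes,
    suspicious: reasons.length > 0,
    reasons,
  };
}

// Constructed sample inputs: the legitimate GitHub archive URL from the article
// and the look-alike built with U+2215 division slashes and an '@'.
const LEGIT = 'https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip';
const PHISH = 'https://github.com\u2215kubernetes\u2215kubernetes\u2215archive\u2215refs\u2215tags\u2215@v1271.zip';

for (const u of [LEGIT, PHISH]) {
  const r = inspectUrl(u);
  console.log(`${r.suspicious ? 'SUSPICIOUS' : 'ok'} host=${r.hostname}`, r.reasons);
}
```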

Protecting Yourself from these phishing attacks

Given the risks posed by .zip domains and the potential for Unicode character manipulation, it is essential to adopt preventive measures to stay safe. Here are some tips to help you mitigate the risks:

  1. Be vigilant and double-check URLs: Always inspect URLs carefully, especially when downloading files or accessing sensitive information. Pay close attention to unusual characters or any deviation from the expected format.
  2. Verify the source independently: Rather than relying solely on a URL, cross-reference the information from official sources. Visit the website directly by entering the known, legitimate URL manually or through trusted bookmarks.
  3. Hover before you click: Hover your mouse cursor over a hyperlink to reveal the actual URL destination in the browser's status bar. Verify that the displayed URL matches your expectations and doesn't contain any suspicious characters or variations.
