Google TLDs: some security controversy
I’ve been seeing a certain amount of panic about Google’s inclusion of .zip and .mov in its recent launch of eight new Top Level domains (TLDs). While I don’t think adding to the list of TLDs that can be confused with filename extensions, I think the risks may have been overstated by some companies with a commercial interest.
Some years ago, back when I had to watch out for this sort of stuff, there was an issue with massmailers using .com attachments and trying to pass them off as links to .com websites, though it was fairly shortlived, if I remember correctly. It’s likely that some scammers will try to do something similar or even the reverse with the new domains, and there have been reports of .zip domains being bought and used for proof-of-concept phishing trials, notably this one from Netcraft. What’s more, the SANS Internet Storm Centre seems almost amused to report the setting up of a .zip site by a somewhat greyhat site. (Long time since I felt the need to check out the ISC: I thought I was retired from all this.)
Greyhat? That’s site or individual that leans further towards the practices of a full-blown blackhat op than a whitehat or ethical hacking op. The definitions of any of these are not set in stone, but I’d include some of the less public investigations of security teams like law enforcement and antimalware labs somewhere in the whitehat zone. And SANS itself has been known to lean a little too far for my taste into the greyhat zone. My own association with the organization was cut short when I objected to their making public trivially-modified virus code.
For The Register, Thomas Claburn is fairly relaxed about the issue: Don’t panic. Google offering scary .zip and .mov domains is not the end of the world. Wired is not panicking, but is a little less relaxed: The Real Risks in Google’s New .Zip and .Mov Domains.
Or there’s this article by Eric Lawrence, which seems to cover most of the issues from a more informed viewpoint: New TLDs: Not Bad, Actually.
I’m no longer in the industry and don’t track this sort of stuff, so I’m too out-of-the-loop to offer anything like expert opinion. However, the companies that make mail clients, browsers, and security software are already aware of this sort of issue. And while I don’t trust Google to make the best decisions, I’d be astounded if the company hadn’t already discussed this with other security-conscious organizations. Certainly the antimalware labs will have been looking at the implications. In any case, any time you open an attachment or visit a new site, there is a risk, whatever the file extension or domain name is, but you can reduce it with caution and competent security software.
David Harley
*** This is a Security Bloggers Network syndicated blog from Check Chain Mail and Hoaxes authored by David Harley. Read the original post at: https://chainmailcheck.wordpress.com/2023/05/21/google-tlds-some-security-controversy/
