PUBLIC DEFENDER Beware of Google’s .ZIP domain and password-embedded URLs
By Brian Livingston

The security community is up in arms, because Google this month started selling domain names with deceptive endings such as .zip and .mov. Even worse, some browsers are allowing usernames and passwords to be embedded into URLs. This means following a link can expose users to viruses without any explicit action (such as clicking “OK”). Internet-standards bodies years ago prohibited usernames and passwords in URLs — but hackers still do it.

And the official Internet Corporation for Assigned Names and Numbers (ICANN) has enthusiastically added misleading top-level domains (TLDs) such as .zip and .mov to the 1,640 other TLDs from which the organization already collects registration fees.

Yet more domains that sound like legitimate file extensions
The outrage began a few days ago, when Google announced that it was starting to sell domain names in eight new TLDs that ICANN had licensed to the search giant. Someone in Mountain View obviously thought domain names in the following TLDs would sound groovy. More importantly, the novel domains would cause people to buy a lot of such names from Google for $15 a year and up:
No one really needs vanity domain names such as these. But their flimsy rationale is not the point. The big problems relate to the last two TLDs in that list. For instance, filename.zip sounds exactly like a compressed document, and starwars.mov sounds exactly like a clip from a motion picture. But, in fact, both of those names — and potentially thousands more that Google will sell — would not be the filenames of actual documents or movies. Instead, clicking a URL containing such strings would take a user’s browser directly to the home page of a hacker’s website. The website might be named filename.zip, starwars.mov, or some other variation that we might never suspect. (IRS.zip, anyone?)

During an innocent user’s visit to such a website, some random document or movie clip might actually be downloaded. This would make it appear to the user that nothing unusual had happened. But that decoy download would occur only after an infected executable had been silently installed on the user’s device.

Everything looks normal, but now you’re infected
The infinite possibilities for deception have been outlined by Bobbyrsec, the Medium handle of a well-known security researcher. He shows one frightening way hackers can use the new .zip domain names. The technique involves Unicode characters that look almost precisely like the slashes we see in URLs every day. But instead of slashes, these “diagonal” Unicode characters mask the fact that the last thing on the line is actually a website, not a filename.
In Figure 2, Unicode characters U+2044 (fraction slash) and U+2215 (division slash) look so much like ordinary slashes that most Web users would never notice the difference. These diagonals do have legitimate uses. One is written by mathematicians to form fractions (e.g., 4/5ths). The other is used in formulas to represent division (10/2=5). The second line of Figure 2 uses these characters as bogus “slashes.” The true destination of the URL is a website we’ll call v1271.zip. (The example is not a real website.) That domain name would belong to a hacker’s server. It wouldn’t be a legitimate .zip file of the open-source software known as Kubernetes.

A weakness in Chromium and some other browser technologies accepts deceptive letter-like shapes in URLs. The flaw was first described as long ago as February 2016 in a Chromium.org bug report (see Issue 584644). The vulnerability was soon rated “WontFix” by admins.

An essential aspect of the hack is shown in lines 2 and 3 of Figure 2. Unknown to most Web users, browsers generally ignore everything in a URL that precedes an “at” sign (@). This feature is exploited by hackers. They post what look like valid Internet paths, such as github.com/kubernetes. The true payload — v1271.zip — is cleverly placed at the URL’s end, where it looks like a typical ZIP file. (This is not the @ sign that’s familiar to us from email addresses. It’s what software engineers call a URL delimiter.)

To conceal the “at” sign, hackers can format the text of a URL so the crucial character is formatted as small as 1 pt. As shown in Example 3, that makes the @ so small that it’s nothing but a tiny gray pixel on-screen. Most people would never notice it.

Let’s look on the bright side. Google does.
Despite the howls from the security community, Google is still selling .zip and .mov domain names at this writing. In fact, the search giant has gone to some lengths to defend its promotion of unusual extensions. In a statement, Google says:

“The risk of confusion between domain names and file names is not a new one. For example, 3M’s Command products use the domain name command.com, which is also an important program on MS DOS and early versions of Windows. Applications have mitigations for this (such as Google Safe Browsing). These mitigations will hold true for TLD’s such as .zip. At the same time, new namespaces provide expanded opportunities for naming such as community.zip and url.zip.”

This explanation sidesteps the fact that command.com sounds like an executable file. Many Web users would exercise reasonable caution before clicking such a name. By contrast, filename.zip and starwars.mov sound like mundane data files that users might not suspect. And there will soon be thousands of such alluring names — not just a single instance such as command.com.

Is this the worst hack ever? In a word, no. We’ll still continue to find ourselves besieged by the usual Trojan horses, spear-phishing spoofs, identity thefts, denial-of-service attacks, deepfake videos, and other miracles of our technological age. Google didn’t start the fire. Its choice of clever domain

Browser and antivirus vendors are already taking steps to stop the new domain names from getting out of control. For instance, Mozillazine.org maintains a database of “blacklist characters” that browsers should not accept in URLs. The number of banned bytes is now up to 188, with the inclusion of Unicode characters 2044 and 2215. Whether we know it or not, all of us benefit to some degree from Web block lists. They might be compiled by browser makers, by our company’s IT department, or by our own reticence to click on sites we’re not sure of. Those defensive measures help a great deal.
But staying one step ahead of hacker gangs is a never-ending battle, unfortunately. What should you do about new domains such as .zip and .mov? You or your company may want to block every site using these TLDs — except for specific ones you’ve investigated and found to be legitimate. This may be a case when a domain name should be considered guilty until proven innocent.
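The following checker, added here as an example and not code from the article or from any browser vendor, flags the three tricks the column describes (text before the “@” delimiter that browsers discard, the U+2044 and U+2215 slash look-alikes, and a host under a file-like TLD) and applies the “guilty until proven innocent” policy with an allowlist. The sample URL uses the column’s hypothetical v1271.zip host and is constructed for the demonstration.

```python
"""Flag URLs that use the deception tricks described above (added example)."""
from urllib.parse import urlsplit

# Slash look-alikes named in the column; ordinary "/" is not in this set.
LOOKALIKE_SLASHES = {"\u2044": "FRACTION SLASH", "\u2215": "DIVISION SLASH"}
# TLDs that read like file extensions; treat as blocked unless allowlisted.
FILE_LIKE_TLDS = {"zip", "mov"}


def inspect_url(url, allowlist=frozenset()):
    """Return a list of findings for `url`; an empty list means nothing was flagged."""
    findings = []
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        # urlsplit rejects some confusable characters in the host part outright.
        return [f"parser rejected URL: {exc}"]
    host = parts.hostname or ""
    # Browsers resolve the host from what follows the last '@' in the authority,
    # so everything before it (username/password) is ignored and can be decoy text.
    if parts.username is not None:
        findings.append(f"userinfo before '@' hides the real host {host!r}")
    for ch, name in LOOKALIKE_SLASHES.items():
        if ch in url:
            findings.append(f"{name} (U+{ord(ch):04X}) used as a fake slash")
    tld = host.rsplit(".", 1)[-1]
    if tld in FILE_LIKE_TLDS and host not in allowlist:
        findings.append(f"host {host!r} is under file-like TLD .{tld} and not allowlisted")
    return findings


# Constructed sample: looks like a GitHub archive link, but the only real "/"
# characters are after "https:"; the rest are U+2215, so the host is v1271.zip.
SAMPLE_URL = "https://github.com\u2215kubernetes\u2215kubernetes\u2215archive\u2215refs\u2215tags\u2215@v1271.zip"

if __name__ == "__main__":
    for finding in inspect_url(SAMPLE_URL):
        print("FLAG:", finding)
    print("real archive URL:", inspect_url(
        "https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip"))
```

Run the same `inspect_url` over a proxy log or a mail gateway’s extracted links to apply the column’s block-by-default advice; the allowlist is where investigated .zip or .mov hosts go.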
The PUBLIC DEFENDER column is Brian Livingston’s campaign to give you consumer protection from tech. If it’s irritating you, and it has an “on” switch, he’ll take the case! Brian is a successful dot-com entrepreneur, author or co-author of 11 Windows Secrets books, and author of the new fintech book Muscular Portfolios. Get his free monthly newsletter.
The AskWoody Newsletters are published by AskWoody Tech LLC, Fresno, CA USA.
Copyright ©2023 AskWoody Tech LLC. All rights reserved.