.ZIP Domains are adding fuel to the fire. | A story about 3cx.zip | Cybersecurity News
- Jordan Albaladejo
- Jul 22
- 4 min read
Re-post from article written on May 24, 2023 (Original Post)
Topic: Cybersecurity News
Recently a new Top-Level Domain (TLD), “.zip”, has opened for general registration (it is operated by Google Registry, which launched it alongside “.mov”).

This TLD can now be easily and swiftly purchased through your favorite domain provider.
— The Backstory:
The controversy surrounding it lies in the naming convention of compressed “ZIP” files, which is commonplace in the ICT world. Even the layperson is familiar with the convention of naming compressed files and folders as “bluefolder.zip”.
— The Concern:
In a world where IT security professionals and system administrators are constantly bombarded with the need to train, reskill, and raise awareness about emerging threats among the general public, they are now faced with an additional task.
They must retrain the layperson to understand that .zip is no longer just a naming convention for compressed files and folders: it can also be the last label of a web address, and a mail client or chat application may turn any such name into a clickable link.
How well do you think this transition will be received?
Moreover, we are currently amidst the greatest cybersecurity threats of our time. Staff and employees alike are entrusted with the responsibility of recognising and differentiating between “dodgy” email links, domain names, spoofed domains, and impersonation attempts, among others.
The cybersecurity burden is too great and .zip has just added to this onslaught.
— The Accidental Payload:
So, what is a real-world example of how the .zip TLD becomes a concern?
Imagine this: your internal IT team sends you the latest draft plan as a compressed file over email. The folder is aptly named “BlueFolder”, and compressing it appends “.zip” to the name:
BlueFolder.zip (Yes this is safe to click for the curious)
The message body goes as follows:
“Dear John Doe,
We are writing to you with our latest, most up-to-date security audit and compliance folder of goodness, named “BlueFolder”. Inside you will find the company compliance checklist and multiple training documents to help you apply a more cyber-secure posture in your work at ECORP.
Please be sure to familiarise yourself with the contents of this folder.
Due to it being a folder and having multiple training documents, we have had to compress it. Please see BlueFolder.zip attached in email.
Kindest regards,
Your friendly Sys Admin.”
You see, even though the friendly sys admin said that the zip file is in the attachment area, the plain text “BlueFolder.zip” referencing it has been turned into a link by the mail client, because BlueFolder.zip is now a syntactically valid domain name.
In all likelihood the recipient of this email will click on it without thinking, because that takes less effort than finding the attachment and downloading it. Instead of opening the attached archive, they land on a website controlled by whoever registered bluefolder.zip.
Neither the sys admin nor the recipient has any idea what just happened. That is a concern. A big one.
— The Intentional Payload
But what about a cleverly crafted email that appears to come from a legitimate source and references a “real” attached .zip file?
If an unsuspecting recipient clicks on the linked text instead of navigating to the attached compressed file, they land on a brand-new, attacker-controlled website where a myriad of malicious activities could occur.
Ranging from a spoofed login page served over plain HTTP that harvests credentials, to a download of a trojanised installer named like the expected archive, to the usual browser-side attacks such as Cross-Site Scripting (XSS) launched from a page the victim now trusts, and more…
With this in mind, and in light of the recent 3CX supply chain attack, I thought it ripe picking to check whether 3cx(.)zip had already been securely taken away for security reasons.
*(Update: administration of this domain has since been returned to 3CX.)
However, to my surprise, on 23/05/2023 at 9:00pm (AEST) it was available, and I made sure to quickly secure it for less than $30, ensuring that some other, more sinister actor would not think like me, come along and pick it up for malicious purposes.
You see, this is how a domain such as 3cx(.)zip would be used.
The message body goes as follows:
“Dear John Doe,
We would like to inform you of a recent supply-chain attack that has affected the 3CX Desktop App. The App should be regarded as malicious and uninstalled immediately; we are working in the background to try to alleviate this issue before greater impact is made.
Please check that the 3CX Desktop App is uninstalled and install the newly updated and patched version at one of the links below:
www.contoso.com/?3cx(.)zip/3CX_App_Installer.msi
or
3cx(.)zip/3CX_App_Installer.msi
or
3cx(.)zip
Kindest regards,
Your Friendly Neighbourhood Hacker.”
*(Please understand that this is JUST an example, and NOT an endorsement to attack ANY company listed here or otherwise in this manner.)
Do you see the implications of this? It is too easy.
In fact, 3cx(.)zip is not alone: as of writing this article, multiple Fortune 500 businesses have their business name available as a .zip domain, starting from as low as ~$30/yr.
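To make the two scenarios above concrete, here is an added example (not code from the original post) that does what a mail gateway or a careful reader would do: find bare tokens such as “BlueFolder.zip” that a client may auto-link, and, for every URL in a message, compare the host a reader sees with the host a browser actually connects to. The sample message is constructed from the two illustrative emails in this post; the `https://www.contoso.com@3cx.zip/...` form is an extra case added here to show standard URL syntax (per RFC 3986, everything before `@` in the authority is userinfo, not the host). The literal `3cx.zip` is only parsed, never fetched.

```python
"""Spot .zip/.mov look-alike tokens and host confusion in e-mail text.

Added example, not code from the original article. The sample message is
constructed from the post's two illustrative e-mails; the "user@host" URL
is an extra case added here to show RFC 3986 userinfo parsing.
"""
import re
from urllib.parse import urlsplit

# TLDs that are also everyday file extensions (.zip and .mov are live gTLDs).
FILE_EXTENSION_TLDS = {"zip", "mov"}

# Bare token such as "BlueFolder.zip": label(s) of letters/digits/hyphens
# ending in one of the TLDs above, not glued to a URL or e-mail address.
BARE_TOKEN_RE = re.compile(
    r"(?<![\w@/.:-])([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.(?:zip|mov))(?![\w./-])",
    re.IGNORECASE,
)

# Anything that already looks like a URL: explicit scheme or leading "www.".
URL_RE = re.compile(r"(?:[a-z][a-z0-9+.-]*://|www\.)[^\s<>\"']+", re.IGNORECASE)


def effective_host(url):
    """Host a browser actually connects to (RFC 3986 parsing via urlsplit)."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def apparent_host(url):
    """First host-looking run of text a human reads after the scheme."""
    rest = url.split("://", 1)[-1]
    return re.split(r"[/?#@:]", rest, maxsplit=1)[0].lower()


def tld(host):
    return host.rsplit(".", 1)[-1] if "." in host else ""


def scan_message(text):
    """Report bare file-like tokens a mail client may auto-link, and every
    URL with its apparent host, effective host and the reasons to flag it."""
    urls = []
    for m in URL_RE.finditer(text):
        raw = m.group(0).rstrip(".,;:)")
        eff, app = effective_host(raw), apparent_host(raw)
        reasons = []
        if tld(eff) in FILE_EXTENSION_TLDS:
            reasons.append("host is on a file-extension TLD")
        if app != eff:
            reasons.append(f"reads as {app} but connects to {eff}")
        urls.append({"url": raw, "apparent": app, "effective": eff, "reasons": reasons})
    # Blank out URLs first so names inside their paths are not counted twice.
    stripped = URL_RE.sub(" ", text)
    tokens = sorted({m.group(1) for m in BARE_TOKEN_RE.finditer(stripped)}, key=str.lower)
    return {"bare_tokens": tokens, "urls": urls}


def _break_dot(m):
    name, ext = m.group(1).rsplit(".", 1)
    return f"{name}[.]{ext}"


def defang(text):
    """Outbound fix for the 'accidental payload': rewrite BlueFolder.zip as
    BlueFolder[.]zip outside real URLs so mail clients do not auto-link it."""
    out, pos = [], 0
    for m in URL_RE.finditer(text):
        out.append(BARE_TOKEN_RE.sub(_break_dot, text[pos:m.start()]))
        out.append(m.group(0))  # leave genuine URLs untouched
        pos = m.end()
    out.append(BARE_TOKEN_RE.sub(_break_dot, text[pos:]))
    return "".join(out)


# Constructed sample, stitched from the post's two example e-mails plus the
# added "user@host" URL. Nothing here is fetched; the strings are only parsed.
SAMPLE = """Dear John Doe,
Please see BlueFolder.zip attached in email.
Install the patched version at one of the links below:
www.contoso.com/?3cx.zip/3CX_App_Installer.msi
or https://www.contoso.com@3cx.zip/3CX_App_Installer.msi
or 3cx.zip
Kindest regards,
"""

if __name__ == "__main__":
    report = scan_message(SAMPLE)
    print("auto-linkable tokens:", report["bare_tokens"])
    for u in report["urls"]:
        print(u["url"], "->", u["effective"], u["reasons"] or "ok")
    print(defang(SAMPLE))
```

Run against the sample, the first link resolves to www.contoso.com (the 3cx.zip in its query string is just decoration), the second reads as contoso but connects to 3cx.zip, and the bare “3cx.zip” and “BlueFolder.zip” are exactly the tokens a client would turn into links. The `defang` step is the cheap outbound mitigation for the sys admin's email: break the dot and the name stays a filename.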
— Concluding Thoughts
By now you should see my point. .zip is misleading and creates confusion and a complacency of trust around security. Familiarity creates trust, and trust can be exploited… Unfortunately.
It has been said that the introduction of the new .zip and .mov TLDs, and others to come, will not introduce any further risk when it comes to individuals falling victim to phishing and scam attacks. But I disagree.
Just because there is an issue already, does not negate the risk for further exposure.
As well as this, the scope needs to be wider: .zip will not only feed phishing and scam threats, but will also give the URLs used in XSS and SSRF attacks better and more accessible obfuscation, since a link ending in .zip reads like a filename rather than a destination.
Let us rally together to make sure that fewer of these TLDs can be easily used for impersonation attempts, phishing, scams, obfuscation or any other malicious means.
Note to 3CX: Happy to hand over as needed, just didn’t want to see this in the wrong hands for <$30. (This has since been returned to administration of 3CX.)
— Cites and References
Written and edited by Jordan Albaladejo, owner of Ingest services, with partial editing assistance of the AI language model ChatGPT by OpenAI.
Our (BlueFolder_ZIP) YouTube Video: https://youtu.be/r2sohTlGtrI