Questionable TLD Now Available


Userlevel 7
Badge +20

Apologies if this falls foul of the community guidelines, but I believe this has far reaching implications to Veeam and beyond.

 

So, there’s a new TLD (Top Level Domain) on the block that everyone is starting to notice. .zip

Yep, that famous compression file extension is somehow a TLD. It has taken no time at all to weaponise. Domains such as officeupdate.zip have been claimed, and people in the infosec community have been trying to reserve potential attack vectors such as ps1.zip.

 

The worry is that legitimate emails will be written and reference an attachment such as “Veeamsupportlogs.zip”, and then the mail client will convert that into a hyperlink. Such functionality happens for other common TLDs in mail applications already. This could redirect legitimate traffic to malicious domains.

 

The reaction to this TLD is so strong that there are already calls to revoke the TLD completely. In the meantime the best defence is to block any connections to the TLD within your networks.

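The two concerns in the post, a mail client turning a plain attachment name into a link, and the suggested defence of blocking the TLD at the network edge, can both be checked mechanically. The following is an added example (not code from the original post or from Veeam): a small review helper that flags tokens in message text that an auto-linking mail client would treat as .zip or .mov hostnames, plus an egress-style check that decides whether a URL's host sits under one of those TLDs. The regular expression is an approximation of a mail client's auto-linker, not any particular client's rules, and the sample message is constructed for the example; the hostnames officeupdate.zip and ps1.zip are the ones named in the post.

```python
import re
from urllib.parse import urlsplit

# TLDs that collide with common file extensions. The thread names .zip and .mov;
# extend the set if your environment tracks others.
FILE_EXTENSION_TLDS = {"zip", "mov"}

# Approximation of what an auto-linking mail client matches: a dotted sequence
# of DNS-style labels whose last label is a colliding TLD. Assumed here as a
# stand-in for the real linkifier, which varies per client.
TOKEN_RE = re.compile(
    r"\b([A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9-]+)*\.(zip|mov))\b",
    re.IGNORECASE,
)


def find_linkifiable_filenames(text):
    """Return tokens in free text that end in a file-extension TLD and would
    therefore be rendered as clickable links by an auto-linking mail client.
    Useful as a pre-send or inbound mail-flow check: each hit is a place where
    a reader may click what the author intended as a file name."""
    return [m.group(1) for m in TOKEN_RE.finditer(text)]


def host_of(url):
    """Extract the lowercase hostname from a URL; bare hostnames are accepted too."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def is_blocked(url, blocked_tlds=FILE_EXTENSION_TLDS):
    """Egress-style policy check: True if the URL's host is under a blocked TLD.
    Only the final DNS label is inspected, so a .zip file served from an
    ordinary domain (example.com/backup.zip) is not blocked."""
    host = host_of(url)
    if "." not in host:
        return False
    return host.rsplit(".", 1)[-1] in blocked_tlds


# Constructed sample message: one attachment name and one video name that an
# auto-linker would turn into links, and one ordinary download URL that it
# would leave alone under this policy.
SAMPLE_MAIL = (
    "Hi, please find the logs in Veeamsupportlogs.zip and the recording in demo.mov.\n"
    "The installer is still at https://example.com/downloads/setup.tar.gz\n"
)


def review_message(text):
    """Summarise a message: which tokens would become links, and which of the
    resulting hostnames the egress policy would refuse."""
    tokens = find_linkifiable_filenames(text)
    return {tok: is_blocked(tok) for tok in tokens}


if __name__ == "__main__":
    for token, blocked in review_message(SAMPLE_MAIL).items():
        print(f"{token!r} would be auto-linked; egress policy blocks it: {blocked}")
    for url in ("https://officeupdate.zip/update", "ps1.zip",
                "https://example.com/files/backup.zip"):
        print(f"{url}: blocked={is_blocked(url)}")
```

Running the module prints both attachment-like tokens from the sample message as link candidates that the policy would block, while the .tar.gz download on example.com passes. The host check is deliberately on the final label only: blocking by TLD is the coarse control the post recommends, and it should be applied at the proxy or resolver rather than in mail text alone, since the link is created on the reader's side.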

7 comments

Userlevel 7
Badge +20

Wow wonder who thought that one up. Thanks for sharing.

Userlevel 6
Badge +6

Good catch @MicoolPaul, already seen the first attacks using .zip as Top Level Domain (TLD).

Overall, the worst ten TLDs for malicious domains, as of August of 2015, were:

  1. .zip (100.00%)
  2. .review (100.00%)
  3. .country (99.97%)
  4. .kim (99.74%)
  5. .cricket (99.57%)
  6. .science (99.35%)
  7. .work (98.20%)
  8. .party (98.07%)
  9. .gq (97.68%)
  10. .link (96.98%)

Not all new TLDs were bad neighborhoods. The .church TLD, for example, had 0.84 percent "shady" sites. The .london TLD had 1.85 percent; the older .tel had 1.6 percent. And the safest of all the new TLD neighborhoods is apparently .jobs, in which a mere 0.36 percent of domain names had any hint of suspicious intent. Of course, these low percentages may be because of a small sample rate—if your employer is running deep packet inspection on your Web traffic, you might be less likely to be visiting a .church or .jobs site from work.

Userlevel 7
Badge +20

This is interesting to see which domains cause issues.  Never realized there was so many. 😂

Userlevel 7
Badge +14

Who comes up with such ideas? Never thought about it but completely blocking some TLD could really make sense.

Userlevel 7
Badge +6

What a terrible idea….thanks for sharing!

Userlevel 7
Badge +20

And it gets worse! There’s a .mov TLD available too. I missed the articles around this, as I was so shocked by .zip.

 

Feels like we need a global agreement that TLDs of common file names mustn’t be permitted, we also need a way to differentiate between extensions & TLDs better.

Userlevel 7
Badge +13

That’s a really crazy idea that TLD 😅

“Prepare for trouble, make it double” cit.
