Phishing using @-URL trick in DNS .zip domains

With Google's release of the DNS top-level domains .zip and .mov, a new phishing trick (MITRE ATT&CK T1566) is possible, as bobbyrsec wrote about.

Example 1

https://www.google.com/?q=example.text  <— FQDN = google.com

Example 2

https://www.google.com/example/text/@v1271.zip <— FQDN = google.com, right? No, it is v1271.zip, because the @ character separates the userinfo part of the URL (e.g. authentication credentials) from the actual host.

Example 3

https://www.google.com/example/text/v1271.zip <— FQDN = google.com
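Added example (not from the post or from bobbyrsec's writeup): running the URLs above through Python's standard URL parser shows which host each actually points to and flags the signals a mail gateway or link checker could alert on. With plain ASCII slashes a standards-conforming parser ends the authority at the first "/", so the "@" in example 2 as printed lands in the path and the host stays www.google.com; the fourth, constructed sample assumes the separators before the "@" are look-alike characters (U+2215 DIVISION SLASH), which is what makes the host become v1271.zip.

```python
from urllib.parse import urlsplit

# Code points that render like "/" but are not the ASCII path delimiter, so a
# parser keeps them inside the authority (constructed, non-exhaustive list).
LOOKALIKE_SLASHES = {"\u2044", "\u2215", "\u29f8"}  # FRACTION, DIVISION, BIG SOLIDUS

# TLDs that double as file extensions, the subject of the post.
FILE_LIKE_TLDS = {"zip", "mov"}


def inspect_url(url: str) -> dict:
    """Return the effective host of `url` plus the signals a defender can alert on."""
    parts = urlsplit(url)            # RFC 3986-style split: authority ends at first "/"
    netloc = parts.netloc
    host = parts.hostname or ""      # text after the last "@" in the authority, lowercased
    lookalikes = sorted({c for c in netloc if c in LOOKALIKE_SLASHES})
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    return {
        "host": host,
        "userinfo": parts.username,  # the part a reader mistakes for the host
        "has_userinfo": "@" in netloc,
        "lookalike_slashes": lookalikes,
        "file_like_tld": tld in FILE_LIKE_TLDS,
        "suspicious": "@" in netloc or bool(lookalikes) or tld in FILE_LIKE_TLDS,
    }


def describe(url: str) -> str:
    """One-line verdict for a URL, e.g. for a link-rewriting proxy's log."""
    r = inspect_url(url)
    verdict = "SUSPICIOUS" if r["suspicious"] else "ok"
    return f"{verdict}: host={r['host']} userinfo={r['userinfo']!r}"


if __name__ == "__main__":
    samples = [
        "https://www.google.com/?q=example.text",            # example 1
        "https://www.google.com/example/text/@v1271.zip",    # example 2 as printed
        "https://www.google.com/example/text/v1271.zip",     # example 3
        # constructed: example 2 with U+2215 DIVISION SLASH in place of "/"
        "https://www.google.com\u2215example\u2215text\u2215@v1271.zip",
    ]
    for s in samples:
        print(describe(s))
```

Browsers follow the same rule: the authority ends at the first real "/", so a link that looks like a path but still ends up at another host must contain a look-alike separator or an "@" in its authority, both of which this check reports.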

Reason



Result

So double-checking URLs becomes harder. Using FIDO2, passkeys or password managers (e.g. bitwarden.com) with auto-fill becomes more important, because they don't fall for that trick and are more phishing-resistant.
