Phishing using @-URL trick in DNS .zip domains

With Googles release of the DNS top-level-domains .zip and .mov a new phishing (mitre att&ck T1566) trick is possible as bobbyrsec wrote about.

Example 1

https://www.google.com/?q=example.text  <— FQDN = google.com

Example 2

https://www.google.com/example/text/@v1271.zip <— FQDN = google.com right? No, it is v1271.zip. Because the @ character describes e.g. the authentication of the URL.

Example 3

https://www.google.com/example/text/v1271.zip <— FQDN = google.com

Reason



Result

So doublechecking URLs becomes harder. Using Fido2, Passkeys or password-managers (e.g. bitwarden.com) with auto-fill becomes more important because they dont fall for that trick and are more phishing-resistant.

No comments:

Post a Comment

Cribl - Change values to lowerCase

Some logs (e.g. Microsoft Azure) sometimes are not fully normalized to all lowercase characters. You can use Cribl to adjust those values by...