Comment

Comment on Welcome to Lemmy.zip

<- View Parent

possiblylinux127@lemmy.zip ⁨3⁩ ⁨weeks⁩ ago

It seems more like a issue with applications honestly

DNS shouldn’t be the source of a compromise

source

Sort:hotnew top

swizzlestick@lemmy.zip ⁨3⁩ ⁨weeks⁩ ago
And a TLD shouldn’t be so easy to mistake for one of the most recognisable filetypes ever, yet here we are. Well made apps discern between a zip file and a zip web address without issue. The problem, as usual, is in the human element:

Register a zip domain called holidayphotos2025.zip, 2025ProductData.zip or whatever hook you’re going for.

Serve up whatever malicious garbage you like on it. Spoofed login pages, browser exploits, anything goes.

Email it out from an already compromised account to all account contacts, removing the https component of the link text. Bonus points for imitating how an attachment would look in the target email client.

Watch the clicks roll in as people try to open the ‘attachment’.

Having .zip in the string and in the link visible on hover could be all that is needed to ‘sell’ it to a user that makes a cursory glance before clicking - nevermind the ones that just click anyway. Plenty of folk have fallen for more obvious traps than that, so it’s a winner for a bad actor. Any trick that lends legitimacy to a scam increases the chance of success. Users savvy enough to check but not enough to spot the discrepancy may also have more data interesting to an attacker.

Blocking .zip TLDs wholesale at DNS level kills this even if the first and hardest hurdle (getting the user to click) is cleared. I’ll concede that it is an edge case in the grand scheme of things, but why leave the hole open when it is so easily plugged?
source
- possiblylinux127@lemmy.zip ⁨3⁩ ⁨weeks⁩ ago
  I still don’t see how that is an issue. If someone clicks on a link from a email and then gets compromised there is a bigger issue.
  
  source
  - swizzlestick@lemmy.zip ⁨3⁩ ⁨weeks⁩ ago
    Throw enough people at something, and one of them will fail. The more people, the higher the chance.
    
    Perfect people in a perfect world would not need fire extinguishers, seatbelts, helmets, endpoint protection software, or TLD level blocks. You can try to train the problem out of people, but the threat still exists, mistakes can be made, and the next 0day might be just around the corner.
    
    I’m not a fan of sorting people problems out with tech based solutions either - I see your point. The pragmatist in me will take that over dealing with the fallout of user error though.
    
    source