In the ever-evolving landscape of cybersecurity, new threats emerge constantly, requiring proactive measures to ensure the safety of online environments. A Canadian Shared Security Operations Centre (CanSSOC) advisory recently highlighted the potential risks associated with the misuse of top-level domains (TLDs). This article explores the concerns CanSSOC raised and presents an effective solution, CIRA DNS Firewall, that can help mitigate these risks.
Understanding the risks
The CanSSOC advisory emphasizes the introduction of eight new TLDs by Google in May 2023, including seemingly innocuous ones like .dad, .esq, .prof, .phd, .nexus, and .foo. However, it is the .zip and .mov TLDs that have captured the attention of the community. They are concerned because .zip and .mov are common file extensions, making them susceptible to misuse by malicious actors seeking to create convincing phishing links.
The advisory provides the following examples to illustrate the potential threats:
Consider this link, which leads to a legitimate zip archive hosted on GitHub and behaves as expected:
https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip
Now consider this deceptive link:
https://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1271.zip
This link will redirect the user to https://v1271.zip to launch a cyber attack. To make these phishing links appear authentic and deceive unsuspecting users, attackers leverage Unicode characters, particularly the @ symbol and the Unicode characters U+2044 (aka Fraction slash) and U+2215 (aka Division slash). The advisory also describes the clever tactic of altering the font size of the @ symbol to make it almost invisible. For example, the @ symbol in the above deceptive URL when reduced to font size 1 makes it look like the following:
In doing so, the @ symbol still functions as part of the URL but leads users to malicious destinations.
The technique used to form such deceptive URLs exploits the following two characteristics of URLs:
URL interpretation: everything preceding the @ symbol in a URL is considered user information, such as login credentials and everything after is treated as a hostname.
Unicode character bypass: forward slashes (/) are not allowed in user information and would cause the browser to interpret everything following the slash as the hostname. However, attackers circumvent this limitation by using Unicode characters U+2044 or U+2215 both of which resemble the regular forward slash (/) but aren’t treated as such by the browser. For example, the URL https://google.com∕gmail∕[email protected] would direct the user to bing.com instead of google.com, exploiting the Unicode character to deceive the user.
Techniques like this make it more challenging for users to identify potential threats and increase the probability of them unknowingly interacting with harmful content.
Debate among security researchers
The emergence of these new TLDs has sparked debate among security professionals regarding the level of risk they pose. While some argue that existing browser protections and defensive measures can adequately safeguard users, others believe that these new TLDs are making combatting cyber threats even more complicated. In fact, some .
All this comes while more and more Canadians worry about the risk cyber attacks pose to them. CIRA, to advance Canada’s national conversation about the internet’s role in our daily lives, publishes its Canada’s Internet Factbook survey on an annual basis. The 2023 factbook shows that concerns about malware have kept increasing consistently. Three-quarters (75%) of survey respondents are concerned about malware, up from 66% in 2022. In fact, 19% of the respondents say they have been the victim of a successful cyber attack. The survey also shows that over one-third of the respondents (34%) reported using cybersecurity tools or services to increase their online privacy and security.
How a DNS Firewall can help
A DNS security solution, such as CIRA DNS Firewall offered by , can effectively combat the threats the misuse of TLDs pose. This innovative service empowers IT professionals such as system admins and security operations personnel by allowing them to block specific TLDs at an enterprise level, including those that resemble common file extensions such as .zip and .mov. By implementing CIRA DNS Firewall, organizations gain greater control over their network’s security, minimizing the risk of falling victim to phishing attempts and other malicious The ever-increasing pace of such cyber attacks is simply impossible to match through manual human effort from network security admins who need to constantly update their list of blocked URLs and phishing emails. In contrast, a service such as CIRA DNS Firewall harnesses the power of security threat feeds generated regularly by the likes of CanSSOC, the Canadian Centre for Cyber Security and Cybertip, using artificial intelligence (AI), machine learning and data analytics in order to automatically update the block-list w Roughly 100,000 new domains get added to this list every day. Thus, a technology like this greatly helps strengthen the overall defense of an organization against the latest emerging threats which manual human effort can simply not match up to.
Conclusion
As the internet continues to evolve, so do the threats that jeopardize online security. The risks associated with the misuse of TLDs, particularly those resembling common file extensions, demand responses. CIRA DNS Firewall presents a practical and efficient solution to this growing concern. By empowering users to block specific TLDs, such as .zip and .mov, CIRA DNS Firewall equips individuals and organizations with the tools needed to safeguard their networks against phishing attempts and other malicious activities. CIRA DNS Firewall can help give you an edge in the constant battle against cyber threats.
Looking to get started with protected DNS?
Learn more about CIRA’s protected DNS solution, DNS Firewall, here.
