Beware the Sneaky Zipper! How a Tiny Trick in Your URL Can Unzip Trouble

Imagine you receive an email with a link that appears to be from a legitimate source, like Google Drive. The link might say something like “documents.google.com[.]zip” – notice the extra dot and “zip” at the end. This seemingly minor addition is what makes it dangerous. .zip was recently made available as a new top-level domain (TLD), which means that anyone can now register a website whose address ends in .zip instead of the more familiar .com or .co.uk, and a file name such as “report.zip” can now also be read as a web address.

Here’s the trick: a web address can carry a username (and password) in front of an “@” sign, an old-fashioned way of logging in through the URL. Every browser treats the text before the “@” as that username, not as the destination; the real website is whatever comes after the “@”. Attackers combine this with the .zip top-level domain and with special Unicode characters that look like a forward slash but are not treated as one. So, when you click the link, what appears to be “documents.google.com” followed by a path to a file might actually be directing you to a completely different .zip website designed to look like Google Drive.

How it steals your information

Once you land on this fake website, you might be prompted to log in with your Google account or download a file. If you enter your credentials, they’re stolen by the attacker. Similarly, downloading the file could install malware on your device, putting your personal information and data at risk.

This technique abuses the part of a URL that was designed for logging in: https://username:password@website. Everything between “https://” and the “@” is treated as login details, and the browser connects to the website named after the “@”. To make the fake username read like a real address with folders in it, the attacker replaces each forward slash with the Unicode character U+2044 (⁄). Whilst this looks very similar to a normal forward slash (/), if you look closely you can see they are slightly different. The difference matters to the browser: a normal forward slash marks the start of a sub-page and would end the address part of the URL, so the “@” trick would stop working, whereas U+2044 is just an ordinary character with no special meaning. This allows the perpetrator to build a link that reads as a legitimate path to a document on documents.google.com but actually sends the browser straight to their own .zip domain, which can serve a malicious zip file or a fake login page.
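To see what the browser actually does with such a link, here is a small script added to this article (it is not code from the original post and not from Google or any browser vendor). It runs under Node.js, which uses the same WHATWG URL parsing rules as modern browsers, and applies the “check the full URL” advice automatically: it reports the website the browser would really connect to, the decoy text hidden in the username, any slash lookalike characters, and a .zip ending. The sample link and the host name example-share.zip in it are constructed for illustration and are not real sites.

```javascript
// Added example: parse a lookalike link the way a WHATWG-compliant browser does
// and flag the tell-tale signs of the "@" + .zip trick. Node 18+, no network use.

// Unicode code points that render like "/" but are NOT the URL path delimiter.
const SLASH_LOOKALIKES = new Map([
  ["\u2044", "U+2044 FRACTION SLASH"],
  ["\u2215", "U+2215 DIVISION SLASH"],
  ["\uFF0F", "U+FF0F FULLWIDTH SOLIDUS"],
]);

// The parser percent-encodes non-ASCII userinfo; decode it back for display,
// but never throw on a malformed "%" sequence.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Inspect a link and report what the browser would actually connect to.
// Returns null if the string is not a parseable absolute URL.
function inspectLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return null;
  }
  // Everything before "@" is userinfo; no request is ever sent to that text.
  let userinfo = safeDecode(url.username);
  if (url.password) userinfo += ":" + safeDecode(url.password);

  const lookalikeSlashes = [];
  for (const [ch, name] of SLASH_LOOKALIKES) {
    if (href.includes(ch)) lookalikeSlashes.push(name);
  }

  const hostname = url.hostname.toLowerCase(); // the real destination
  const hasUserinfo = userinfo.length > 0;
  const zipTld = hostname.endsWith(".zip");
  return {
    hostname,
    hasUserinfo,
    userinfo,          // the decoy the victim reads as the domain and path
    lookalikeSlashes,
    zipTld,
    // A username that looks like a domain, fake slashes, or a .zip host after
    // an "@" are each strong signs of the trick described in the article.
    suspicious: hasUserinfo && (lookalikeSlashes.length > 0 || zipTld || userinfo.includes(".")),
  };
}

// Constructed sample (hypothetical host, not a real site). On screen it reads
// "https://documents.google.com/d/1A2b/report@example-share.zip", but the
// slashes are U+2044, so the browser connects to example-share.zip.
const DECOY = "https://documents.google.com\u2044d\u20441A2b\u2044report@example-share.zip";
// A genuine-looking link with real slashes for comparison.
const GENUINE = "https://documents.google.com/d/1A2b/report.zip";

function main() {
  for (const link of [DECOY, GENUINE]) {
    const r = inspectLink(link);
    console.log(link);
    console.log("  connects to:", r.hostname);
    console.log("  hidden userinfo:", JSON.stringify(r.userinfo));
    console.log("  lookalike slashes:", r.lookalikeSlashes.join(", ") || "none");
    console.log("  suspicious:", r.suspicious);
  }
}
main();
```

Run it with “node check-link.js” (any file name will do). For the decoy the real destination is example-share.zip, while for the genuine link the destination is documents.google.com and the “report.zip” part is simply a file name on the path, so a .zip ending in a path is harmless; it is a .zip in the website part, especially after an “@”, that should worry you.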

How can you protect yourself?

Below are some recommendations for keeping safe when dealing with suspicious or unfamiliar links. These checks could help save you from downloading malware or handing over your password:

  • Check the full URL: Don’t rely solely on what you see at the beginning of the address. Hover over the link (or long-press it on a phone) and read the whole address. An “@” symbol means everything before it is not the real destination; the website you will actually visit is the part after the “@”. Be especially wary of a website name that ends in “.zip” when the link is supposed to lead to a familiar service.
  • Be wary of unsolicited emails: Don’t click on links in emails unless you’re confident about the legitimacy of the request. If in doubt, open the service (for example Google Drive) by typing its address yourself rather than clicking the link.

By staying alert and understanding how these deceptive tactics work, you can significantly reduce the risk of falling victim to a .zip TLD phishing attack.

For Further Information or advice, please contact the Magikos IT Team or fill in the form below and we will contact you.

Tel: 01344 204019
Email: info@magikos.co.uk