this post was submitted on 10 Jul 2023
Asklemmy
The encoded string contains the URL zelensky dot zip. Zip is one of the newer top-level domains. It itself is not a zip file, but I am not going to visit that site to find out whatever treasures it has to offer. Another reason to block this TLD in the firewall solution.
Yea I've got both .zip and .mov blocked on my pihole
sorry i’m missing it. why this specific TLD? can’t they just use any TLD for this and achieve the same thing? is there something special with .mov?
sorry i’m missing it. why this specific TLD? can’t they just use any TLD for this and achieve the same thing? why is this a reason to block it?
Because .zip is a commonly used file extension.
i think i understand that part but why is this specific event "another reason to block this TLD"? can’t they just use any TLD for this and achieve the same thing? is there another inherent security issue with .zip that doesn't exist with other domains?
They can and they do. Using a commonly known and used file extension to “hide” a malicious URL is just easier.
https://www.youtube.com/watch?v=GCVJsz7EODA
Here is an alternative Piped link(s): https://piped.video/watch?v=GCVJsz7EODA
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I'm open-source, check me out at GitHub.
gotcha ok i think i’m getting it. just to make sure i’m not missing anything, you’re saying that in this case it didn’t matter as in the end they could use any TLD and achieve the same effect.
but in general, threat actors hope to confuse people into thinking these “.zip” TLDs are only referencing local files instead of web addresses. right?
Exactly!
Curl didn't return anything. They're likely just using it to log requests since the request path contains the data they need.
Not just that, it looks for a navAdmin cookie in your browser and sends that to zelensky(dot)zip/save/<your cookie here> in the form of a GET request.
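As an added example (not code from anyone in this thread), here is a small Python proxy-log scanner that applies the two observations above: it flags requests whose host ends in a TLD that doubles as a file extension (.zip, .mov), and raises the severity when the URL path itself carries name=value data, the shape of the /save/<cookie> request described in the last comment. The log format and every host and client address in it are constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample proxy log lines (made up for this example, not from the thread).
# Format: client method url status
SAMPLE_LOG = """\
10.0.0.5 GET https://github.com/owner/repo/archive/main.zip 200
10.0.0.7 GET https://update-notes.zip/save/navAdmin%3Dabc123 200
10.0.0.9 GET https://www.example.com/index.html 200
10.0.0.7 GET https://release-notes.mov/ 200
"""

# TLDs that double as common file extensions; the same two the pihole comment blocks
EXTENSION_TLDS = {"zip", "mov"}

LOG_RE = re.compile(r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def host_tld(url):
    """Return the last DNS label of the URL's host, or '' if there is none."""
    host = urlsplit(url).hostname or ""
    return host.rsplit(".", 1)[-1].lower() if "." in host else ""


def flag_request(line):
    """Return a finding for a request whose host ends in an extension-like TLD, else None.

    A file name in the path (main.zip on github.com) is not flagged; only the host's
    TLD matters, because that is where the "file or website?" confusion lives.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = m.group("url")
    tld = host_tld(url)
    if tld not in EXTENSION_TLDS:
        return None
    parts = urlsplit(url)
    # Second signal: a name=value pair inside the path (not the query string) looks like
    # data being carried out in the URL, the pattern the cookie comment describes.
    carries_data = "=" in unquote(parts.path)
    return {
        "client": m.group("client"),
        "host": parts.hostname,
        "tld": tld,
        "severity": "high" if carries_data else "medium",
    }


def scan_log(text):
    """Run flag_request over every line and return the list of findings."""
    return [f for f in (flag_request(ln) for ln in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```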