147
What are these comments on lemmy posts?
(lemmy.sdf.org)
A loosely moderated place to ask open-ended questions
If your post meets the following criteria, it's welcome here!
Looking for support?
Looking for a community?
~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~
The encoded string contains the URL
zelensky dot zip
. Zip is one of the newer top-level domains. It itself is not a zip file, but I am not going to visit that site to find out whatever treasures it has to offer..Another reason to block this TLD in the firewall solution.
Yea I've got both
.zip
and.mov
blocked on my piholesorry i’m missing it. why this specific TLD? can’t they just use any TLD for this and achieve the same thing? is there something special with .mov?
sorry i’m missing it. why this specific TLD? can’t they just use any TLD for this and achieve the same thing? why is this a reason to block it?
Because .zip is a commonly used file extension.
i think i understand that part but why is this specific event "another reason to block this TLD"? can’t they just use any TLD for this and achieve the same thing? is there another inherit security issue with .zip that doesn't exist with other domains?
They can and they do. Using a commonly known and used file extension to “hide” a malicious URL is just easier.
https://www.youtube.com/watch?v=GCVJsz7EODA
gotcha ok i think i’m getting it. just to make sure i’m not missing anything, you’re saying that in this case it didn’t matter as in the end they could use any TLD and achieve the same effect.
but in general, threat actors hope to confuse people into thinking this “.zip” TLDs are only referencing local files instead of web addresses. right?
Curl didn't return anything. They're likely just using it to log requests since the request path contains the data they need.
Not just that, it looks for a
navAdmin
cookie in your browser and sends that tozelensky(dot)zip/save/<your cookie here>
in the form of a GET request.