Are they just an issue with wefwef or trying to use an exploit

  • @[email protected]
    link
    fedilink
    English
    71 year ago

    The encoded string contains the URL zelensky dot zip. Zip is one of the newer top-level domains. It itself is not a zip file, but I am not going to visit that site to find out whatever treasures it has to offer…

        • @[email protected]
          link
          fedilink
          -131 year ago

          sorry i’m missing it. why this specific TLD? can’t they just use any TLD for this and achieve the same thing? is there something special with .mov?

          • @[email protected]
            link
            fedilink
            41 year ago

            It’s because it can cause confusion. The only difference between example.com/file.zip and example.com.file.zip is one uses a . and the other a / but both are valid domains. If somebody isn’t paying much attention or they don’t know much about domain names, they could click thinking to get a zip file from a legitimate site and end up going somewhere malicious instead. No other TLDs have this issue (well, I guess .com technically has it but who the hell is downloading and running com files these days) and they’re pretty much exclusively used for this reason so it’s a good idea to block them just to be safe.

            • @assa123
              link
              21 year ago

              sorry, I didn’t saw your answer and also replied! I didn’t remember that (.)COM was also a file extension, but now, thanks to your reminder, I will play some DOS games ;)

          • @assa123
            link
            21 year ago

            since .zip and .mov are recognizable file extensions, a url of the form google.com.docs.zelensky.zip could make people think that the domain is google.com pointing to a zip instead of the true domain, zelensky (dot) zip which probably would serve malicious content under that subdomain.

      • @[email protected]
        link
        fedilink
        -14
        edit-2
        1 year ago

        sorry i’m missing it. why this specific TLD? can’t they just use any TLD for this and achieve the same thing? why is this a reason to block it?

          • @[email protected]
            link
            fedilink
            -141 year ago

            i think i understand that part but why is this specific event “another reason to block this TLD”? can’t they just use any TLD for this and achieve the same thing? is there another inherit security issue with .zip that doesn’t exist with other domains?

              • @[email protected]
                link
                fedilink
                -131 year ago

                gotcha ok i think i’m getting it. just to make sure i’m not missing anything, you’re saying that in this case it didn’t matter as in the end they could use any TLD and achieve the same effect.

                but in general, threat actors hope to confuse people into thinking this “.zip” TLDs are only referencing local files instead of web addresses. right?

                • 𝘋𝘪𝘳𝘬
                  link
                  fedilink
                  21 year ago

                  but in general, threat actors hope to confuse people into thinking this “.zip” TLDs are only referencing local files instead of web addresses. right?

                  Exactly!

    • 𝙚𝙧𝙧𝙚
      link
      fedilink
      English
      21 year ago

      Curl didn’t return anything. They’re likely just using it to log requests since the request path contains the data they need.

    • Gellis12
      link
      fedilink
      11 year ago

      Not just that, it looks for a navAdmin cookie in your browser and sends that to zelensky(dot)zip/save/<your cookie here> in the form of a GET request.