The new ".zip" domain is being used almost solely for malware. Some of the clicks are very deceptive, even to technically knowledgeable people. See the attached image for an example.

You can block all zip domains with the following uBlock Origin rule under My Filters:

||zip^

Tell everyone you know.

@suprjami

The slashes in the path part of the first url look different than the slashes in the scheme and everywhere in the second url. So my guess is that the first url is the malicious one.

I would have missed it if I hadn't been looking for a difference though. Thanks for the info.

@bjb @suprjami interesting view - you're right about which one's malicious but not right about why... sort of

the first URL has an @ symbol in it before the v1271[dot]zip. the @ symbol in a URL is actually a separator between user and URL (you could have "username:[email protected]") so the first one tries to log in as "https://github.com/....." at (@) v1271[dot]zip - so in actual fact the website you're going to is v1271[dot]zip, not github at all.

what you say about the slashes is interesting though, as whatever is styling the URL is almost helping highlight the problem. the correct link is completely a link, so all slashes are styled the same, but the malicious link isn't completely a link so some slashes are styled differently to the actual link ones.

man this is hard to explain, I know you're fairly techy so I skipped some explanation, but try explaining that to a regular person!

Edit: removed dots in URLs to prevent unintended visits.
also sorry, didn't realise this comment was a month old... you probably know all this by now

@paul @bjb @suprjami the fake slashes are critical to the attack. They become part of the basic auth user name. If they were real slashes, the browser would treat them as part of the path.

@chucker @bjb @suprjami interesting and a really good point! I hadn't considered that.

Imagine trying to explain that to somebody who had just downloaded the malware though!
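
Added example, not part of any post in this thread: a small link check that parses a URL the way a browser does (WHATWG `URL`), reports the host that would actually be contacted, and flags the userinfo and lookalike-slash pattern discussed above. The function names, the list of lookalike characters and the sample URLs (reserved `.example` host) are constructed for illustration.

```javascript
// Added example; not code from the thread. Sample URLs below are constructed.
// Characters that render like "/" but are not path separators:
// fraction slash, division slash, big solidus, fullwidth solidus.
const SLASH_LOOKALIKES = /[\u2044\u2215\u29F8\uFF0F]/;

// The parser percent-encodes userinfo; decode it for inspection,
// falling back to the raw value if it holds a malformed % sequence.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

function inspectUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { host: null, userinfo: null, findings: ["unparseable"] };
  }
  const userinfo = safeDecode(url.username) +
    (url.password ? ":" + safeDecode(url.password) : "");
  const findings = [];
  if (userinfo) {
    // Anything before "@" in the authority is credentials, not the site.
    findings.push("userinfo-present");
    if (SLASH_LOOKALIKES.test(userinfo)) findings.push("slash-lookalike-in-userinfo");
    if (/[a-z0-9-]+\.[a-z]{2,}/i.test(userinfo)) findings.push("userinfo-resembles-hostname");
  }
  return { host: url.hostname, userinfo: userinfo || null, findings };
}

// Constructed samples: the first uses U+2215 instead of "/" before the "@".
const DECEPTIVE =
  "https://github.com\u2215example\u2215project\u2215archive\u2215refs\u2215tags\u2215@download.example";
// Same text with real slashes: the "@" lands in the path and the host stays github.com.
const REAL_SLASHES = "https://github.com/example/project/archive/refs/tags/@download.example";
const LEGIT = "https://github.com/example/project/archive/refs/tags/v1271.zip";

for (const u of [DECEPTIVE, REAL_SLASHES, LEGIT]) {
  const r = inspectUrl(u);
  console.log(r.host, r.findings.join(",") || "ok");
}
```
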