INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
The .zip gTLD: Risks and Opportunities
Published: 2023-05-12
Last Updated: 2023-05-12 20:35:34 UTC
by Johannes Ullrich (Version: 1)
About ten years ago, ICANN launched its new "gTLD" program. Generic TLDs allow brands and other applicants to register a string of their choosing, such as a trademark, as a top-level domain: instead of "google.com", you can now have ".google". Applying for a gTLD isn't cheap, and success isn't guaranteed, but since the program's inception hundreds of new gTLDs have been delegated and put into use.
The reputation of these new gTLDs has been mixed. On one hand, several very cheap TLDs emerged from the process and are frequently abused; .xyz or .top, for example, are popular for cheap "throw-away" domains. On the other hand, large companies such as Google use them as well (try: domains.google). Google submitted applications for several different gTLDs.
One of the more interesting gTLDs Google obtained is ".zip". This gTLD was approved in 2014 and has seen little use since then: the current zone file for ".zip" contains only 1,230 names. Zone files for many gTLDs, including .zip, are available through ICANN's "Centralized Zone Data Service" at czds.icann.org.
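Counting "names" in a CZDS zone file means separating real delegations from the apex, glue and DS records that share the file. The script below is an added example, not code from the ISC diary; it assumes the CZDS layout (one record per line, "owner TTL class type rdata", owners fully qualified with a trailing dot) and runs on a constructed zone fragment using reserved example names rather than real .zip registrations.

```python
"""Enumerate delegated second-level names in a CZDS-style zone file.

Added example for the ISC digest; not the diary's own code.
Assumes the CZDS line format: owner TTL class type rdata.
"""
from collections import Counter

# Constructed sample zone (hypothetical, RFC 2606/5737 names only).
SAMPLE_ZONE = """\
zip.\t3600\tin\tsoa\tns-tld1.example.net. hostmaster.example.net. 1 7200 3600 1209600 3600
zip.\t3600\tin\tns\tns-tld1.example.net.
zip.\t3600\tin\tns\tns-tld2.example.net.
example.zip.\t3600\tin\tns\tns1.example.org.
example.zip.\t3600\tin\tns\tns2.example.org.
update.zip.\t3600\tin\tns\tns1.example.com.
ns1.update.zip.\t3600\tin\ta\t192.0.2.10
; comment lines and blank lines must be ignored

invoice.zip.\t3600\tin\tns\tns1.example.com.
invoice.zip.\t3600\tin\tds\t12345 13 2 ABCDEF
"""


def parse_zone(text):
    """Yield (owner, rtype, rdata); owner lower-cased without trailing dot."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split(None, 4)
        if len(fields) < 5:
            continue  # malformed line; CZDS files are generated, so just skip
        owner, _ttl, _cls, rtype, rdata = fields
        yield owner.lower().rstrip("."), rtype.lower(), rdata


def delegated_names(text, tld="zip"):
    """Sorted second-level names that have an NS record directly under the TLD.

    Only NS records whose owner is exactly <label>.<tld> are delegations;
    the apex NS set, in-zone glue (A/AAAA) and DS records are not counted.
    """
    names = set()
    for owner, rtype, _ in parse_zone(text):
        labels = owner.split(".")
        if rtype == "ns" and len(labels) == 2 and labels[1] == tld:
            names.add(owner)
    return sorted(names)


def nameserver_counts(text, tld="zip"):
    """How many delegations each nameserver host serves (apex NS excluded)."""
    seen = set()
    for owner, rtype, rdata in parse_zone(text):
        labels = owner.split(".")
        if rtype == "ns" and len(labels) == 2 and labels[1] == tld:
            seen.add((owner, rdata.lower().rstrip(".")))
    return Counter(ns for _, ns in seen)


if __name__ == "__main__":
    print(len(delegated_names(SAMPLE_ZONE)), "delegated names")
    for ns, n in nameserver_counts(SAMPLE_ZONE).most_common():
        print(f"{n:5d}  {ns}")
```

Against a real download from czds.icann.org, pass the file contents to `delegated_names`; the nameserver tally is a quick way to see which registrars or hosters hold most of a small zone such as .zip.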
So what is the danger here?
Read the complete entry:
https://isc.sans.edu/diary/The+zip+gTLD+Risks+and+Opportunities/29838/
Ongoing Facebook phishing campaign without a sender and (almost) without links
Published: 2023-05-15
Last Updated: 2023-05-15 07:25:31 UTC
by Jan Kopriva (Version: 1)
At the Internet Storm Center, we often receive examples of current malspam and phishing e-mails from our readers. Most of them are fairly uninteresting, but some turn out to be notable for one reason or another. This was the case with several messages that Charlie, one of our readers, has submitted to us since the beginning of 2023.
At first glance, the messages appear to be fairly straightforward Facebook phishing e-mails. The HTML body of each message appears to always be the same: it states that a user just logged into the recipient's Facebook account from a new device and asks the recipient to verify whether the login was legitimate.
The overall layout of the message seems to mirror legitimate e-mails from Facebook (actually, it seems clear that the author of the phishing message began its development by copying a legitimate message and modifying it, but we’ll get to that later).
Read the complete entry:
Increase in Malicious RAR SFX files
Published: 2023-05-17
Last Updated: 2023-05-17 04:19:08 UTC
by Xavier Mertens (Version: 1)
This isn't a new attack vector, but I've found many malicious RAR SFX files in the wild over the past few weeks. An "SFX" file is a self-extracting archive: it contains compressed files wrapped in a small executable stub that decompresses them on the fly. The end user receives an executable file (a PE file) that can be launched without the need to install a specific tool to decompress the content. This technique has been used for a while by attackers, and, more interestingly, the self-extraction routine can launch any executable (another binary, a script, ...) once the content has been unpacked.
Most of the time, these files aren't detected as a known threat because the payloads (the embedded files) are compressed, and sometimes also encrypted if a password was used. They are, however, generally flagged as "suspicious". I wrote a simple YARA rule to detect such files...
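The structural trait a rule can key on is that a RAR SFX binary is an ordinary PE stub with a RAR archive appended after it, so the RAR marker block appears somewhere past the PE header. The checker below is an added example written for this digest, not the diary's YARA rule; it validates the MZ/PE headers, then searches for the RAR4 and RAR5 marker signatures, and runs on constructed stand-in bytes rather than a real SFX file.

```python
"""Detect PE files with an embedded RAR archive (RAR SFX stubs).

Added example, not the diary's YARA rule. Works on raw bytes so it can be
applied to mail attachments or files on disk alike.
"""
import struct

RAR4_MAGIC = b"Rar!\x1a\x07\x00"       # RAR 1.5 - 4.x marker block
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"   # RAR 5.x signature


def pe_header_offset(data):
    """Offset of the 'PE\\0\\0' signature, or None if this isn't a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return e_lfanew


def find_rar_sfx(data):
    """Return (rar_version, archive_offset) for a PE carrying a RAR archive.

    Returns None for non-PE input (e.g. a plain .rar) and for PE files with
    no RAR marker after the PE header, so a stray 'Rar!' inside the DOS stub
    region is not enough to trigger a hit.
    """
    pe_off = pe_header_offset(data)
    if pe_off is None:
        return None
    for version, magic in (("RAR5", RAR5_MAGIC), ("RAR4", RAR4_MAGIC)):
        idx = data.find(magic, pe_off)
        if idx != -1:
            return version, idx
    return None


def build_sample(magic):
    """Constructed stand-in for an SFX binary: minimal MZ/PE header, a fake
    stub, then the RAR marker and a dummy payload. Not a real executable."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew -> PE header
    stub = b"PE\x00\x00" + b"\x00" * 20 + b"SFX stub code..." * 4
    return bytes(header) + stub + magic + b"compressed payload"


def scan_file(path):
    """Convenience wrapper for files on disk."""
    with open(path, "rb") as fh:
        return find_rar_sfx(fh.read())


if __name__ == "__main__":
    print(find_rar_sfx(build_sample(RAR5_MAGIC)))   # hypothetical sample
    print(find_rar_sfx(build_sample(RAR4_MAGIC)))
    print(find_rar_sfx(b"Rar!\x1a\x07\x00plain archive"))
```

A hit is exactly what the diary calls "suspicious", not a verdict: legitimate WinRAR installers and vendor SFX packages match the same pattern, so treat the result as a triage signal and inspect the archive comment (where the SFX setup commands live) before deciding.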
Read the complete entry:
https://isc.sans.edu/diary/Increase+in+Malicious+RAR+SFX+files/29852/