
> i love this example, having the domain automatically download a zip file that's the same name as the domain feels powerful

Did you and the GP just invent a new kind of phishing? Lmao. Go grab bitcoin-wallet.zip and start emailing people.

    Hi.  Here's the cold wallet with the $5 million you requested.  The password is 'password'.
Then 5 minutes later send a panicked looking email.

    Do NOT open the previous email.  It was sent to you by accident.  You are NOT authorized to view it.  DELETE IT NOW!
Haha.


It's worse than that. I'll send a legitimate email with an attachment named wallet.zip, and in the body say "download wallet.zip". Now the email client changes wallet.zip to a link. The email is not phishing. The <wallet.zip> site can be maliciously registered, knowing people will inadvertently mention "wallet.zip" in emails and may click the link.


Holy Carp! I didn't think about someone just registering all kinds of "normal" looking domain names: archive.zip, photos.zip, budget.zip, music.zip, etc.

Just register those domains and sit back and wait for people to come knocking on your door. It's a phishing dream!


This is why it's a stupid idea to automatically turn anything that doesn't start with a protocol specifier into a link.
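
To make the point in the comment above concrete, here is an added example (written for this page, not code from anyone in the thread or from any mail client): a naive autolinker that turns any `name.tld` token into a link, beside a strict one that only links text carrying an explicit scheme. The function names, the short TLD list and the sample email body are constructed for illustration and are assumptions, not the behaviour of a specific product.

```javascript
// Added illustration: naive vs. strict autolinking of a plain-text email body.
// NAIVE_TLDS is a hypothetical, deliberately short suffix list; real clients
// consult the public suffix list, which is exactly why "zip" now qualifies.
const NAIVE_TLDS = ["com", "org", "net", "zip", "mov"];

// Naive autolinker: any token shaped like host.tld becomes an http:// link,
// so a filename such as "wallet.zip" mentioned in prose turns into a link to
// whoever registered the wallet.zip domain.
function linkifyNaive(text) {
  const re = new RegExp(
    `\\b([a-z0-9-]+(?:\\.[a-z0-9-]+)*\\.(?:${NAIVE_TLDS.join("|")}))\\b`,
    "gi"
  );
  return text.replace(re, (m) => `<a href="http://${m}">${m}</a>`);
}

// Strict autolinker: only text that starts with an explicit scheme is linked.
// Bare filenames stay plain text, which is what the comment above argues for.
function linkifyStrict(text) {
  const re = /\bhttps?:\/\/[^\s<>"']+/g;
  return text.replace(re, (m) => `<a href="${m}">${m}</a>`);
}

// Helper for inspection: pull every href out of the generated HTML.
function extractHrefs(html) {
  const out = [];
  const re = /href="([^"]+)"/g;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Constructed sample email body: two filenames and one genuine URL.
const SAMPLE =
  "Please download wallet.zip and open it. Invoice photos.zip attached; " +
  "see https://example.com/help";

// With the naive rule both filenames become links to attacker-registrable
// domains (and it even mangles the real URL by linking "example.com" inside
// it); with the strict rule only the explicit https:// URL is linked.
console.log(extractHrefs(linkifyNaive(SAMPLE)));
console.log(extractHrefs(linkifyStrict(SAMPLE)));
```

The naive output also shows a second, smaller problem: the host-shaped regex fires inside the real `https://example.com/help` URL as well, so a client that wants to link bare hostnames has to at least skip tokens already inside a scheme-prefixed URL. The strict rule avoids both issues by construction.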



