New Top-Level Domains, .Zip and .Mov; Geacon Malware; and Google to Delete Dormant Accounts – Intego Mac Podcast Episode 292
New top-level domains use common file extensions, and this could lead to confusion, and dangerous downloads. Apple announces a new personal voice modeling feature. And Google warns dormant users: log in, or get shut out.
Voice Over 0:00
This is the Intego Mac Podcast—the voice of Mac security—for Thursday, May 18 2023.
This week’s Intego Mac Podcast security headlines include: how new domain names could be confused or abused with popular filename extensions. Apple presents new accessibility features ahead of its WWDC including “Personal Voice”, a personal voice-modeling feature. Google announces plans to deal with inactive Gmail accounts, time to check if all yours meet their usage requirements. And Apple reports on its efforts to reduce fraudulent transactions on the App Store. Now, here are the hosts of the Intego Mac Podcast, veteran Mac journalist, Kirk McElhearn, and Intego’s Chief Security Analyst, Josh Long.
Kirk McElhearn 0:53
Good morning, Josh, how are you today?
Josh Long 0:54
I’m doing well. How are you, Kirk?
Kirk McElhearn 0:56
I’m doing just fine. I’ve got a riddle for you today. Do you know what dot zip and dot mov are?
Josh Long 1:02
Well, yeah, if you had asked me, let’s say a week ago, I would have told you that those are filename extensions that are pretty common. Dot zip, of course, is ZIP archives, which is a compressed archive of a file or folder. And then dot MOV is typically associated with movie files, particularly QuickTime movies on the Mac.
Kirk McElhearn 1:22
Exactly. But that’s not the only way they’re used anymore, is it?
Josh Long 1:26
No. So there’s this thing that happened back in 2014: the dot zip and dot mov top-level domains, these are called TLDs, got registered. And that means that from that point forward, Google and, you know, limited partners of Google were able to use those domains. So for example, if they wanted to have Google dot zip, or Google dot mov, they would be able to do that. What happened this week is that Google has now made dot zip and dot mov available for everybody in the whole world; whoever wants to can now register those domains. And why is this a problem? Well, if you happen to use an email program, or maybe a social network, and you type something dot zip or something dot mov when you’re explaining to somebody about some file name, now your email app or your social network might automatically turn that into a link, which could go to a site that may potentially have been registered by some malicious person who’s trying to get malware out there, who’s trying to get phishing attacks out there. So this is kind of a problem.
Kirk McElhearn 2:41
So you’re saying that the person who registered “archive.zip” back in 2014, that domain could potentially be used for malware, because when you compress more than one file in the macOS Finder, it saves it as “archive.zip”. That’s the standard name. And if you want to change it to something easier to remember, you do that. But the default name is archive dot zip. And if you drag a file like that into Messages, and let’s say the person you’re sending it to isn’t on a Mac, right? So they’ve not got the, what do they have, they have the green bubble, not the blue one, they’ll see a link “archive.zip” rather than a link to a file. And that might take them to the website, archive.zip.
Josh Long 3:23
Exactly. Well, now, 2014, if it was registered back then, it wasn’t available to the general public at that point in time. (Kirk: Fair point.) If you go to archive dot zip in a browser right now, it’ll just tell you it’s under development, so somebody had an idea to use this domain, but they’ve never used it. Now, there are also a lot of domains that have been registered in the past week, such as “financialstatement.zip”. Kirk sent this one over to me; it’s kind of funny, because if you go to “financialstatement.zip” in your browser, it will say across the top, “The dot zip TLD sucks! And it needs to be immediately revoked”, with a rant by the person who registered this domain about why this is a terrible idea.
Kirk McElhearn 4:08
Well, it’s not even an expensive domain; you can get theJoshMeister dot zip for 14 pounds. I’m looking at UK prices. It’s probably $17.99 in the US. I looked up one of these domains the other day, and it was like $2,500. I don’t remember which, I think it was “kirk.esq”, because that’s another new top-level domain that Google has freed to the public. .dad, .esq, .prof, .phd, .nexus, .foo, and of course, .zip and .mov.
Josh Long 4:35
I’ve seen people complain about dot foo as well, because people have often used this as sort of a placeholder, you know, a joke, “this is never going to be a real domain” kind of thing. I saw a professor talking about how they used to use kung dot foo in examples. Now, well, they can’t use those anymore.
Kirk McElhearn 4:54
Well, if you go to kung dot foo, you get an animated image of Bruce Lee and a little subtitle, “High intensity coding challenges soon.” So someone’s having fun with these things. I thought of esq, because it’s “esquire”. That’s such a cool thing to have after your name. But the point we wanted to make, though, is be careful. If you see a file name with a dot zip, and you click on it, then this could be worrisome. A zip file should never open in a browser. If a zip file is expanded and it’s an HTML file, you’ll see the HTML file in the Finder. But the file won’t open itself.
Josh Long 5:29
And be very careful. Some of these domains have already, or at least one for sure, I saw a screenshot of a Microsoft phishing site that was hosted at one of these dot zip domains. So be very, very careful about that.
Kirk McElhearn 5:42
We’ve got a brief warning about a macOS vulnerability with the Telegram messaging app. Josh, explain what TCC is.
Josh Long 5:51
TCC stands for transparency, consent and control. And this is a thing in macOS that limits applications’ ability to do certain things like use your camera, use your microphone, record the screen, and things like that.
Kirk McElhearn 6:07
So these are the things that we have to click OK to 17 times when we install an app that’s going to use files on the Mac: it can access your Downloads folder, it can access your photos, it can access your camera, etc. These are all these new security reports we’ve had in the past couple of years, right?
Josh Long 6:24
There’s a vulnerability in the current version of Telegram from the Mac App Store that allows the TCC controls to be bypassed. Which basically means that if somebody knows how to exploit this vulnerability, and now the details are out there, they could potentially use your camera, they could potentially record your screen, they could potentially use your microphone, and other things that TCC is supposed to prevent apps from being able to do without your permission.
Kirk McElhearn 6:54
We’re doing this chat over Zoom, and I can see you, but when we’re not on Zoom, do you put duct tape over your camera on your Mac?
Josh Long 7:02
I do have two cameras because I have an external display. And I keep the one on the external display covered up at all times because I just don’t use it. The one built into my Mac, though, I do enough video conferencing that I don’t usually keep that one covered. But thankfully, the Mac now does have a little light that shows up next to the camera on all recent Mac models. As a matter of fact, Apple’s even been doing that a long time on the Mac; it took them a very long time to finally get to this on iOS and iPadOS, where it’s a software thing. It’s not actually hardware, a light that actually lights up.
Kirk McElhearn 7:36
And it’s a little red dot, which isn’t easy to see against the black background. On Macs, it’s green, and it’s quite bright. I’m seeing the one on my iMac. It’s piercing. On the iPhone, it’s not.
Josh Long 7:46
So the main thing to know about this is if you do use Telegram on macOS, just be aware that if you got it from the Mac App Store, it currently has this vulnerability. Hopefully this will be fixed in an upcoming version. If you really need to use Telegram on macOS, I have heard that the non-Mac App Store version doesn’t have this problem.
Kirk McElhearn 8:04
Apple has announced some new accessibility features. Now, the reason they announced it by press release is obviously the Worldwide Developers Conference, which opens in two weeks, is going to have so much new stuff that they won’t have time to present it. And anyway, this isn’t really the stuff they present on the main stage. These features cover a lot of different things, they say, coming later this year. So this is with the new operating system. But there’s one thing we want to talk about in particular; it’s called “Personal Voice”. And it’s designed, as Apple says, for people at risk of losing their ability to speak, such as those with a recent diagnosis of ALS or other conditions that can progressively impact speaking ability. You spend about 15 minutes reading randomized text prompts to your iPhone or your iPad. And the device creates a model of your voice. Now, there are many online services where you can upload a minute of audio and create a voice model. And I’ll link to an episode where we did this. And I created a voice model of Josh and had him read part of the Gettysburg Address. What’s different here is this is all done on the phone. And I don’t think you’ll be able to, like, say “read this article in my voice”; I think you’re going to be typing into something, and it’s going to convert it on the fly and send it, so let’s say maybe you’re making a phone call or you’re sending an audio text message or messages.
Josh Long 9:19
Right, exactly. Apple has indicated that this feature is specifically to be used for that purpose. It’s an accessibility feature. And so if you train it now, or, well, in the near future when this feature becomes available, and then at some point later you lose your voice, you’ll be able to use your phone to respond for you in your own voice. Of course, we were trying to think, is this a potential problem, right? What are ways that hackers could potentially use this against you? The best thing that we could come up with was just like Kirk just talked about, where he had a bot read the Gettysburg Address in my voice, sort of in my voice; he just used a couple of quick samples and gave it to ElevenLabs, and they quickly produced this output. If you were to pay a little more or use, like, a fancier version of the service, right, a more sophisticated version of a service like this, you could get some pretty good, pretty accurate outputs. So I imagine what you could do is, if you’re able to quickly get a response back from a site like this, you could train your Apple device using someone else’s voice. And that’s where things like this could get kind of interesting, because imagine that you are, I don’t know, you’re doing anything malicious. Recently, in the news, there was a story about how somebody was using artificial intelligence to reproduce the voice of a child. And they tricked the parent into thinking that the child had actually been kidnapped. Imagine, like, how bad guys could use this technology that’s now going to be built into every Apple device to do the very same thing. That’s a pretty big problem.
Kirk McElhearn 11:03
Well, it’s a lot of work. Apple has a screenshot in their press release showing the first phrase that you read to start training this, and it is number one of 150.
Josh Long 11:12
Right. They do say it takes 15 minutes to train it. And I think they said that it’s sort of randomly generated; I’m sure it’s not completely random, they probably have certain words that they frequently will ask you, because depending on your accent, you might pronounce it a little bit differently. They’re putting a little bit of a barrier to entry here. But for somebody who has their voice out in public, if you have a podcast or if you’re any kind of public figure, I imagine that there’s going to be a lot of people imitating your voice pretty soon using their Apple devices.
Kirk McElhearn 11:43
Speaking of AI, Steve Wozniak is back in the news. He’s saying that AI cannot be stopped and we must prepare for more convincing scams. And this is it. All of these things that can imitate someone’s voice, someone’s mannerisms, and deepfake videos, write convincing phishing emails. And, you know, we know that most phishing emails have poor grammar. This is going to be a big problem. We’ve been talking about this a lot. And I think this is something we’ll follow up on. I don’t know that he’s particularly well placed to talk about this. I mean, he’s been retired since, what, for 40 years or something. You know, he’s been out of Apple for a long time; he’s just been bouncing around on his own. I don’t know how much he does with AI. But he is a well-known name. And I think it’s important to pay attention to this, and we’ll be back to this in the future as more of these AI scams come around. In the meantime, this is not an AI voice reading an ad for Intego software, so we’ll be right back after the break.
Voice Over 12:40
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego Mac Premium Bundle X9 includes VirusBarrier, the world’s best Mac anti-malware protection, NetBarrier, powerful inbound and outbound firewall security, Personal Backup, to keep your important files safe from ransomware, and much more to help protect, secure, and organize your Mac. Best of all, it’s compatible with macOS Ventura and the latest Apple silicon Macs. Download the free trial of Mac Premium Bundle X9 from intego.com today, when you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode show notes at podcast.intego.com. That’s podcast.intego.com, and click on this episode to find the special discount link exclusively for Intego Mac podcast listeners. Intego, world-class protection and utility software for Mac users made by the Mac security experts.
Kirk McElhearn 13:55
In this week’s malware, we have an open source Cobalt Strike port called “Geacon”. Geacon is used in macOS attacks. Is it a hard G or a soft G, Josh?
Josh Long 14:06
I’m going to assume that this is probably to be pronounced Geacon [geek´-un] because it’s a Go language based beacon. So I’m gonna say Geacon [geek´-un].
Kirk McElhearn 14:17
Okay, and so what is Cobalt Strike that was ported to make Geacon?
Josh Long 14:20
Cobalt Strike, I think we’ve mentioned it before on the podcast. This is a commercial tool that is often abused by the bad guys.
Kirk McElhearn 14:30
Naughty bad guys.
Josh Long 14:31
The Cobalt Strike website, cobaltstrike.com, explains that it’s an adversary simulation and red teaming app. So let’s say you’re a penetration tester or you work for the red team, which is the adversary simulation, you know, like, let’s play through some scenarios and see what bad things we could do so that we can know how to properly defend on the other end, right. But the problem is the bad guys frequently will use pirated versions of Cobalt Strike and include it with malware. So they have their command and control domain. And now they’re using Cobalt Strike as malware to phone home and give them information and, you know, exfiltrate data and all those sorts of things.
Kirk McElhearn 15:14
So the usual malware.
Josh Long 15:17
Right. Well, this is what a lot of malware does. And you can imagine, you know, it kind of makes sense, I guess, to a lot of bad guys to just pirate Cobalt Strike. Well, of course, at the same time, a lot of antivirus software will now detect Cobalt Strike as being a potential red flag, right? We know it can be used legitimately. But very often, when you’re seeing this on somebody’s computer, it’s probably not there legitimately. It’s probably being used by malware. Geacon is this Go-based implementation of the beacon from Cobalt Strike, so they made their own version of it. And interestingly, it’s being used more often to target macOS devices. Now, there were some headlines about this. And so Geacon is a thing that’s out there. It’s just something to be aware of; it’s not necessarily something you need to be super concerned about. It’s going to be bundled into other malware. That’s kind of the thing to be aware of with this.
Kirk McElhearn 16:13
I see that it’s a freemium model. There are two versions: Geacon Plus, which is free and publicly available, and Geacon Pro, which is a private paid version, so you can download Geacon Plus to try it out. And then if you want to upgrade to Geacon Pro, you can use that.
Josh Long 16:27
Yeah. So again, it could have legitimate uses, but it’s also very likely that we’re going to see more of this in malware in the wild.
Kirk McElhearn 16:35
Okay, we’ve got a few Google stories this week. Google has announced that they are, quote, “updating our inactive account policies.” I never knew they had inactive account policies. Google is basically saying, if you haven’t logged into your Google account in two years, they may delete it. They’re not saying they’re definitely going to delete it. I don’t recall that Google’s ever done this before. And if you think how long Google has been around, and how many people have had throwaway Gmail accounts, and how many billions of Google accounts there are, I guess this is just, as our producer, Doug, said earlier, you haven’t cleaned up the garage since you moved into your house. Now you’re going to do it every year. And it kind of sounds like that, that they’re going to sweep out all the old stuff, and then maybe going forward, every now and then they’ll look at everything that’s older than two years.
Josh Long 17:20
Well, first of all, I should say the timing on this is impeccable, because it was only like a week or two ago that Elon Musk controversially tweeted that Twitter’s policy now is going to be that they’re going to start getting rid of old accounts to free up usernames for people. And it’s like, well, whoa, hold on a sec, because there’s a lot of public figures and even not public figures, you know, people passed away, and those accounts should be treated like special legacy accounts, right. At least in certain cases, it might make sense to do that. People have very sentimental reasons to be attached to some of these old accounts that are no longer being used. Well, now Google is kind of doing something similar to that. And then apparently, they didn’t take the clues from all the backlash against Elon Musk for this change in Twitter policy. I don’t understand why Google is doing this. But one of the concerning things is they don’t say in this blog post, or at least not in any way that’s clear to me, that what they’re going to do is make sure that these email addresses, for example, are closed permanently and never going to be reissued. They don’t say that. And that’s a real problem, because as we’ve mentioned before on the podcast, if you, for example, work for a company, let’s say that I worked for X company, and my email address was jlong at xcompany.edu. And by the way, I always intentionally use .edu whenever I’m talking about a hypothetical company, because .edu is a real thing. And it only can be registered by actual education organizations. And nobody’s ever going to register an .edu domain like that. So jlong at xcompany.edu. Now, let’s say that I don’t work for that company anymore. And a few years later, they hire somebody named Jane Long, and they want to reissue jlong at xcompany.edu. And that might seem okay.
Except the problem is that if people are still trying to send emails to jlong at xcompany.edu, then now Jane is going to start getting emails that were intended for me. Okay, so let’s bring this back to what Google is doing. Google is saying that they’re not doing this for enterprise, organizations that have domains set up with Google. So if you are a company that is using Gmail as your back end for your email, they’re not going to be getting rid of your accounts, no matter how old they are; you can choose, you know, whether you want to reuse them and all that kind of stuff. But they are going to do this for personal accounts, they say. So whatever your Gmail address is @gmail.com. Imagine that, you know, you have, again, a relative who passes away. And now obviously, nobody’s been logging into that account unless you log in on their behalf to check and see whether, you know, somebody is trying to send your deceased relative a message. But if you don’t have access to that, then now Google could potentially just shut down that account and completely, you know, remove it. That’s also potentially problematic because of things like Google Drive; you know, there are docs that are owned by a particular account that might be shared with yours. And so you might continue to have access to it. But once Google cuts off that account and removes that account, now those docs might go away forever.
Kirk McElhearn 20:40
One thing that Google mentions in their blog post is that abandoned accounts are at least 10 times less likely than active accounts to have two-step verification set up. So these accounts are more vulnerable to being hacked and being used for spam, identity theft, etc. So I think it’s a good thing that Google is doing this, because they’re going to warn people, they’re going to send them emails: if you want to keep your account active, just sign in at least once every two years. Is that too much to ask to have a free Google account?
Josh Long 21:05
So I’m going to play the devil’s advocate here. And I’m going to say yes, that is too much to ask, because some people may not necessarily log into their account, per se, in that way, right? Every couple of years, they may have an account set up that they only use on rare occasions. And they may not realize that they’re just going to lose everything because they haven’t logged into it for a while. So this is where it’s kind of a gray area, right? It’s kind of problematic.
Kirk McElhearn 21:33
But they’re still going to send people emails, multiple emails, to remind them to log in to say, download your stuff.
Josh Long 21:39
Okay, so what is Google’s goal? What are they actually trying to get out of this? Are they just trying to prevent people from hacking into old accounts that don’t have two factor authentication?
Kirk McElhearn 21:48
I think that’s part of it; it makes their security a little bit lighter. And maybe they’re trying to get rid of some old archives that are in the cold, cold archive storage to free up some data centers. Maybe it’s just having less cruft. It’s like clean out your garage, right?
Josh Long 22:02
I guess. I don’t know. I mean, Google doesn’t really explicitly say; they kind of open this blog post with “old accounts typically don’t have two-factor authentication”, but it’s like, what? So are you going to just start attacking other people’s accounts who don’t have two-factor authentication? You’re going to take away everyone’s account unless they use 2FA? I mean, why not?
Kirk McElhearn 22:25
Well, they could require two-factor authentication. Apple does now if you want to use a lot of their services. That’s one thing.
Josh Long 22:31
And maybe that doesn’t make sense, at least in certain circumstances. I have seen some people make the argument recently that, well, let’s say that you’re a child; you don’t have a physical device that is associated with you, you don’t have a phone number necessarily. And you may not have your own personal device, like you have an old iPhone, so you may not have a physical device that you can always have on you that you can use for two-factor authentication. You know, not everybody is also going to carry around a YubiKey, or something like that, on your keychain, not to mention that it can get damaged, and then you’re really in trouble. It makes me a little uncomfortable. I kind of get it. But at least now we’re letting our audience know. So you can be aware, if you haven’t logged into a Gmail account once in the past two years, you better do it soon. And you better make a calendar event or something to remind you to do it every so often.
Kirk McElhearn 23:24
Okay, Google is also dropping the padlock icon from the URL box in Google Chrome. Why would they do this? They say that it may actually be helping hackers phish information from their victims.
Josh Long 23:36
I know that there are a lot of people who are upset about the padlock going away. But according to Google’s testing, they’re seeing that most people kind of mistakenly assume that when they see the padlock, that means something beyond what it actually means. What it actually means is there is a secure connection between your browser and this website, whatever this website might actually be. And so almost all phishing sites actually use HTTPS now. And so they all get that little padlock that reassures people and gives them a false sense of security. So it doesn’t really matter that you have a secure connection to a phishing site, because now bad guys are going to get your information. So it’s misleading. And now that almost all sites on the web are using HTTPS anyway, it really, in Google’s opinion, does not make sense to keep that padlock there, especially when people are still confused about the meaning of that padlock.
Kirk McElhearn 24:36
So in Safari, when you click the padlock, you see a little dialog; it says “Safari is using an encrypted connection to”, et cetera. It explains what it is. It’s true that it could give more information. It talks about keeping information private, but it doesn’t say anything about malware. And maybe that dialog could be a bit more explicit.
Josh Long 24:55
Yeah, I know this is controversial. I know a lot of people are upset about the padlock going away, but I don’t think this is a terrible idea, especially because of that misconception about what it does. Now, what they’re replacing it with is a different icon that kind of looks like a Settings or Options button. And that’s basically what it does: it’ll give you some more information so you can tweak the things the site is able to do. It kind of makes sense. It’s a little bit awkward, right? It’s going to take a little bit of getting used to. And I’m really curious to see how soon or whether other browsers are going to adopt this. Like, I assume that anything that’s Chromium based is really likely to do the same thing. Safari and Firefox, I don’t know; we’ll have to see what they decide to do on this.
Kirk McElhearn 25:39
Okay, very quickly, we want to talk about an Apple press release that says that the App Store stopped more than $2 billion in fraudulent transactions in 2022. Apple deleted 428,000 developer accounts and 282 million customer accounts for fraud and abuse last year. Now, Apple deleted 802,000 developer accounts in the previous year. So that number is down, thanks, in part, as Apple says, to new methods and protocols that allow the App Store to prevent the creation of potentially fraudulent accounts. That sounds like there must have been a way to use bots to create accounts. 282 million customer accounts, that’s really interesting. I don’t know why you would create a fraudulent customer account.
Josh Long 26:21
Well, on the customer accounts, they do specifically say that those customer accounts were removed for fraud and abuse. They’re not really specific about that. But “fraudulent and abusive activity” is how they also word it. Probably what that means is, like, App Store reviews that are fake; it could mean other things, too, I suppose. But that’s probably the biggest one. Now, getting back to that 428,000 developer accounts. Kirk, you pointed out before we started recording that that’s theoretically $42.8 million.
Kirk McElhearn 26:50
Yeah, $100 per developer account. So that pays for a lot of people working on the App Store.
Josh Long 26:56
Yeah, so that’s kind of crazy. Now, I imagine a lot of those could have been registered with stolen credit card numbers or different things like that. I’m glad that Apple is taking steps in the direction of making it harder to create a fraudulent developer account, because it should hopefully at least somewhat reduce the amount of malicious apps that we’re seeing both in the App Store and also outside of the App Store.
Kirk McElhearn 27:22
But we don’t know how many of these developer accounts were deleted because they were trying to upload apps or maybe they were just downloading beta versions of Apple software and sharing them with other people.
Josh Long 27:33
Could be. Yeah, and of course, this really doesn’t solve all the problems, right? We still know that there are a lot of scammy apps in the Mac App Store, as we talked about recently. And somehow this stuff tends to still get past Apple’s review process. I have no idea how that’s possible. But it does. And so, yes, this is good. I’m glad Apple’s taking steps in this direction, but it doesn’t shut down all of the problems that they have.
Kirk McElhearn 28:00
And of course, Apple is releasing this information because of the pressure on them to allow third-party app stores on iOS, which we know is going to go through in the European Union sometime soon. So they’re trying to show how much better the App Store is, and maybe point out the kind of risk that we have from third-party app stores. But we’ll see. You know, the proof is in the pudding, as they say. Until next week, Josh, stay secure.
Josh Long 28:22
All right, stay secure.
Voice Over 28:25
Thanks for listening to the Intego Mac podcast, the voice of Mac security, with your hosts, Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us on Apple Podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like, or a review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode at podcast.intego.com The Intego website is also where to find details on the full line of Intego security and utility software: intego.com.
If you like the Intego Mac Podcast, be sure to rate and review it on Apple Podcasts.
Have a question? Ask us! Contact Intego via email if you have any questions you want to hear discussed on the podcast, or to provide feedback and ideas for upcoming podcast episodes.