Google’s New .Zip and .Mov TLDs Spark Phishing Fears by Experts

We are all familiar with websites that have suffixes such as .com, .net and .org. These suffixes are called top-level domains (TLDs) and as per the Internet Assigned Numbers Authority (IANA), there are nearly 1,500 different TLDs managed by various registries. Over the years, there has been an expansion in the list of TLDs with additions like .xyz, .io, .ai and more.

Though TLDs themselves are harmless, hackers and scammers often combine domain names and TLDs to create malicious websites and links. For example, there is nothing stopping a scammer from purchasing a domain name like ‘amazon12[.]net’ and using it to create a nefarious website or email addresses. 

TLD abuse is rampant in phishing campaigns where an email may appear to originate from an official email address but is actually sent from a copycat email ID, for example ‘order-update@amazon12[.]net’. These tactics work because when someone sees the name of a trusted brand in a URL or email address, they are more likely to click on links leading to malicious websites and files.

New ‘.Zip’ TLD Courts Controversy for Google 

In May 2023, Google Registry announced 8 new top-level domains, namely, .dad, .phd, .prof, .esq, .foo, .zip, .mov and .nexus. Cybersecurity experts raised flags about two of these TLDs - .zip and .mov - for being easily exploitable by hackers, scammers and spammers.

The criticism stems from the fact that .Zip and .Mov are two of the most popular computer file format extensions. TLDs being identical to file extensions is an existing problem - .com is also an executable file format, the Polish extension .pl also represents Perl scripts and .sh represents both Saint Helena and Unix shell scripts. However, the ubiquity of .zip and .mov file formats makes these new TLDs a lot more potentially harmful. 

.Zip is the file extension for compressed file archives and .Mov is one of the most common video file extensions. These file types are often included in email attachments and therefore a cybercriminal could theoretically purchase a .zip domain with the same name as a commonly used filename, such as “report.zip“ and direct victims via email to a phishing site containing malware. 

The threat is magnified when messaging platforms and social media sites automatically convert file names with .zip and .mov extensions into URLs. In the below example of Twitter, sending someone instructions on opening a zip file and accessing a MOV file leads to the filenames being converted into URLs.

Source: BleepingComputer

.Zip TLD Already Being Used for Phishing Lures

Netcraft investigated existing .Zip TLD registrations and confirmed that there is already evidence of fraudulent activity. The investigation uncovered 5,000 registered domains using .zip and phishing attacks were discovered on five of these domains impersonating brands such as Google, Microsoft and Okta.

microsoft-office[.]zip initially displayed ‘This is not a microsoft page’ before being modified to resemble an actual Microsoft sign-in page an hour later.

Sign-in panels displayed on microsoft-office[.]zip (Source: Netcraft)

There are many domains registered which are likely to be bad faith registrations, including:

• Domains containing known brand names
• Domains that mention ‘installer’ or ‘update’
• Domains that mention banks by name, such as bankofamericasecurities[.]zip
• URLs such as ‘attachment[.]zip’ or ‘video[.]mov’ that can plausibly be included in emails where the victim expects to download a file, but is linked to the domain instead
  Domains that contained or redirected to a .zip file. At least two were zip bombs deployed to disable antivirus software.

Google responded to concerns regarding the .zip domain with the following statement.

"The risk of confusion between domain names and file names is not a new one.  For example, 3M’s Command products use the domain name command.com, which is also an important program on MS DOS and early versions of Windows. Applications have mitigations for this (such as Google Safe Browsing), and these mitigations will hold true for TLD’s such as .zip.

At the same time, new namespaces provide expanded opportunities for naming such as community.zip and url.zip. Google takes phishing and malware seriously and Google Registry has existing mechanisms to suspend or remove malicious domains across all of our TLDs, including .zip. We will continue to monitor the usage of .zip and other TLDs and if new threats emerge we will take appropriate action to protect users."

Though there have been calls to Google for revoking these new TLDs due to potential abuse, it looks like they are here to stay. Always check links carefully before clicking them and avoid clicking on links in emails and text messages.