The potential danger of the new Google .zip top-level domain
How much should the average end user be concerned about the new .zip and .mov TLDs? They aren't as bad as some make them out to be, but it's still worth doing something about them.
The release of two new top-level domains has sparked controversy among members of the infosec community worried about how the TLDs could be used by malicious actors.
On May 3, Google Registry announced the general availability of several new TLDs, including .dad, .nexus, .zip and .mov. The latter two were immediately flagged as potential cybersecurity issues by infosec practitioners because they're common file extensions, though others in the industry aren't quite sure what the big deal is.
Let's look at the announcement and what it means for users, as well as if there is cause for concern.
Why .zip is a bad idea
The Internet Corporation for Assigned Names and Numbers (ICANN) governs TLDs but delegates some authority to specific organizations, Google being one of them. The ICANN program allows brands to register their own trademark as a generic TLD (gTLD), such as .google. Google applied for dozens of gTLDs in 2014, with .zip being one of them. As of May 17, 2023, 5,000 .zip domains had already been registered. Some infosec researchers bought these domains to educate end users or to sit on potentially popular URLs. One example is bank-statement[.]zip, which warns users about the dangers of the .zip TLD.
Since Google's announcement, many infosec pros voiced concern that the TLDs could be used to trick end users into visiting malicious websites. Sites, messaging platforms and other applications can now automatically convert file names with .zip into URLs, which could lead to users clicking them and visiting phishing sites that infect them with malware.
For example, malicious actors could send phishing emails with an attachment that says, "I've attached pictures[.]zip." Recipients could click the automatically created link thinking they would be downloading the file via the link, rather than being sent to a website. Alternatively, because recipients believe the link was sent by someone they trust, they may go to the URL and be infected by malware -- provided an attacker is squatting on the domain.
There are already suspicious .zip websites online. Threat intelligence vendor Silent Push Labs discovered two potential phishing .zip TLDs designed to look like Microsoft Office sign-in pages.
"Potential @Microsoft phishing page abusing the new .zip top-level domain. Hosted on 151.80.119[.]120 → AS16276 @as16276" -- Silent Push Labs (@silentpush_labs), May 13, 2023
Phishing for credentials is a major concern, but Ines Vestia, senior threat analyst at Silent Push Labs, said the bigger worry is malware.
"I wouldn't see credential phishing as the main threat," Vestia said. "I would definitely see the main threat being malware downloads. That's why .zip is problematic. It is associated with large files that have been compressed. If the threat actor combines this with popular software download naming conventions, the results will be quite devastating."
But not everyone is worried that end users will click on .zip URLs. Given that .zip is generally associated with file downloads, which are already a malware concern, more cautious end users may not click those URLs without first checking whether they're safe. Additionally, it's not the first time a TLD has matched a file extension -- remember that .com is also the extension of an executable file format used in MS-DOS and Windows.
Eric Lawrence, principal software engineer at Microsoft, wrote in his blog that squatting on URLs such as VacationPhotos[.]zip and hoping someone sends emails mentioning the file extension isn't very exciting as an attack vector.
"I remain unconvinced that normal humans type file name extensions in most forms of communication," Lawrence wrote. Still, he conceded that it might be best not to automatically hyperlink .zip TLDs to reduce the chances of this attack vector.
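The suggestion to stop auto-hyperlinking .zip and .mov TLDs can be implemented in any client or server that renders plain text into links. The following Python linkifier is an added example, not code from the article or from any of the vendors it quotes: it links a bare hostname only when its TLD is not a file-extension lookalike, and still links a token when the author typed an explicit scheme, so a sentence like "I've attached pictures.zip" stays plain text while "https://community.zip/about" remains clickable. The regular expression, the two-entry TLD list and the sample strings are assumptions made for this example.

```python
import re
from html import escape

# TLDs that collide with common file extensions. Only the two named in the
# article are listed; an organization would extend this set as it sees fit.
FILE_EXTENSION_TLDS = frozenset({"zip", "mov"})

# Matches an optional http(s) scheme, a dotted hostname, and an optional
# port/path. A scheme is the signal that the author meant a URL.
URL_RE = re.compile(
    r"(?P<scheme>https?://)?"
    r"(?P<host>(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63})"
    r'(?P<rest>(?::\d+)?(?:/[^\s<>"]*)?)',
    re.IGNORECASE,
)


def should_autolink(scheme, host):
    """Return True when a matched token may safely be turned into a hyperlink.

    An explicit scheme is always honoured. Without one, a hostname whose TLD
    looks like a file extension is left as plain text, because a reader would
    reasonably assume it names an attachment rather than a website.
    """
    if scheme:
        return True
    tld = host.rsplit(".", 1)[-1].lower()
    return tld not in FILE_EXTENSION_TLDS


def linkify(text):
    """HTML-escape `text` and wrap safe URL-like tokens in <a> tags."""
    out = []
    pos = 0
    for m in URL_RE.finditer(text):
        out.append(escape(text[pos:m.start()]))
        raw = m.group(0)
        if should_autolink(m.group("scheme"), m.group("host")):
            href = raw if m.group("scheme") else "http://" + raw
            out.append(f'<a href="{escape(href, quote=True)}">{escape(raw)}</a>')
        else:
            out.append(escape(raw))  # keep the file-name-looking token inert
        pos = m.end()
    out.append(escape(text[pos:]))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample messages, not real correspondence.
    for msg in ("See attached pictures.zip",
                "docs at example.com",
                "see https://community.zip/about"):
        print(linkify(msg))
```

The design choice is deliberate asymmetry: suppressing a link costs the reader one copy-and-paste, while auto-linking a file name hands the click to whoever registered that name.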
Google explained the addition of .zip and the other new TLDs:
The risk of confusion between domain names and file names is not a new one. For example, 3M's Command products use the domain name command.com, which is also an important program on MS-DOS and early versions of Windows. Applications have mitigations for this, such as Google Safe Browsing, and these mitigations will hold true for TLDs such as .zip. At the same time, new namespaces provide expanded opportunities for naming, such as community.zip and url.zip. Google takes phishing and malware seriously, and Google Registry has existing mechanisms to suspend or remove malicious domains across all of our TLDs, including .zip. We will continue to monitor the usage of .zip and other TLDs, and if new threats emerge, we will take appropriate action to protect users.
How to mitigate malicious TLD attacks
Given that .zip and .mov TLDs only recently became available, now is the time for organizations and security teams to decide how to handle them and any threats they pose.
As with any potentially malicious TLD, the easiest way to prevent issues is to block suspicious domains from resolving. This can be done in a few ways. Security teams could create a Windows Firewall policy to block .zip and any other TLDs the organization doesn't use. Another method is to use Name Resolution Policy Table rules in Windows Server 2012. Specific TLDs can also be blocked in Outlook via the blocked senders setting.
Blocking .zip and .mov has largely been recommended by many in the infosec community -- for now. Johannes Ullrich, dean of research at SANS Technology Institute, wrote, "Given the low 'real world' usage of .zip domains, it may be best to block access to them until it is clear if it will be useful."
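Whichever of the blocking options above an organization chooses, it also helps to know who is already resolving these names, so that a block can be sized and exceptions handled before it goes in. The following Python scanner is an added example, not code from the article or from SANS: it reads resolver query logs in a constructed key=value format, normalizes each queried name, and reports queries whose TLD is .zip or .mov unless the exact name is on a reviewed allowlist. The log format, the allowlist entry and the sample lines are assumptions made for this example; a real deployment would adapt the regular expression to its own resolver's log format.

```python
import re
from dataclasses import dataclass

# TLDs the article discusses blocking outright.
BLOCKED_TLDS = frozenset({"zip", "mov"})

# Constructed allowlist of names the organization has reviewed and permits.
# Matching is exact: subdomains of an allowed name are still reported.
ALLOWED_NAMES = frozenset({"community.zip"})

# Assumed log line shape: "<timestamp> client=<ip> qname=<name> qtype=<type>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+qname=(?P<qname>\S+)\s+qtype=(?P<qtype>\S+)"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    client: str
    qname: str
    tld: str


def normalize(qname):
    """Strip the trailing root dot of an FQDN and lower-case the name."""
    return qname.rstrip(".").lower()


def tld_of(name):
    """Return the rightmost label, i.e. the top-level domain."""
    return name.rsplit(".", 1)[-1]


def is_blocked(qname):
    """True when the query targets a blocked TLD and is not explicitly allowed.

    Only the final label counts, so a host such as zip.example.com is not
    mistaken for a .zip domain.
    """
    name = normalize(qname)
    if name in ALLOWED_NAMES:
        return False
    return tld_of(name) in BLOCKED_TLDS


def scan(lines):
    """Return a Finding for every well-formed log line that resolves a blocked TLD."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the scan
        if is_blocked(m["qname"]):
            name = normalize(m["qname"])
            findings.append(Finding(m["ts"], m["client"], name, tld_of(name)))
    return findings


# Constructed sample log lines; the addresses and names are not real telemetry.
SAMPLE_LOG = [
    "2023-05-18T10:02:11Z client=10.0.0.5 qname=www.example.com qtype=A",
    "2023-05-18T10:02:12Z client=10.0.0.5 qname=bank-statement.zip. qtype=A",
    "2023-05-18T10:02:13Z client=10.0.0.7 qname=zip.example.com qtype=AAAA",
    "2023-05-18T10:02:14Z client=10.0.0.9 qname=community.zip qtype=A",
    "2023-05-18T10:02:15Z client=10.0.0.9 qname=setup-installer.mov qtype=A",
    "this line is not a query record",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.client} queried {f.qname} (.{f.tld})")
```

Run against a day of resolver logs, the output doubles as the exception list for the block: names that appear with legitimate business use go on the allowlist, everything else is what the block will stop.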