If you’re a security professional you may have seen an increase in phishing attacks coming from the .ZIP TLD. Last month, Google introduced eight new top-level domains (TLDs) that can be purchased through Google Domains and ICANN-accredited registrars.
The new domains are .dad, .esq, .prof, .phd, .nexus, .foo, and, the topic of this article, the .zip and .mov TLDs.
Why are Cybersecurity Experts Concerned?
Although they were created in 2014, the .zip and .mov top-level domains (TLDs) have only now become generally available, allowing anyone to purchase a domain with these extensions. The same strings are also well-known file extensions, and some messaging platforms and social media sites automatically convert any file name ending in .zip or .mov into a clickable URL.
Many organisations and cybersecurity firms have expressed concern:
Shame on @google, and if they had any trace remembrance of the idea of shame before profit, they would stop registering new .zip domains. I may sound like a ghoul but maybe you do not understand the fundamental undermining this seemingly simple incursion has on user expectation. – @SwiftOnSecurity
A significant amount of software automatically converts text that looks like a URL (even without an explicit scheme such as https://) into a clickable link: mail clients, messengers, internet forums, social media sites, CMS systems, text editors and so on. These linkifiers typically decide whether a piece of text is a domain by checking its last label against a list of valid TLDs.
Until recently these applications would not convert text ending in .zip into a link, because .zip was not treated as a valid TLD and, in any case, nobody could register a domain under it. Now that .zip is a live, registrable TLD, the same applications will turn any text ending in .zip into a link. This means an attacker can register a domain name that is identical to a common file name, such as documents-backup.zip, and host a malicious file on it. Text that was only ever meant to be a file name now links to the attacker’s server, and someone who clicks it expecting to download the file will download the attacker’s file instead.
The resulting risk is a straightforward phishing lure: a threat actor registers a .zip or .mov domain whose name matches a file the victim is expecting to download, then sends a link to that domain by email or on social media. What looks like a file name is in fact a link to the threat actor’s website, which may imitate a legitimate one, and the victim may be tricked into entering credentials or downloading malware.
Abuse of these domains has already been reported, with a phishing page registered at microsoft-office.zip.
Cybersecurity researchers have also shown how threat actors can combine Unicode characters with the userinfo delimiter (@) in URLs to create convincing phishing links that look like legitimate file download URLs from GitHub or other websites. Everything between the scheme and the @ is treated as a username and silently discarded by the browser, and because a real “/” would end that section, the attacker substitutes a Unicode character that renders like a slash; the part after the @, the attacker’s .zip domain, is the only host the browser actually connects to.
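The following Python script is an added example, not code from the original post or from brandsec. It imitates what a TLD-list-driven linkifier does to a chat message (the TLD list is a constructed stand-in for the IANA root-zone list), then, for each link it would produce, parses out the host a browser would really contact and flags the three tricks discussed above: a .zip or .mov host, a userinfo section before an @, and Unicode slash look-alikes (U+2215 ∕, U+2044 ⁄, U+29F8 ⧸). The sample message and the attacker domain kubernetes-v1-27-1.zip in it are constructed for the demo and are not real observations.

```python
import re
from urllib.parse import urlsplit

# Constructed TLD list for this demo. A real linkifier loads the IANA root-zone
# list, which is where .zip and .mov now sit alongside .com and friends.
LINKIFY_TLDS = {"com", "net", "org", "io", "zip", "mov"}

# TLDs that double as common file extensions.
FILE_TLDS = {"zip", "mov"}

# Characters that render like "/" but are not URL path separators. A real "/"
# would end the authority section; these do not, so everything up to the "@"
# stays inside the userinfo part that browsers silently discard.
SLASH_LOOKALIKES = {"\u2215", "\u2044", "\u29f8"}  # division, fraction, big solidus

# Either an explicit http(s) URL or a bare dotted name such as report.zip.
_CANDIDATE = re.compile(r"""https?://[^\s<>"']+|\b[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\b""")


def find_link_candidates(text: str) -> list:
    """Return the substrings a TLD-list-driven linkifier would turn into links."""
    links = []
    for match in _CANDIDATE.finditer(text):
        token = match.group(0)
        if token.lower().startswith(("http://", "https://")):
            links.append(token)
        elif token.rsplit(".", 1)[-1].lower() in LINKIFY_TLDS:
            links.append(token)  # "documents-backup.zip" lands here now that .zip is live
    return links


def analyze_link(token: str) -> dict:
    """Resolve the host a browser would actually contact and list the red flags."""
    url = token if "://" in token else "http://" + token
    findings = []

    lookalikes = sorted({c for c in url if c in SLASH_LOOKALIKES})
    if lookalikes:
        codepoints = ", ".join("U+%04X" % ord(c) for c in lookalikes)
        findings.append("slash look-alike character(s) %s in URL" % codepoints)

    try:
        parsed = urlsplit(url)
    except ValueError as exc:
        # CPython rejects a netloc whose NFKC form would contain "/", "@", etc.
        findings.append("urlsplit rejected the URL: %s" % exc)
        return {"token": token, "host": None, "tld": None, "findings": findings}

    host = (parsed.hostname or "").lower()
    tld = host.rsplit(".", 1)[-1] if "." in host else ""

    if parsed.username is not None:
        findings.append(
            "userinfo before '@' (%r...) is discarded by browsers; real host is %s"
            % (parsed.username[:24], host)
        )
    if tld in FILE_TLDS:
        findings.append("host %s ends in .%s, which is also a file extension" % (host, tld))

    return {"token": token, "host": host, "tld": tld, "findings": findings}


def triage(text: str) -> list:
    """Linkify a message the way a chat client would, then analyze every link."""
    return [analyze_link(token) for token in find_link_candidates(text)]


# Constructed sample message, not a captured phishing email. The last link uses
# U+2215 in place of "/" and a hypothetical attacker-registered .zip domain.
SAMPLE_MESSAGE = (
    "Hi, the backup is in documents-backup.zip, the release notes are at "
    "https://example.com/notes.txt and the Kubernetes source is "
    "https://github.com\u2215kubernetes\u2215kubernetes\u2215archive\u2215refs"
    "\u2215tags\u2215@kubernetes-v1-27-1.zip"
)

if __name__ == "__main__":
    for result in triage(SAMPLE_MESSAGE):
        print(result["token"])
        print("  real host:", result["host"])
        for finding in result["findings"]:
            print("  !", finding)
```

Note that a URL such as https://example.com/files/report.zip produces no finding: the .zip is in the path, and the host is example.com. The check that matters is the TLD of the host the browser will connect to, which is also the property a mail gateway or proxy rule should key on when blocking these domains.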
How to protect yourself from .ZIP domains?
Some brands have already taken steps to protect their business by blocking any domain name under the .ZIP TLD. Coates Information Security Manager Mohamed Omran posted that Coates were “blocking the .zip TLD. What an absolute fiasco.“
Other organisations have proactively registered their brand in the .ZIP TLD to prevent third-party registrations. At a minimum, organisations should monitor for third-party domain name registrations within these new TLDs so that they, and their customers, are not targeted by phishers in this space.
About brandsec
brandsec is a corporate domain name management and brand protection company that looks after many of Australia, New Zealand and Asia’s top publicly listed brands. We provide monitoring and enforcement services, DNS, SSL management, domain name brokerage and dispute management, and brand security consultation services.