.zip Domain Security Concerns

Google’s latest extension of web addresses has been met with concerns about potential attacks. People who deal in cybersecurity products have had reactions that range from eye-rolling to banging heads on desks. So, what’s this all about and why is it a problem?

Google has recently launched eight new Top-Level Domains, for Dads, Grads, and Techies. These are .dad, .phd, .prof, .esq, .foo, .nexus, .mov, .zip.

Top-Level Domain (TLD) refers to the .com part of a website address, so these TLDs offer new options for website addresses. However, cybersecurity professionals are concerned that the last two will create new ways for threat actors to trick users into clicking links that look legitimate, but actually point to a malicious site.

.mov and .zip are also two of the most common file extensions, with .mov being video files, and .zip being collections of files that are intended to be sent together and unpacked at the other end.

What Problems Does This Cause?

People are frequently warned against following links that look suspicious, so threat actors are always looking for new ways to not look suspicious. The .zip domain makes this easier for threat actors.

The big problem is that it’s easy to make a link to a .zip domain look like a file hosted on a website owned by a company that is trusted.

Zip files especially a convenient way to transfer multiple files online. They let you send one large file instead of many smaller ones, like putting several items into a box and carrying that, then unpacking it when you get there instead of carrying each item separately. Websites that have files a user might legitimately want to download, such as drivers, documentation, or batches of photos or videos, often distribute them in zip format.

A threat actor can send a link that looks like it goes to a .zip file stored on a trusted website. A user is less likely to click on a link that leads to an address they don’t recognise or trust. You might get sent a link that asks you to download the following:  https://company.com/@file.zip

How Does This Threat Work?

The trick here is with the @ sign. In a URL, the @ sign represents that the text before it is a password to be sent to the website, meaning that the actual site you’ll visit is https://file.zip, instead of visiting https://company.com/file.zip. The company.com part becomes a password sent with the link, instead of part of the actual URL.

This .zip domain can be anything the threat actor wants and it’s easy to change just by registering a new domain name. As .zip files online are regularly updated, the threat actor can register domains that end in new version numbers whenever a domain is caught and blocked, like file_v2.zip or file_v3.zip.

It gets even worse though, as emails and websites often automatically turn web addresses into hyperlinks, so if a webpage or email refers to a .zip file, it might be turned into a hyperlink that leads to a completely unrelated website. This has already happened, with one .zip domain that uses the name of a known malicious zip file that is dangerous to unzip now being hosted on a domain of the same name to trick users into downloading it and opening it.

What Can Be Done?

To protect yourself from this threat, check links carefully for the @ symbol before clicking them, as it can be a sign of malicious links. Before clicking on links, it’s also recommended to hover over them, as Outlook will show the URL as a tooltip, and web browsers will show the URL at the bottom of the screen. This could reveal that the link is not quite what it claims to be.

When in doubt, contact an IT professional or your IT department for advice.