New ZIP Domains Spark Debate Among Cybersecurity Experts

Cyber Security Threat Summary:
“Cybersecurity researchers and IT admins have raised concerns over Google's new ZIP and MOV Internet domains, warning that threat actors could use them for phishing attacks and malware delivery. Earlier this month, Google introduced eight new top-level domains (TLD) that could be purchased for hosting websites or email addresses. The new domains are .dad, .esq, .prof, .phd, .nexus, .foo, and for the topic of our article, the .zip and .mov domain TLDs” (Bleeping Computer, 2023).

The ZIP and MOV top-level domains have actually existed since 2014, but it wasn’t until recently that they became available for anyone to purchase. Because .zip and .mov are extensions of files commonly shared in forum posts, messages, and online discussions, some messaging platforms and social media sites will automatically convert file names ending in .zip and .mov into clickable URLs.

People may click on such a URL thinking they are downloading the associated file, but a threat actor may own the .zip domain with the same name. A victim may accidentally visit the site and fall for a phishing scam or download malware, believing the link is safe because it came from a trusted source. Bleeping Computer notes that “it's very unlikely that threat actors will register thousands of domains to capture a few victims, but you only need one corporate employee to mistakenly install malware for an entire network to be affected.”

Security Officer Comments:
This new attack vector is not theoretical. Cybersecurity researchers from Silent Push have already discovered a phishing page microsoft-office[.]zip attempting to steal Microsoft Account credentials. Many researchers are warning of the unnecessary risk these new domains add to their already risky online environments. “People have begun registering .zip domains that are associated with common ZIP archives, such as update[.]zip, financialstatement[.]zip, setup[.]zip, attachment[.]zip, officeupdate[.]zip, and backup[.]zip, to display information about the risks of ZIP domains, to RickRoll you, or to share harmless information” (Bleeping Computer, 2023).

While some researchers have expressed concerns, others say that there are plenty of legitimate use cases for the domains, aside from a few bad examples, and claim the fears regarding these new domains are overblown. When BleepingComputer contacted Google about these concerns, Google said that the risk of confusion between file and domain names is not new, and that browser mitigations are in place to protect users from abuse: "The risk of confusion between domain names and file names is not a new one. For example, 3M’s Command products use the domain name command[.]com, which is also an important program on MS DOS and early versions of Windows. Applications have mitigations for this (such as Google Safe Browsing), and these mitigations will hold true for TLDs such as .zip."

Google says they have mechanisms in place to monitor the usage of the new domains, and if new threats emerge, they will take appropriate action to protect users.

Suggested Correction(s):
The general mitigation advice is that no specific actions are required to protect yourself from these new domains. Following existing best practices of not clicking links from people you do not trust, and not downloading files from sites you do not trust, will prevent these attacks even when .zip or .mov is used.

Like any link, if you see a .zip or .mov link in a message, research it before clicking on it. If you are still unsure if the link is safe, do not click on it. However, the exposure to these links will likely increase as more applications automatically turn ZIP and MOV filenames into links, giving you one more thing to be careful about when online.

Since the corporate use cases for these domains are likely to be few, many organizations may be able to block domains under these TLDs altogether.
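As an added example (not code from the article, Bleeping Computer, or Google), the following Python script shows the two defensive checks the text describes: spotting tokens in a message that a chat or forum client would auto-link to a .zip or .mov host, flagging resolver log lines for those TLDs, and emitting the response policy zone records that block both TLDs outright. The sample message, the dnsmasq-style log lines and the block list are constructed assumptions.

```python
"""Flag .zip/.mov hostnames in free text and in DNS query logs, and emit a
blanket block list for those TLDs.  Added example; the log format, the sample
message and the block list are assumptions, not data from the article."""
import re
from urllib.parse import urlsplit

# TLDs the article discusses as confusable with file extensions.
BLOCKED_TLDS = frozenset({"zip", "mov"})

# Matches either a full URL or a bare token such as "report.zip" that many
# chat and forum clients turn into a clickable link.
_CANDIDATE = re.compile(
    r"(?i)\b((?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d+)?(?:/\S*)?)"
)

# Constructed sample message: two bare "file names" that would be linkified,
# plus a real .mov file sitting under an ordinary domain.
SAMPLE_MESSAGE = (
    "Hi team, the quarterly numbers are in financialstatement.zip on the share, "
    "and the demo recording is at https://videos.example.com/demo.mov. "
    "Release notes: https://www.bleepingcomputer.com/ (see also setup.zip)."
)

# Constructed dnsmasq-style query log lines.
SAMPLE_DNS_LOG = """\
May 18 09:12:01 dnsmasq[812]: query[A] www.bleepingcomputer.com from 10.0.0.15
May 18 09:12:07 dnsmasq[812]: query[A] financialstatement.zip from 10.0.0.15
May 18 09:12:09 dnsmasq[812]: query[AAAA] cdn.example.net from 10.0.0.22
May 18 09:13:44 dnsmasq[812]: query[A] holiday-video.mov from 10.0.0.31
"""
_DNS_QUERY = re.compile(r"query\[[A-Z]+\]\s+(\S+)\s+from\s+(\S+)")


def hostname_of(candidate: str) -> str:
    """Return the lower-cased host part of a URL or bare domain-like token."""
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = urlsplit(candidate).hostname or ""
    return host.lower().rstrip(".")


def tld_of(host: str) -> str:
    """Last label of a host name ('' if it has no dot)."""
    return host.rsplit(".", 1)[-1] if "." in host else ""


def scan_message(text: str) -> list[dict]:
    """Find tokens that a linkifier would turn into a URL on a .zip/.mov host.
    A .mov file in the path of an ordinary domain is deliberately not flagged:
    only the host's TLD matters."""
    findings = []
    for m in _CANDIDATE.finditer(text):
        token = m.group(1).rstrip(".,;:)")  # drop trailing sentence punctuation
        host = hostname_of(token)
        if tld_of(host) in BLOCKED_TLDS:
            findings.append({"token": token, "host": host, "tld": tld_of(host)})
    return findings


def flag_dns_queries(log_text: str) -> list[tuple[str, str]]:
    """Return (queried_name, client) pairs whose TLD is on the block list."""
    hits = []
    for line in log_text.splitlines():
        m = _DNS_QUERY.search(line)
        if not m:
            continue
        name, client = m.groups()
        if tld_of(name.lower().rstrip(".")) in BLOCKED_TLDS:
            hits.append((name, client))
    return hits


def rpz_block_rules(tlds=BLOCKED_TLDS) -> list[str]:
    """Response Policy Zone records that answer NXDOMAIN for a whole TLD and
    everything beneath it (the blanket block the article suggests)."""
    rules = []
    for tld in sorted(tlds):
        rules.append(f"{tld} CNAME .")
        rules.append(f"*.{tld} CNAME .")
    return rules


if __name__ == "__main__":
    for f in scan_message(SAMPLE_MESSAGE):
        print(f"message token {f['token']!r} would link to host {f['host']}")
    for name, client in flag_dns_queries(SAMPLE_DNS_LOG):
        print(f"DNS query for {name} from {client}")
    print("\n".join(rpz_block_rules()))
```

The message scanner reports only the bare tokens `financialstatement.zip` and `setup.zip`; the `.mov` file served from `videos.example.com` is not reported, because the risk comes from the host's TLD rather than the file name in the path. The RPZ records are the generic BIND/Unbound convention for returning NXDOMAIN; adapt them to whatever block-list format the organization's resolver or proxy accepts.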

  • Do not open emails or download software from untrusted sources
  • Do not click on links or attachments in emails that come from unknown senders
  • Do not supply passwords, personal, or financial information via email to anyone (sensitive information is also used for double extortion)
  • Always verify the email sender's email address, name, and domain
  • Protect devices using antivirus, anti-spam and anti-spyware software
  • Report phishing emails to the appropriate security or I.T. staff immediately


Link(s):
https://www.bleepingcomputer.com/