Is the new .zip top-level domain a cyber security risk?

Security experts have warned that the new ‘.zip’ top-level domain (TLD) could facilitate the spread of malware and undermine legitimate sources.

TLDs are the letters that follow the final period in a URL, such as ‘.com’, and at the start of May, Google announced the release of eight new options: .dad, .phd, .prof, .esq, .foo, .zip, .mov, and .nexus.

While most of the new TLDs were made to tie in with specific job titles, concerns have been raised about the potential for the two that resemble file extensions - ‘.zip’ and ‘.mov’- to be used by hackers seeking to trick unsuspecting users into entering malicious domains.

Zipped archives are widely used in business as they allow large amounts of data to be shared in a compressed format, and for their compatibility across macOS, Windows, and Linux.

Using the ‘.zip’ TLD to mask illegitimate links as files to download could drive a rise in phishing attacks, or push malicious .zip files such as those used in recent Emotet botnet campaigns via domains that resemble innocent files.

There is a concern that automatic hyperlinkers, the processes that convert text such as ‘google.com’ into a link within communication software such as emails, will inadvertently change references to .zip or files into links.

In practice, threat actors could choose likely .zip or file names for their domains and wait for victims to accidentally link to them in their correspondences or on social media.

For example, a manager could make a post referencing a specific file on their company’s intranet e.g. ‘tax-policy.zip’ and accidentally create a hyperlink which users could easily mistake for an intentional link to the file in question.

“As an attacker, all I have to do is register the documents-backup.zip domain and upload a malicious zip file to the root of the domain,” wrote Reddit user LudwikTR.

“It will start downloading as soon as someone opens http://documents-backup.zip. The individual clicking on the link expects a ZIP file to download - and it will, but it will be a malicious file from a third-party, not from the author of the message or a post.”

Developer and blogger Eric Lawrence wrote that as long as automatic hyperlinkers are instructed to exclude domains ending in .zip or .mov, this issue is unlikely to arise.

It’s possible that the concerns could spark a wider conversation around automatic links being generated, particularly in software commonly used for phishing such as emails. 

For security purposes, users might prefer to manually select which sections of their written text are intended to be links which could circumvent the problem.

Lawrence also noted that some TLDs automatically fall under HTTPS rather than HTTP via the HTTP Strict Transport Security policy, and that to get an HTTPS certificate domain registrants often have to go on the record with Certificate Transparency, where suspicious domain names could be easily spotted.

This could prevent attackers from establishing deceptively-named websites in the first place, whether for passive attacks on victims in the manner described or for spear phishing attacks with links disguised as file names in messages sent to targets.

As F5 noted in its 2021 TLS Telemetry Report, however, 83% of phishing sites were found to use valid HTTPS certificates, a reminder that an HTTPS site is not guaranteed to be safe.

What’s in a domain name?

Choosing a domain name is an important process for businesses, as a website can be the sole aspect of a company facing customers and must be easy to find and appear trustworthy or relevant.

Most businesses opt for ‘.com’ or a region-specific TLD, though smaller companies sometimes go for market-specific domains to stand out such as ‘.ai’.

Palo Alto Networks research revealed that the majority of malicious domains were found within a small range of TLDs; 99% of all domains are found at 219 TLDs, but the same proportion of command and control (C2) domains span just 29 TLDs. 

Even the most widely spread malware domains, such as those used for phishing, were found at 92 TLDs in 99% of cases out of the 1,479 total TLDs.

It remains to be seen whether ‘.zip’ will become widely used for malware attacks, but as attackers are seemingly limited to using it for the attacks described it may remain a domain used for both legitimate purposes and the most niche malware sites.