Isometric

The Dangers of .zip and .mov domains – Your guide to avoid them

At Isometric we had a collective groan when Google decided to put .zip domains up for sale. Google Registry announced eight new top-level domains (TLDs), including .zip and .mov, creating a stir in the IT and cybersecurity sectors because of their obvious likeness to the well-known and frequently used .zip and .mov file extensions.

TLDs, the letters that appear after the dot in a domain name (example.com, example.zip), have always acted as an identifier for the nature of the site you’re visiting. However, this function seems to be somewhat lost on many users, which makes Google’s attempt to symbolise speed with .zip domains seem a little laughable. On the other hand, many users are accustomed to recognising .zip as representing a compressed file, which introduces a new layer of potential confusion.

In our world of cyber security, we’re often dealing with misdirection. Cybercriminals are fond of .zip files and have used them heavily in recent years in malicious email attachments. These files often kickstart a sequence known as an “attack chain”, where one bad file leads to another, all aimed at confusing users and deceiving security software.

The same tactics are applied to domain names, where criminals employ open redirects to mislead users into thinking their harmful URLs are links to trustworthy sites. The introduction of .zip domains only compounds the potential for confusion and deception, handing cybercriminals a new tool with seemingly no direct benefit for Google.

How it works

Consider this conundrum presented by security researcher Bobby Rauch in his article “The Dangers of Google’s .zip TLD”. He posed the question of which of these URLs would result in a malicious download:

https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip
https://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1.27.1.zip

The answer is the latter. The first opens a zip file from github.com, while the second takes you to the domain v1.27.1.zip, which would trigger a harmful download. The slashes in the second URL are Unicode division-slash characters rather than real path separators, so the browser treats everything before the @ as a username and only the part after it, v1.27.1.zip, as the host it actually connects to. Would you have spotted this if you hadn’t been warned?

Even though URLs were already challenging to read, the addition of .zip domains only adds to the confusion. Despite Google’s positive contributions to computer security, this move is a notable misstep. As an MSP, we are baffled by this decision that adds no tangible value and opens doors for potential cybercrimes.

Or take the following example: a family member or even a work colleague may be sending you a legitimate file, but because they mentioned the filename in the email body, some providers, such as Gmail, automatically turn it into a link.
This means that if you click on the text “familyphotos.zip” in the email, you could unintentionally be directed somewhere malicious, since an attacker could register familyphotos.zip and host malicious content there.
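The two tricks above (the @ plus lookalike slashes in the GitHub example, and a bare filename that a mail client turns into a link) are both easy to check for mechanically before a user clicks. The script below is an added example written for this article, not Isometric’s own code or tooling. It uses only the Python standard library, assumes the division-slash character in the article’s second URL is U+2215, and the email body it scans is a constructed sample.

```python
"""Spot the .zip / .mov URL tricks described above before a user clicks.

Added example for this article, not Isometric's code. It checks a URL for
three things: a host that ends in .zip or .mov, userinfo before an '@' in
the authority (which pushes the real host to the end), and slash lookalikes
such as U+2215 DIVISION SLASH standing in for '/'. It also finds bare
filenames like familyphotos.zip in email text that a mail client might
auto-link. Everything here uses only the standard library.
"""
import re
import unicodedata
from urllib.parse import urlsplit

# Characters that render like '/' but are not URL path separators.
# Constructed list: U+2215 is the one used in the article's example.
SLASH_LOOKALIKES = frozenset("\u2215\u2044\uff0f\u29f8")

# TLDs that collide with common file extensions (the two from the article).
FILE_LIKE_TLDS = frozenset({"zip", "mov"})

# The article's two URLs. The second is rebuilt here with U+2215 DIVISION
# SLASH and an '@' (assumed to match the character used in the article).
SAFE_URL = "https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip"
TRICK_URL = ("https://github.com\u2215kubernetes\u2215kubernetes\u2215archive"
             "\u2215refs\u2215tags\u2215@v1.27.1.zip")

# Bare filename tokens (not already inside a URL path) that end in .zip/.mov.
FILENAME_RE = re.compile(r"(?<![/\w.-])([\w-]+(?:\.[\w-]+)*\.(?:zip|mov))\b", re.I)


def inspect_url(url: str) -> dict:
    """Return the host a browser would actually contact plus a list of findings."""
    findings = []

    # 1. Slash lookalikes anywhere in the string: the text looks like a path,
    #    but to the parser it is all still part of the authority.
    for ch in url:
        if ch in SLASH_LOOKALIKES:
            findings.append(
                f"slash lookalike U+{ord(ch):04X} ({unicodedata.name(ch, 'unknown')})"
            )
            break

    try:
        parts = urlsplit(url)
    except ValueError as exc:
        # urlsplit rejects some confusable characters in the authority outright.
        findings.append(f"authority rejected by parser: {exc}")
        return {"host": None, "findings": findings, "suspicious": True}

    host = (parts.hostname or "").rstrip(".")

    # 2. Userinfo before '@': everything before it is ignored for routing,
    #    so the visible 'github.com' is not where the request goes.
    if parts.username is not None:
        findings.append(f"userinfo before '@' hides the real host {host!r}")

    # 3. File-extension-like TLD on the host that is really contacted.
    tld = host.rsplit(".", 1)[-1]
    if tld in FILE_LIKE_TLDS:
        findings.append(f"host {host!r} is on the .{tld} TLD")

    return {"host": host, "findings": findings, "suspicious": bool(findings)}


def find_linkifiable_filenames(text: str) -> list:
    """Filenames in plain email text that a client may turn into .zip/.mov links."""
    return FILENAME_RE.findall(text)


if __name__ == "__main__":
    for url in (SAFE_URL, TRICK_URL):
        result = inspect_url(url)
        print(url)
        print("  real host:", result["host"])
        for finding in result["findings"]:
            print("  !", finding)
    # Constructed email body, like the familyphotos.zip case in the article.
    body = "Hi, attached are the familyphotos.zip from Sunday and the clip beach.mov"
    print("auto-linkable filenames:", find_linkifiable_filenames(body))
```

The same checks fit naturally into a mail gateway or a link-rewriting step: a URL whose real host lands on .zip or .mov, or whose authority contains userinfo, is worth holding for review or showing to the user with the real host spelled out, and a bare `something.zip` in message text can be left as plain text rather than auto-linked.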

Conclusion

Currently, the threat from .zip domains remains small, with fewer than 4,000 registered at the time of writing. It remains to be seen whether cybercriminals will take advantage of these new domains or if they’ll ultimately be discarded.

The advent of .zip domains represents a confluence of digital realms—those of website domains and file extensions—that have, until now, remained distinct. This blend creates an opportunity for misuse, but it’s important to remember that while potential threats exist, the actual impact on the security landscape remains uncertain.

The introduction of these new TLDs doesn’t invalidate the foundational principles of good cybersecurity practice. As always, we advise vigilance when it comes to unfamiliar URLs, increased awareness of phishing tactics, and regular maintenance and updating of security software. Moreover, employee education remains crucial to bolster the first line of defence against these potential threats.

Ultimately, the effectiveness of these new TLDs for malicious purposes will depend on their adoption and use. If these domains are extensively used for legitimate purposes, they could become a prevalent part of the Internet landscape. Alternatively, if they’re predominantly used for nefarious ends, or if their utility is negated by widespread blocking, they might become a footnote in the history of the web.

Looking ahead, we are committed to navigating these new developments on behalf of our clients. We continue to monitor the evolving situation, ready to adapt our strategies as needed. This vigilant approach, coupled with our clients’ awareness and cooperation, will ensure we are all ready to face whatever challenges these new domains may present.

Google’s decision to introduce the .zip TLD might be seen as a misstep now, but it serves as a reminder that the world of cybersecurity is in constant flux. We’ll continue to respond to these changes swiftly and effectively, always prioritising the security and peace of mind of our clients. Because when it comes to cybersecurity, being proactive is always the best strategy.

Get in touch with us to ask about how you can mitigate the risk of .zip domains