Google recently introduced a group of eight new top-level domains meant to expand the range of possibilities for website URLs and email addresses. Most of these, such as “.dad” and “.foo,” are unremarkable additions of the sort that normally pop up. But two that share common file extensions, “.zip” and “.mov,” are raising cyber risk alarms.
The ZIP file format is one of the oldest (and likely the most widely recognized) formats used for compressed file archives, and MOV is both a command for copying files in x86 assembly language and the longtime format of the popular QuickTime video files. At least one phishing page has already appeared that attempts to capitalize on the potential confusion this could generate.
Google’s new top-level domains criticized for creating unnecessary risk
One of the most immediate threats comes from software and online platforms, particularly social media, that automatically convert anything that looks like a URL into a clickable link. Someone posting instructions that include a ZIP or MOV file name might thus see that bit of text automatically converted into a link pointing at a domain under one of these new top-level domains.
At best this would take the reader on a brief ride to nowhere. But at worst, it would take them to a domain controlled by an attacker that then attempts to pass them malware or phish them. This seems to be on people’s minds already, as the newly available top-level domains are being snapped up with an emphasis on common file names that might include sensitive information: “backup”, “update”, “financialstatement”, and so on. One that is already laying a phishing trap is “microsoft-office” (dot) zip. The URL displays a phishing page mocked up to look like the standard Microsoft account sign-in page.
Security researcher Bobby Rauch has also demonstrated another potential attack, which involves adding an “@” symbol to a URL that otherwise appears to lead to a legitimate ZIP file download. Because a browser treats everything before the “@” as user credentials rather than as the host name, the URL would actually take the user to an attack site hosted on a domain under one of the new top-level domains and owned by a threat actor.
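As an added illustration of the two issues described above (file names being auto-linked, and the “@” trick), the following Python example is not from the article or from Rauch’s research: assess_url reports the host a browser would really contact, and safe_linkify shows the kind of fix a forum or social platform could apply when turning text into links. The sample URLs and text are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# The two new TLDs from the article that double as common file extensions.
FILE_LIKE_TLDS = {"zip", "mov"}

# A bare token an auto-linker would normally turn into a link, e.g. "backup.zip"
# or "example.com". Tokens already inside a URL (preceded by '/', '.', '@' or a
# word character) are skipped.
BARE_HOST_RE = re.compile(
    r"(?<![\w@/.])\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.([a-z]{2,}))\b", re.I
)


def assess_url(url: str) -> dict:
    """Classify a URL the way a mail gateway or link-rewriting proxy might.

    Browsers treat everything between '//' and the last '@' of the authority
    as userinfo, so the host actually contacted is whatever follows the '@'.
    """
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower()
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    return {
        "host": host,                              # what the browser connects to
        "file_like_tld": tld in FILE_LIKE_TLDS,    # looks like a file, is a domain
        "userinfo_present": "@" in parts.netloc,   # leading text is not the host
    }


def safe_linkify(text: str) -> str:
    """Auto-link bare hostnames, but leave tokens alone when their 'TLD' is a
    file extension: "report.zip" in a forum post stays plain text instead of
    becoming a link to the domain report.zip."""
    def repl(match):
        token, tld = match.group(1), match.group(2).lower()
        if tld in FILE_LIKE_TLDS:
            return token
        return f'<a href="https://{token}">{token}</a>'
    return BARE_HOST_RE.sub(repl, text)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the article.
    for url in ("https://files.example.com@backup.zip",
                "https://example.com/archive.zip"):
        print(url, "->", assess_url(url))
    print(safe_linkify("Unpack report.zip, then see example.com for details."))
```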
Security experts divided on level of cyber risk
The condemnation of these new top-level domains is not universal in the cyber security community, with some holding the opinion that the actual level of cyber risk is minimal. This side of the debate points to existing web browser mitigations that can be expanded to cover these new domains, and to relatively trivial fixes on the part of the social media platforms and forums that might be exploited.
Others say that any amount of new cyber risk introduced by these new top-level domains is unacceptable, as they have limited utility and are not really necessary for anything. For example, Google’s stated intent for the ZIP domain is to convey a sense of “zippiness” or loading speed, but one does not have to actually demonstrate that their site is fast or optimized to purchase such a domain. There is a similarly vague explanation for the intended marketing purpose of the .mov sites, as representing something that “moves” a person or that deals with moving pictures.
Some of the potentially vulnerable top-level domains are already being snapped up by those who feel there is a substantial cyber risk, or simply by well-meaning pranksters who don’t appear to be interested in doing harm. An example of the latter can be found at the “clientdocs (dot) zip” URL, which simply loads a text document that says “I AM HAVING FUN ON THE INTERNET” repeatedly. Numerous early .zip domain registrations also redirect to a famous Rick Astley video. And “setup (dot) zip” provides a warning to visitors about the potential risks of these URLs. There is at least one commercial beneficiary of these new top-level domains, however: the popular archiving tool 7-Zip was quick to register “seven (dot) zip” as its new home.
Critics of the new top-level domains also point out that ICANN has a history of rejecting proposed domain names that could be abused in similar ways. In 2016 it banned “.mail,” “.corp” and “.home” from general availability. The Internet Assigned Numbers Authority (IANA) has also rejected a number of similarly exploitable domains that pose a cyber risk such as “.test,” “.invalid,” and “.localhost”.
The utility of these new top-level domains could also hinge on how commonly they are banned by administrators looking to head off problems, which in turn could depend on how many successful scams and attacks there are in the coming days. If more legitimate firms and software developers end up embracing the new URLs (for whatever reason), there may be a reason to allow them, but until then administrators may well conclude that the added cyber risk, and the headache of confused support tickets, is not worth allowing them. Javvad Malik, Lead Security Awareness Advocate at KnowBe4, notes that they will definitely increase workload: “With the general availability of these domains, it becomes increasingly important for IT administrators and cybersecurity professionals to closely monitor websites. With phishing already the preferred tactic used by cyber criminals and nation-states, these TLDs will only make it easier to trick unaware or distracted recipients. It’s important to adopt a vigilant approach towards domain registrations and usage. Just because a TLD can be registered, it doesn’t necessarily mean it should be registered. As such, organizations will need to ensure they have strong layered defenses, which include having the right policies and ensuring staff receive timely and appropriate security awareness training to help detect and report any suspicious activity or emails.”