Vanja Ćosić

Google unleashes the .zip TLD on us

Earlier this month, Google announced the availability of a handful of new TLDs1:

Today, we’re adding eight new extensions to the internet: .dad, .phd, .prof, .esq, .foo, .zip, .mov and .nexus.

Skimming over the list, the .zip and .mov domains stand out because they are also common file endings for archive files and video files.

Both file formats have been around for decades2 and the introduction of domains that look identical is making a lot of security professionals nervous, myself included.

The concern is that these domains will be prime opportunities for phishing attacks and other cyber-shenanigans, since it further blurs the lines between a file and a URL. This has the potential to undo a lot of the hard work done to train people to recognize malicious links.3

In a post titled The Dangers of Google’s .zip TLD, one security researcher demonstrates how such an attack would work. By combining special characters and one of these new domains (eg. v1271.zip) to craft incredibly convincing phishing URLs:

Phishing demonstration
Evil:
https://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1271.zip
Legitimate:
https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip

Another concern is due to many websites and apps automatically detecting URLs in text and turning them into clickable links. So for example, old tweets where mentions of “vacationphotos.zip” in the text are turned into working URLs, now pointing to domains that are just waiting to be purchased by someone.

It didn’t take many days before attacks in the wild appeared, here’s an example from Google’s .zip Top Level domain is already used in phishing attacks:

Domains such as officeupdate.zip or microsoft-office.zip have already been used in phishing campaigns. The latter is still online but safe browsing should warn users prior to accessing the site in question.

Many security professionals and organizations are already recommending administrators to entirely block access to these new TLDs, so perhaps hold off on buying them for your next big project.

  1. The .zip TLD was approved in 2014 but Google did not make it generally available until May 2023↩︎

  2. The .zip file format was introduced in 1989 and .mov in 1991 ↩︎

  3. Sure, these are not the first or only TLDs that look like filetypes, but one could argue that most people recognize .com as a domain extension and not a binary format for DOS↩︎