In May, Google released eight new top-level domains (TLDs), the suffixes at the end of URLs such as “.com” or “.uk”. TLDs were developed decades ago to extend and organize URLs, and over the years the Internet Corporation for Assigned Names and Numbers (ICANN) has loosened its restrictions so that organizations like Google can bid to sell access to more of them. But while Google’s launch included appealing options like “.dad” and “.nexus,” it also debuted a pair of TLDs uniquely poised to invite phishing and other online fraud: “.zip” and “.mov”.
The two stand out because they are also common file extensions: .zip is ubiquitous for data compression, and .mov is a video format developed by Apple. The concern, which is already playing out, is that filename-like URLs open up more possibilities for digital scams such as phishing, which tricks web users into clicking on malicious links disguised as something legitimate. Both extensions also amplify an existing problem: software that misrecognizes file names as URLs and automatically turns them into links. With this in mind, scammers can strategically buy .zip and .mov domains that are also common file names (think springbreak23.mov) so that online references to a file with that name can automatically link to a malicious website.
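As an added illustration (not code from the article, from Google, or from any vendor), here is a small Python filter a defender might put in front of a chat or mail client’s auto-linker. It flags bare file-name-looking tokens such as springbreak23.mov that would now parse as registrable hostnames, defangs them so they are not turned into clickable links, and separately flags full URLs whose TLD is .zip or .mov so a proxy or mail gateway can route them to extra scrutiny. The function names, the regular expression and the sample message are my own constructions; only `urlsplit` comes from the standard library.

```python
import re
from urllib.parse import urlsplit

# The two new TLDs from the article that double as common file extensions.
COLLIDING_TLDS = {"zip", "mov"}

# A bare "name.ext" token with no scheme, not glued to a path, an e-mail
# address or a longer hostname. Underscores are allowed because file names
# use them even though hostnames do not; that is exactly the ambiguity.
BARE_HOST_RE = re.compile(
    r"(?<![\w./@-])"                      # nothing host-like right before it
    r"([A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*\.([A-Za-z]{2,}))"
    r"(?![\w-])(?!\.\w)"                  # token ends here (a sentence-final "." is fine)
)


def find_ambiguous_tokens(text: str) -> list[str]:
    """Return bare tokens that read as file names but that a linkifier
    would now treat as registrable .zip/.mov hostnames."""
    return [
        m.group(1)
        for m in BARE_HOST_RE.finditer(text)
        if m.group(2).lower() in COLLIDING_TLDS
    ]


def defang(text: str) -> str:
    """Rewrite ambiguous tokens as name[.]zip so a naive auto-linker in a
    chat or mail client will not turn a file name into a clickable link."""
    def repl(m: re.Match) -> str:
        if m.group(2).lower() in COLLIDING_TLDS:
            return m.group(1).replace(".", "[.]")
        return m.group(0)
    return BARE_HOST_RE.sub(repl, text)


def link_tld(url: str) -> str:
    """TLD of a full URL's hostname ('' if the string is not a URL at all).
    urlsplit lowercases the hostname, so no extra normalisation is needed."""
    host = urlsplit(url).hostname or ""
    return host.rsplit(".", 1)[-1] if "." in host else ""


def is_colliding_link(url: str) -> bool:
    """True for links whose TLD collides with a file extension; a gateway
    could send these through Safe Browsing checks or a sandbox first."""
    return link_tld(url) in COLLIDING_TLDS


if __name__ == "__main__":
    # Constructed sample message, not taken from any real campaign.
    msg = ("Trip photos are in springbreak23.mov and the invoices are in report.zip. "
           "Docs: https://example.com/help, or mail me@mail.zip")
    print(find_ambiguous_tokens(msg))   # ['springbreak23.mov', 'report.zip']
    print(defang(msg))
    for u in ["https://springbreak23.mov/setup", "http://update.zip:8080/x",
              "springbreak23.mov", "https://example.com/a.zip"]:
        print(u, is_colliding_link(u))
```

Note that a bare `springbreak23.mov` is not a URL at all until something auto-links it, which is why `is_colliding_link` returns False for it while `find_ambiguous_tokens` flags it; the two checks cover the two halves of the problem the article describes.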
“Attackers will use everything they can to get into an organization,” says Ronnie Tokazovsky, a longtime phishing researcher and principal threat advisor at cybersecurity firm Cofense. “Man, this all goes back so long now. Nothing has changed.”
Researchers are already seeing malicious actors buy strategic .zip domains and begin testing them in phishing campaigns. But opinions are mixed on how much of a negative impact .zip and .mov domains will have. Proxies and other traffic-management tools already deploy anti-phishing protection to reduce the risk when users misclick, and .zip and .mov will simply be folded into those defenses.
“The risk of confusing domain names with file names is not new. For example, 3M’s Command products use the domain name command.com, which is also an important program on MS DOS and early versions of Windows,” Google told WIRED in a statement. “Implementations have mitigations for this (such as Google Safe Browsing), and those mitigations will be true for a TLD such as .zip.” The company added that the Google Registry already includes mechanisms for suspending or removing malicious domains across all of the company’s top-level domains. “We will continue to monitor the use of .zip and other TLDs, and if new threats emerge, we will take appropriate action to protect users,” the company said.
Introducing more TLDs expands the number of URLs available to people. This means that you have more options and don’t necessarily have to pay a premium to buy the site name you want from an existing owner or speculator who has bought a bunch of historical URLs. And some in the security community feel that, given the already high risk of phishing attacks, extensions like .zip and .mov add a little extra risk.