Cybersecurity Risks of .zip Domain Zone

Google recently unveiled eight new top-level domains (TLDs) designed to inspire fathers (.dad), graduates (.prof, .phd, and .esq), and tech enthusiasts (.foo, .zip, .mov, and .nexus), but at least two of those present a significant cybersecurity risk, experts have warned [1].

The TLDs in question, .zip and .mov, share their names with common file formats (ZIP archives and video files) that exist outside of the Internet's four walls, which many cybersecurity experts are calling out for being misleading [1].

While other similarly vulnerable TLDs have been rolled out in the past, such as .docs, the introduction of two more increases the chances of a scam or phishing attack, giving threat actors more routes [1].

.zip and .mov TLD risk

A legitimate website with any TLD, including 'dangerous' examples like .zip, could include a help section describing the process required to open a zipped file, for example. Should that file be named, in our case, example.zip, a user's browser may then automatically add a hyperlink because it knows that .zip is a legitimate TLD, even though in our case the page refers to a local file and not a website [1].

While the file itself is safe, a threat actor could have already registered a website under that domain in the hope that unsuspecting users click on hyperlinks that lead them to a malicious page that could host malware, phishing attacks, or other scams [1].

Already, a series of concerning domains have been registered under the new and risky TLDs in the hope that someone, somewhere, has referred to the file name on a web page, which will then be converted to a hyperlink to their malicious site [1].
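The auto-linking behaviour described above is easy to reproduce with a small linkifier. The block below is an added illustration, not code from the article or from any browser or mail client: it contains a constructed help-page snippet, a permissive linkifier that turns any bare host-like token with a known TLD into an anchor (so a plain file name such as report.zip becomes a link to a .zip domain), a hardened variant that refuses to link TLDs that collide with file extensions unless the author wrote an explicit scheme or www. prefix, and a scanner a defender can run over existing content to find tokens that would be mis-linked. The TLD lists, regex and sample text are all assumptions made for this example.

```python
import re
from html import escape

# Constructed subset of TLDs a linkifier might recognise (assumption for this example).
KNOWN_TLDS = {"com", "org", "net", "io", "zip", "mov"}

# TLDs that are also common file extensions; the two the article discusses.
FILE_EXTENSION_TLDS = {"zip", "mov"}

# Simplified token matcher: optional scheme or www., a dotted host, optional path.
# Not any real browser's implementation; it exists only to show the mechanism.
TOKEN_RE = re.compile(
    r"\b(?P<scheme>https?://|www\.)?"
    r"(?P<host>(?:[a-z0-9-]+\.)+(?P<tld>[a-z]{2,}))"
    r"(?P<path>/[^\s<>\"]*)?",
    re.IGNORECASE,
)

# Constructed help-page text: two local file names plus two real-looking URLs.
SAMPLE_HELP_TEXT = (
    "Download report.zip and extract it, then open intro.mov. "
    "Release notes are at https://docs.example.com/notes. "
    "Our archive tool lives at https://archiver.example.zip/download."
)


def _render(m, require_scheme_for):
    """Render one regex match as an anchor, or return it untouched."""
    scheme = m.group("scheme") or ""
    host = m.group("host")
    tld = m.group("tld").lower()
    raw_path = m.group("path") or ""
    # Trailing sentence punctuation belongs to the prose, not the URL.
    path = raw_path.rstrip(".,;:!?)")
    trailing = raw_path[len(path):]

    if tld not in KNOWN_TLDS:
        return m.group(0)
    # Hardened rule: file-extension-like TLDs need an explicit scheme or www.
    if tld in require_scheme_for and not scheme:
        return m.group(0)

    shown = scheme + host + path
    if scheme.lower().startswith("http"):
        url = shown
    else:
        url = "http://" + shown  # bare host or www. prefix gets a default scheme
    return f'<a href="{escape(url, quote=True)}">{escape(shown)}</a>{trailing}'


def naive_linkify(text):
    """Permissive auto-linking: every bare token with a known TLD becomes a link,
    so a file name like report.zip turns into a link to http://report.zip."""
    return TOKEN_RE.sub(lambda m: _render(m, require_scheme_for=set()), text)


def hardened_linkify(text):
    """Same linkifier, but .zip/.mov tokens are only linked when the author
    explicitly wrote a scheme or www. prefix."""
    return TOKEN_RE.sub(lambda m: _render(m, require_scheme_for=FILE_EXTENSION_TLDS), text)


def find_ambiguous_tokens(text):
    """Defender's check: list bare file-name-looking tokens that a permissive
    linkifier would turn into links to a .zip or .mov domain."""
    return [
        m.group("host")
        for m in TOKEN_RE.finditer(text)
        if m.group("tld").lower() in FILE_EXTENSION_TLDS and not m.group("scheme")
    ]


if __name__ == "__main__":
    print("ambiguous tokens:", find_ambiguous_tokens(SAMPLE_HELP_TEXT))
    print("naive:   ", naive_linkify(SAMPLE_HELP_TEXT))
    print("hardened:", hardened_linkify(SAMPLE_HELP_TEXT))
```

Running find_ambiguous_tokens over a site's help pages, knowledge base or outbound mail templates gives a quick inventory of the file names that would be silently converted into links to domains the organisation does not control; rewriting those mentions (for example wrapping them in code formatting, or spelling them as "the report archive") removes the ambiguity without depending on every reader's client applying the hardened rule.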

Examples of phishing attacks using .zip domains

According to the SANS Internet Storm Center, about 1230 names have been registered so far under the .zip TLD. The top-level domain was approved in 2014, but it took Google until May 2023 to unlock it for public registration alongside seven other domain extensions [2].

The .zip extension allows cybercriminals to run phishing campaigns that abuse the fact that .zip is both a popular file extension and a top-level domain. Domains such as officeupdate.zip or microsoft-office.zip have already been used in phishing campaigns [2]. The latter is still online, but Safe Browsing should warn users prior to accessing the site in question [2].

Several of the registered domains could be used in phishing campaigns, while others may be used for legitimate purposes. The makers of archiving software might register a matching domain name for their products [2]. Most of the registered domains have not been set up to display web content; the message "the site can't be reached" or a similar message is displayed in this case [2].

How to protect yourself from .zip domain phishing attacks

While there are some steps that a user can take to be more savvy when it comes to following potentially risky links, some of the responsibility must ultimately fall with Google. The company did not immediately respond to TechRadar Pro's request for comment [1].

Some of the steps that users can take are:

References

  1. Want a new Google zip domain? It could be a serious security risk | TechRadar
  2. Google's .zip Top Level domain is already used in phishing attacks - gHacks Tech News

Stay safe y'all,
Andrii.