Threats around the new ‘.zip’ TLD introduced by Google
Google recently announced that users could register for the newly launched 8 TLDs from 10 May 2023. These new TLDs are .foo, .zip, .mov, .nexus, .dad, .phd, .prof, .esq. Various security organizations and researchers have raised a concern, especially with the ‘.zip’.
Threats around the .zip domains are:
- Phishing attacks where users are asked to check their documents hosted on a fake document viewing or banking website with .zip TLD, leading to the harvesting of credentials or revealing sensitive information of users interacting with the websites.
- Increase in downloads of malicious software and documents
Normally, the ‘.zip’ extension is used to share compressed media over the internet. Such files are hosted on clouds, drives, and media-sharing sites. Campaigns by adversaries can leverage domains with .zip to host infected files, leading to systems being infected without the knowledge or consent of the victims.
To check the stats so far (upto 17 May 2023), I referred to this amazing repository by trickest that constantly monitors the internet for new .zip domains. Different sectors where using the .zip domain can have fraud and malicious campaigns with serious impacts are as given below.
I analyzed the .zip domains for keywords such as bank (8), gov (2), document (6), account (4), microsoft (7), outlook (4), customer (3), and tax (7). Most of these domains were found to be associated/communicating with malicious files.
For example, considering a phishing campaign, victims frequently get email attachments titled ‘bank statements’ from legitimate sources. Hosting domains with similar keywords would help in malicious redirects.
These domains can create confusion since users will be unsure whether they are clicking on any attachment or a malicious URL. Also, given the trends in different sectors below, the domains are using the keywords that have been used as attachments in the past.
For effective threat intelligence, this repository, by trickest, can be used to identify new trends propagating through .zip TLDs.
Additionally, use of .zip TLD can be exploited for hosting popularly used software with hidden malware. Some popularly used IT-based tools such as Canva, Dropbox, and Atlassian already have a registered domain under .zip TLD.
Hopefully, it is by the company to avoid campaigns targeting their brands and not by adversaries.