The Risk of .zip and .mov TLDs: A New Attack Vector
This was originally published as an Insight on the Wolf and Company, P.C. website.
On May 3, 2023, Google announced that domains under the .zip and .mov top-level domains (TLDs) were open for general registration. ICANN delegated these TLDs to Google in 2014, but they had not been available to the public before this announcement. Because these two strings are also familiar file extensions, unlike established TLDs such as .com, .net, and .org, their release opens a new attack vector that malicious actors can leverage.
First, we need to describe what a top-level domain (TLD) is. As described by Cloudflare, “In the DNS (Domain Name System) hierarchy, a top-level domain (TLD) represents the first stop after the root zone. In simpler terms, a TLD is everything that follows the final dot of a domain name. For example, in the domain name ‘google.com,’ ‘.com’ is the TLD.” Google operates the .zip and .mov registries under delegation from ICANN (Internet Corporation for Assigned Names and Numbers), and registrars such as Google Domains and Namecheap can now sell domains under them. Note that .mov is also the extension of Apple’s QuickTime movie container format, just as .zip is the extension of the ubiquitous ZIP archive format.
“Ok, Steve, what is the point of this article? Why should I care about .zip or .mov?” Well, say you receive an email from a colleague (or from an attacker spoofing that colleague’s address, for example through Microsoft 365 Direct Send), and the body tells you to follow a hyperlink that ends in “.zip.” Until now that string could only be a file name; it can now be a registered domain, and many mail and chat clients will turn a bare “report.zip” in message text into a clickable link automatically.
To the reader, “.zip” signals a compressed archive, and the link may in fact deliver one: an archive containing a malicious application that, once run, spreads across the network or establishes command and control (C2) with an external server.
The link may instead land on a phishing page that asks for credentials before it will “open” or “download” a file supposedly hosted in Google Drive or Dropbox.
Either way, the result is malware on the endpoint or credentials typed into a fake Microsoft or Google sign-in page. Expect threat actors to build on this news with new lures for delivering malware, harvesting credentials, and spamming users.
In conclusion, the most direct defense is to block or quarantine inbound external email containing URLs whose host ends in .zip or .mov, and to make sure your user base knows about this change through current phishing-awareness training. Whenever a hyperlink in an email ends in .zip, think twice before clicking: it could be a phishing link, a lure to download a malicious file, or a perfectly safe download, and the name alone no longer tells you which.
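As an added illustration of the filtering rule above and of the lure described earlier (this is example code written for this page, not something from the original article), the following Python uses only the standard library to scan a message body for links whose actual host ends in .zip or .mov. It goes slightly beyond the text in two ways a practitioner needs to know about: per RFC 3986, anything between “://” and “@” in a URL is userinfo rather than the host, so “https://github.com@v1271.zip” really connects to v1271.zip; and bare tokens such as “report.zip” are checked too, because mail clients auto-link them. All hosts, URLs and the sample message are constructed for the example.

```python
"""Flag links in an e-mail body whose real host ends in .zip or .mov.

Added example for this article, not code from the original post. Hosts,
URLs and the sample message below are constructed for illustration.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# TLDs that double as file extensions; extend if more such TLDs appear.
FILE_EXTENSION_TLDS = {"zip", "mov"}

# Explicit URLs with a scheme.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Schemeless "host" or "host/path" tokens; mail and chat clients turn a bare
# "report.zip" into a clickable http link, so they must be checked too.
BARE_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z0-9-]+(?:/\S*)?", re.IGNORECASE)


def real_host(url: str) -> str | None:
    """Return the host a browser would connect to for this link.

    Per RFC 3986 everything between "://" and "@" is userinfo, not the host,
    so "https://github.com@v1271.zip" connects to v1271.zip, not github.com.
    """
    if "://" not in url:
        url = "http://" + url  # bare tokens are linkified as http
    try:
        host = urlsplit(url).hostname
    except ValueError:  # malformed authority, e.g. a bad IPv6 literal
        return None
    return host.rstrip(".") if host else None


def is_file_extension_tld(host: str) -> bool:
    """True if the host's last label is one of the file-extension TLDs."""
    return host.lower().rstrip(".").rsplit(".", 1)[-1] in FILE_EXTENSION_TLDS


def find_suspect_links(body: str) -> list[tuple[str, str]]:
    """Return (link text, real host) for every link on a .zip/.mov host."""
    hits: list[tuple[str, str]] = []
    explicit = [m.group(0).rstrip(".,;:)") for m in URL_RE.finditer(body)]
    # Blank out explicit URLs so path components like /report.zip inside them
    # are not mistaken for bare hosts in the second pass.
    remainder = URL_RE.sub(" ", body)
    bare = [m.group(0).rstrip(".,;:)") for m in BARE_RE.finditer(remainder)]
    for token in explicit + bare:
        host = real_host(token)
        if host and is_file_extension_tld(host):
            hits.append((token, host))
    return hits


# Constructed sample message: one disguised link, one benign archive link,
# and one bare file name that a mail client would auto-link.
SAMPLE_BODY = """Hi,

Please pull the Q3 numbers from https://docs.example.com@q3-report.zip
before the call. Last quarter's archive is still at
https://files.example.com/archive/q2-report.zip and I also attached
last-year-summary.zip for reference.

Thanks, Steve
"""

if __name__ == "__main__":
    for text, host in find_suspect_links(SAMPLE_BODY):
        print(f"quarantine: {text!r} resolves to host {host}")
```

Run against the sample, the disguised “docs.example.com@q3-report.zip” link and the bare “last-year-summary.zip” are flagged, while the legitimate “files.example.com/archive/q2-report.zip” is not, because its host is files.example.com. Real-world lures push the first trick further by replacing the path slashes before the “@” with look-alike Unicode characters so the whole string reads like an ordinary download link; the host check is unaffected because it never looks at the text before the “@”.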