Google’s recent introduction of .zip and .mov domains has created a stir in the cybersecurity landscape. Threat actors could abuse the new domains to trick unsuspecting users into downloading malicious ZIP and MOV files.
Google’s launch of the ZIP and MOV internet domains last May has sparked a debate among cybersecurity experts, who are concerned about the potential for phishing and malware attacks by threat actors.
Google has released eight new top-level domains (TLDs) that website owners can purchase to host their sites and email addresses. Cybersecurity experts have raised concerns about two of them because malicious actors commonly use .zip files when executing phishing attacks.
The other six TLDs introduced by Google are .phd, .nexus, .dad, .esq, .prof, and .foo. Interestingly, Google introduced the MOV and ZIP domains in 2014, but they were not publicly available until now. Now that website owners can register ZIP and MOV domains, threat actors may find an opportunity to exploit the resulting confusion.
Cybersecurity experts consider these domains risky because the TLDs are identical to file extensions commonly used in phishing lures, and file names with these extensions appear constantly in messages, forum posts, and online discussions.
Many applications and online platforms automatically transform such file names into clickable URLs. With phishing and other breaches on the rise, security experts have warned that attackers are likely to take advantage of this.
What Makes ZIP and MOV Domains a Point of Concern?
MPEG-4 videos and ZIP archives are among the internet’s most widely used file types, with file names ending in .mov and .zip respectively. Internet users routinely post instructions that contain file names with these extensions.
The concern arises now that these file extensions are also TLDs. Some social media sites and messaging platforms will likely convert file names ending in .zip and .mov into URLs automatically.
For instance, if a user sends a message that mentions a MOV or ZIP file by name, the platform may turn that file name into a URL. The recipient, expecting to download the file, clicks the link instead.
The threat is that an attacker can register a .zip domain whose name matches a commonly used file name. Unsuspecting users may be led to the attacker’s site and fall victim to a phishing attack, or download malware because the URL looked like a file from a trusted source.
Cybersecurity experts don’t expect malicious players to register thousands of ZIP or MOV domains to scam a few victims. However, trapping a single corporate employee and installing the malware in the system could jeopardize the entire network.
The concerns among cybersecurity experts aren’t mere speculation. A cyber intelligence organization has already identified a likely phishing page at microsoft-office[.]zip that attempts to steal Microsoft account credentials.
Cybersecurity researchers have started monitoring these domains and studying how phishing links can be built using the userinfo delimiter (@) and Unicode characters in URLs. The research shows how malicious actors can mimic GitHub file download URLs to create phishing URLs that look legitimate, while the potential victim actually lands on a different, fake website.
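To make the two mechanisms above concrete (bare file names that platforms auto-link, and URLs where the userinfo delimiter and Unicode slash lookalikes hide the real host), here is an added Python example that inspects a message from the defender’s side, the way a mail filter or link-scanner plugin might. It is not code from the article or from the researchers it cites. The sample message, the hosts example.com and update.zip, and the set of slash lookalike characters are constructed assumptions for this example.

```python
import re
from urllib.parse import urlsplit

# TLDs that collide with common file extensions (the article's .zip and .mov).
RISKY_TLDS = {"zip", "mov"}

# Characters that resemble "/" and can make the userinfo part of a URL look
# like a path. Assumed, non-exhaustive set chosen for this example.
SLASH_LOOKALIKES = {"\u2215", "\u2044", "\u29f8", "\uff0f"}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Bare file names such as "report.zip" that chat and mail clients may auto-link.
BARE_NAME_RE = re.compile(r"\b[\w.-]+\.(?:zip|mov)\b", re.IGNORECASE)


def analyze_url(url):
    """Return a list of findings for one URL; an empty list means nothing odd."""
    findings = []
    if any(ch in url for ch in SLASH_LOOKALIKES):
        findings.append("unicode slash lookalike in URL")
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        # urlsplit rejects some netlocs whose NFKC form contains '/', '@', etc.
        findings.append(f"unparseable URL: {exc}")
        return findings
    host = (parts.hostname or "").lower()
    # Everything before '@' in the authority is userinfo; the browser
    # actually connects to the part after it.
    if "@" in parts.netloc:
        findings.append(f"userinfo before host; browser will contact {host!r}")
    if any(ord(ch) > 127 for ch in host):
        findings.append("non-ASCII character in host")
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld in RISKY_TLDS:
        findings.append(f"host ends in .{tld} (file-extension TLD)")
    return findings


def scan_message(text):
    """Map each suspicious link or bare file name in a message to its findings."""
    report = {}
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:)")
        findings = analyze_url(url)
        if findings:
            report[url] = findings
    # Blank out full URLs first so their file names are not counted twice.
    remaining = URL_RE.sub(" ", text)
    for name in BARE_NAME_RE.findall(remaining):
        ext = name.rsplit(".", 1)[-1].lower()
        report.setdefault(name, []).append(
            f"bare file name may be auto-linked to the .{ext} domain {name.lower()!r}"
        )
    return report


# Constructed sample message: one harmless link, one bare file name, and one
# link whose real host is hidden behind userinfo and lookalike slashes.
SAMPLE_MESSAGE = (
    "Hi, the build logs are in buildlogs.zip on the share. "
    "Release archive: https://example.com/downloads/release.zip "
    "Mirror: https://example.com\u2215archive\u2215@update.zip"
)

if __name__ == "__main__":
    for item, findings in scan_message(SAMPLE_MESSAGE).items():
        print(item)
        for finding in findings:
            print("   -", finding)
```

The key design choice is to let the URL parser decide what the host is rather than reading the string from the left as a person does: the release link on example.com produces no findings, while the "mirror" link is reported because its authority section contains an @ and the browser would contact update.zip, not example.com. The bare name buildlogs.zip is reported separately, since a platform that auto-links it would send the reader to whoever registered that domain.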
Here’s What Cybersecurity Experts Say
Google’s launch of the ZIP and MOV domains has prompted varied opinions from cybersecurity researchers. Some believe the new TLDs are a genuine threat, while others feel the fears are overblown.
Website owners have already started registering .zip domains that match common ZIP archive names, such as backup.zip, attachment.zip, officeupdate.zip, update.zip, and financialstatement.zip. Open-source developer Matt Holt has also requested that the ZIP TLD be removed from Mozilla’s Public Suffix List, which collects the public top-level domains that browsers and applications rely on.
However, the PSL community (a volunteer-led Mozilla initiative that maintains the Public Suffix List, which helps keep online interactions secure by preventing cookies from being shared between distinct domains) promptly replied that although these TLDs carry some risk, they remain valid.
They therefore should not be removed, since genuine websites would be affected as a result. One expert described the dispute as an example of inadequate coordination between the security and developer communities, which need to engage with each other better to weed out such risks.
How Can Internet Users Remain Safe?
Internet users need to draw their own line of defense against these new threats. There is little reason to worry if you already have adequate defenses against phishing sites.
As standard practice against phishing, cybersecurity experts recommend not clicking links from unknown sources or downloading files from untrusted websites. If you find a .zip or .mov link in your email or inbox, resist the urge to click it immediately.
Check the site’s legitimacy before proceeding. If you aren’t sure the file is safe, don’t open it.
Final Words
The introduction of the two Google TLDs makes a higher level of cyber awareness necessary on your end. Businesses and enterprises can protect themselves by using spam filters to keep malicious emails out of their inboxes.
Avoiding suspicious links and following other cybersecurity best practices remain vital to protecting yourself from emerging threats.