What are the Hidden Dangers of .zip Domains and How Can they Mislead Users?

Google introduced eight new top-level domains (TLDs) at the beginning of May: .dad, .phd, .prof, .esq, .foo, .zip, .mov, and .nexus.

Over time, the nonprofit Internet Corporation for Assigned Names and Numbers (ICANN) has lifted limitations on TLDs, allowing businesses like Google to bid to sell access to more of them.

ICANN is the organization responsible for these TLD delegations; domains ending in strings such as .xyz, .top, and the like are registered under TLDs that ICANN oversees.

The two TLDs “.mov” and “.zip” are particularly well-suited to phishing and other types of online fraud.

Cybercriminals have already begun using .zip names to trick people into believing they are downloadable files rather than URLs.

Avast analysis reveals that one-third of the top 30 .zip domains blocked by its threat detection engines misuse the names of well-known IT firms like Microsoft, Google, Amazon, and PayPal to deceive users into thinking they are files from reputable businesses.

A few TLDs that Avast comes across are practically suspicious on their own. These include, among others, .xyz, .online, .biz, .info, .ru, .life, and .site.

.zip Domain Security Risks

Mimicking Legitimate Companies

According to Avast, a big issue here is the possibility of file confusion and the resulting difficulties in distinguishing between local and remote sources, which might represent a security risk.

For educational purposes, a prototype email can be created that exploits the fact that the visible attachment name and the underlying link may refer to entirely separate destinations.

Experts say that using a .zip domain to trick visitors is rather simple. Furthermore, the link preview can be altered to conceal the protocol, such as HTTP(S).
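One way a mail filter can surface the attachment-versus-link confusion described above, as an added example that is not part of the article or of Avast's own tooling: it parses the HTML body, pairs each link's visible text with the host its href actually resolves to, and flags file-name-looking text that lands on a .zip or .mov host or on a host that differs from the text. The sample mail, the host/text heuristics, and the file-name pattern are constructed assumptions for this illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

FILE_TLDS = {"zip", "mov"}  # TLDs from the article that double as file extensions
FILENAME_RE = re.compile(r"^[\w.\-]+\.(zip|mov|pdf|docx?|xlsx?)$", re.I)  # looks like a file name

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return (text, host, reason) for links whose text and target disagree."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        # A scheme-less href such as "report.zip/" still resolves as a URL in mail clients.
        parsed = urlparse(href if "://" in href else "http://" + href)
        host = (parsed.hostname or "").lower()
        tld = host.rsplit(".", 1)[-1] if "." in host else ""
        if tld in FILE_TLDS and FILENAME_RE.match(text):
            findings.append((text, host, f"file-name text resolves to a .{tld} host"))
        elif tld in FILE_TLDS:
            findings.append((text, host, f"link target is under the .{tld} TLD"))
        elif FILENAME_RE.match(text) and host and host != text.lower():
            findings.append((text, host, "file-name text but link goes elsewhere"))
    return findings

# Constructed sample: two lures that look like attachments and one normal link.
SAMPLE_MAIL = """<p>Please review <a href="https://microsoft-office.zip/">
microsoft-office.zip</a> and the invoice <a href="http://cv3.pdf.zip">cv3.pdf</a>.
Help: <a href="https://example.com/help">example.com/help</a></p>"""

if __name__ == "__main__":
    for text, host, reason in suspicious_links(SAMPLE_MAIL):
        print(f"{text!r} -> {host}: {reason}")
```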

Top Blocked .zip Domains (Data Source: Internal Data Lake: May to June 2023)

The most appealing domains are those that are strongly associated with well-known, significant service providers.

These include microsoft-office[.]zip, microsoft[.]zip, csgo[.]zip, google-drive[.]zip, microsoftonedrive[.]zip, googlechrome[.]zip, and amazons3[.]zip.

Other typical examples combine a “pdf” keyword with a subdomain, namely 226×227.pdf[.]zip, 2023-05.pdf[.]zip, cv3.pdf[.]zip, and temp1_rsbu_12m2021.pdf[.]zip.

Top .zip Blocked Domains (1st April to 20th June)

The .zip domains are attractive and perhaps enticing for fraudsters to use, but they create an audit trail and are simple to block.

Using old WordPress installations or insecure web servers is undoubtedly more difficult than registering a domain. This is also why fewer attacks were blocked than anticipated.

Given the enormous number of .com domains registered, it seems reasonable that Avast's web shield blocks the majority of .com domains. A few domains stand out when the remaining data is examined, though.

File Archiver In The Browser

A new phishing kit, “file archiver in the browser,” exploits ZIP domains by presenting fraudulent WinRAR or Windows File Explorer windows in the browser, tricking users into executing malicious files.

Security researcher mr.d0x revealed a phishing technique that mimics file archiver software such as WinRAR inside the browser, using a .zip domain to enhance its credibility.

The toolkit embeds a counterfeit WinRAR window in the browser page, creating the illusion of opening a ZIP archive and displaying its contents when a .zip domain is visited.

This phishing toolkit may be used by threat actors to steal credentials and spread malware.

Using “chatgpt5[.]zip” to Trick Users

Hackers also use “chatgpt5[.]zip” to trick users into downloading malware. Threat actors employ creative names to disguise phishing attacks, and the new “.zip” TLD introduces a potential threat, with a chatgpt5 lure leading to malicious sites.

With internet evolution, countless gTLDs emerged for personalized web addresses, offering branding chances but also phishing opportunities that demand alertness.

The inclusion of ‘.ZIP’ as a gTLD adds complexity to phishing detection, particularly due to its association with compressed files, increasing confusion and providing phishers with a potent new tool for their attacks.

The hype around ChatGPT led to the registration of “chatgpt5[.]zip” on May 20th, supposedly for the next GPT iteration, but surprisingly it holds a neutral text message instead of malware.

To trick users, threat actors registered “assignment[.]zip” under the pretext of safeguarding students from malware; it redirects visitors to a download of a ZIP archive containing completely safe files.

Exploiting the widespread use of the .ZIP extension, malicious actors create campaigns and websites reminiscent of early domain squatting techniques.

Phishing Attempts Using Popular Office Software Suite Filenames

The cybersecurity company Arctic Wolf has also detected some .zip domains being used in successful phishing attempts that rely on popular office software suite filenames.

Based on the tactics, techniques, and procedures (TTPs) of previous phishing campaigns, they anticipate that further threat actors will continue to employ these TLDs for their phishing domains in the foreseeable future.

Risk of Sensitive Information Exposure

According to Talos, domains using the “.zip” and related TLDs enhance the risk of sensitive information exposure due to accidental DNS requests or web requests.

As soon as the new “.zip” TLDs became available, internet browsers or messaging applications like Telegram started recognizing strings that ended in “.zip” as URLs and automatically hyperlinking them.

Chat applications may even issue a DNS or web request to display a thumbnail of the linked website, which is particularly troublesome.
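A defender-side check for the auto-linking problem described above, as an added example that is not part of the article or of Talos's research: it finds bare tokens that a chat or mail client would hyperlink only because they end in .zip or .mov, and defangs them before the message is sent so that no DNS lookup or preview request follows. The token pattern, the sample message, and the assumption about how clients linkify are my own for this illustration.

```python
import re

# TLDs named in the article whose strings double as file extensions.
FILE_EXTENSION_TLDS = ("zip", "mov")

# A bare host-like token: dot-separated labels ending in a risky TLD. The
# lookbehind skips anything already inside a scheme://, path, or e-mail address.
_TOKEN_RE = re.compile(
    r"(?<![\w/@.\-])((?:[a-z0-9](?:[a-z0-9\-]{0,61}[a-z0-9])?\.)+(%s))\b"
    % "|".join(FILE_EXTENSION_TLDS),
    re.IGNORECASE,
)


def linkifiable_tokens(text):
    """Return tokens that a chat or mail client would likely turn into links."""
    return [m.group(1) for m in _TOKEN_RE.finditer(text)]


def defang(text):
    """Replace the last dot of each risky token with '[.]' so no lookup occurs."""
    def _repl(m):
        head, _, tld = m.group(1).rpartition(".")
        return f"{head}[.]{tld}"
    return _TOKEN_RE.sub(_repl, text)


# Constructed chat message: an archive name, a clip name, and a legitimate
# URL that must be left untouched.
SAMPLE = ("Attached the logs in incident-2023-05.zip and the screen recording "
          "demo.mov; ticket is at https://tracker.example/issues/42")

if __name__ == "__main__":
    print(linkifiable_tokens(SAMPLE))  # ['incident-2023-05.zip', 'demo.mov']
    print(defang(SAMPLE))
```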

Additionally, abuse of these domains is not theoretical, with cyber intel firm Silent Push Labs already discovering what appears to be a phishing page at microsoft-office[.]zip attempting to steal Microsoft Account credentials.

These developments have sparked a debate among developers, security researchers, and IT admins, with some feeling the fears are not warranted and others feeling that the ZIP and MOV TLDs add unnecessary risk to an already risky online environment.

Recommendation

  • Any .zip top-level domains (TLDs) should be used with caution.
  • Keep a tight check on your business's online traffic, especially looking for any odd activity connected to .zip TLDs.
  • Consider putting in place extra filters for emails that include .zip TLDs in their content, to further safeguard against possible dangers.
  • Always keep your antivirus software updated to guarantee that it is as effective as possible against the most recent threats.
  • To keep ahead of potential risks, read security alerts and updates about developing threats frequently.


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.