Two of the entries among Google’s latest crop of approved top-level domains, “.zip” and “.mov,” are causing some controversy for reasons that are probably apparent to longtime computer users. Some security experts say that these domains create unacceptable new cyber risks, while others believe that the new threats will be minimal. The debate is already being put to the test, as at least one phishing site has been discovered at a “.zip” domain corresponding to popular software.
New cyber risk up for debate, but threat actors are already active
It remains to be seen exactly how serious of a cyber risk these new top-level domains will be, but some system administrators are already blocking them out entirely as phishing sites emerge and security researchers demonstrate how legitimate URLs can be convincingly modified to trick victims.
The strongest argument against the new top-level domains, at least at present, seems to be that there is no substantial organic demand for them. 7Zip was quick to register a domain for itself, but few other businesses come readily to mind when thinking of how these two domain names might be applied. They seem to be of more interest to threat actors than anyone else, especially those that like to employ a ZIP file as part of their attack chain.
Some of the domain names that present the greatest cyber risk have already been registered, and some appear to be in the hands of cybersecurity professionals or people only interested in harmless jokes (“Rickrolling” seems to be an extremely popular use for the new top-level domains). But many have been left to wonder why ICANN and IANA would sign off on applications for domains of this sort, particularly when they have banned similar abuse-friendly names with little commercial upside (like “.invalid”) before.
New top-level domains used for phishing
Some online platforms, discussion forums and pieces of software will automatically turn a fragment of text into a URL if they believe that was the user’s intention. That could be a problem whenever anyone references a ZIP or MOV file going forward. With the new top-level domains in place, the software might turn a plain file name such as “report.zip” into a clickable link to a domain of the same name, and that URL could possibly lead to an attack site.
At least one malicious actor, whoever registered “microsoft-office” with the ZIP domain, appears to be banking on this possibility. That site displays a phishing page made up to look like a typical login page for Microsoft accounts. And security researcher Bobby Rauch has demonstrated that GitHub (among numerous other sites) could be vulnerable to a link-altering attack that targets a Unicode character issue in the Chrome browser. Attackers could replace legitimate forward slashes with a lookalike character that Chrome renders as a slash, add an “@” before the true destination so that everything preceding it is treated as user information rather than the host, and send people who believe they are accessing a legitimate file download to an attack site instead.
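The two concerns above, file names that an auto-linker would turn into links and URLs whose visible path is really user information in front of an “@”, can both be checked mechanically. The following is an added example written for this article, not code from the article, from Bobby Rauch or from Google: it flags file-name-like tokens ending in .zip or .mov in a block of text, and it resolves where a URL actually points by treating everything before the last “@” in the authority as user information. The list of slash-lookalike code points and all sample URLs (on example.com) are constructed assumptions for the example; a deliberately minimal authority parser is used instead of urllib because urllib rejects or normalizes some of these characters, which would hide the very thing the check is looking for.

```python
import re

# TLDs discussed in the article; tokens ending in these look like file names.
RISKY_TLDS = {"zip", "mov"}

# Code points that render like "/" in common fonts. Assumption for this
# example: the article names the technique but not the exact characters.
SLASH_LOOKALIKES = {
    "\u2215": "DIVISION SLASH",
    "\u2044": "FRACTION SLASH",
    "\uff0f": "FULLWIDTH SOLIDUS",
    "\u29f8": "BIG SOLIDUS",
}

# A bare token such as "report.zip" that an auto-linker could promote to a host.
FILENAME_RE = re.compile(r"\b([A-Za-z0-9][A-Za-z0-9_-]*)\.(zip|mov)\b", re.IGNORECASE)


def find_autolinkable_filenames(text):
    """Return file-name-like tokens that an auto-linker could turn into .zip/.mov hosts."""
    return [m.group(0) for m in FILENAME_RE.finditer(text)]


def split_authority(url):
    """Minimal split of scheme://authority/rest into (authority, rest).

    Kept independent of urllib on purpose: the lookalike characters must reach
    the analysis unchanged rather than being rejected or NFKC-normalized.
    """
    _, sep, rest = url.partition("://")
    if not sep:
        return "", url
    end = len(rest)
    for stop in "/?#":
        idx = rest.find(stop)
        if idx != -1:
            end = min(end, idx)
    return rest[:end], rest[end:]


def analyze_url(url):
    """Report the real destination host of a URL and the tricks the article describes."""
    findings = []
    for ch, name in SLASH_LOOKALIKES.items():
        if ch in url:
            findings.append(f"contains U+{ord(ch):04X} {name}, which renders like '/'")
    authority, _ = split_authority(url)
    # Per the URL syntax, everything before the last "@" in the authority is
    # user information; only what follows it is the host the browser contacts.
    userinfo, at, hostport = authority.rpartition("@")
    if at:
        findings.append(f"userinfo '{userinfo}' precedes '@' and is not the destination")
    host = hostport.split(":", 1)[0].lower()
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld in RISKY_TLDS:
        findings.append(f"real destination host '{host}' ends in .{tld}")
    return {"host": host, "findings": findings}


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    message = "Please see report.zip and demo.mov; the figures are in data.xlsx"
    print(find_autolinkable_filenames(message))
    for sample in (
        "https://example.com/downloads/release.zip",
        "https://example.com\u2215downloads\u2215@release.zip",
    ):
        print(sample, "->", analyze_url(sample))
```

The second sample looks like a download path on example.com when displayed with the division slash, but `analyze_url` reports `release.zip` as the host actually contacted. Running the same check over links in inbound mail or chat messages, and treating any hit as worth a second look, is the defender-side counterpart of the attack described above.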
Administrators will have to weigh the cyber risk of these new top-level domains against how likely it is that access to a legitimate one will be needed during normal business operations. But if these domains end up being widely blocked, they will likely plummet in price, which will make them attractive only to a criminal element.