Summary
A month ago, Google released eight new top level domains (TLD). Two of them (.zip and .mov) have been a cause for concern because they are similar to well known file extensions. Both .zip and .mov TLD are not new, as they have been available since 2014. The main concern is that anyone now can own a .zip or .mov domain and be abused for social engineering at a cheap price.
Because both of these TLDs are indistinguishable from the file extensions, they can be a great bait for threat actors. In this blog post, we will provide some samples of how threat actors can take advantage of .zip and .mov domains, and provide the current state of these domains just a month after their release.
The risks of .zip and .mov domains
ZIP and MOV are ubiquitous file extensions with which most users will be familiar. ZIP files are compressed archives used to store one or more files and are natively supported by every major OS. MOV is a popular video format that is widely used on Apple platforms and is the default format of videos in iOS devices.
The risk with the .zip and .mov domains is that attackers will be able to craft URLs that appear to be delivering ZIP and MOV files, but instead will redirect victims to malicious websites. Crafting URLs that look benign to the victims, but are actually malicious, is a common social engineering technique used by attackers. Some examples of domain spoofing techniques include IDN homograph or typosquatting where attackers register domains with typographical similarities to legitimate ones.
URL Scheme Abuse
One way attackers can take advantage of the .zip domain is through the URL scheme abuse. The sample malicious email below purports to be HR from a company that sends a “year-end performance review”. Users who have gone through phishing awareness drills might check if the domain of the URL is legitimate and might sometimes hover over the URL to see if it resolves to the same link. However when the user clicks on the link, they would actually go to the domain “year-end.zip” because anything before the “@” sign is considered user info and that is stripped off by some browsers.
From this example, threat actors may host a malicious file from the “year-end.zip” domain, or just phish for the target’s login information.
And since .zip domains are now available to the public, attackers can register domains that look like compressed files to use them in attacks, like the one we demonstrated above.
Here are some domains that were created to look like .zip files that Netskope Threat Labs has found as we monitor for abuse.
Event Driven Phishing
Another way threat actors can abuse the .zip domain is through event driven phishing. Scammers are known to use significant events as social engineering bait. For example, during the height of the COVID-19 pandemic, there was a lot of COVID-themed phishing. Similarly, tax-themed phishing usually comes along just in time for filing income tax returns. We can expect future significant events will be used as a theme for phishing emails. Combining this strategy with a .zip TLD can be a great tool for attackers, especially for event themes where users expect to receive file attachments.