
[Mini] .ZIP becomes a TLD. Immediately used for Phishing, Data Leaks

rcmaehl

Summary

Google released a new TLD recently, .ZIP, which has immediately been used for phishing.

 

Media: [image: microsoft phishing zip]

 

Quotes

Google released .zip to the public recently. Cyber criminals are already using .zip domains in phishing campaigns. About 1230 names have been registered so far. The top level domain was approved in 2014, but it took Google until May 2023 to unlock it for public [use]. Google has reduced the registration price to $15 per year for a .zip... less than half the previous price. The price drop appears to have increased interest in .zip domains, and some new registrations are already used in phishing campaigns. The .zip extension allows cyber criminals to run phishing campaigns that abuse the fact that .zip is a popular file extension and also a top level domain. Domains such as officeupdate.zip or microsoft-office.zip have already been used. Use in phishing campaigns is just one new option that cyber criminals have when it comes to .zip domains. Some applications may attach hyperlinks to ZIP file names now, which may lead to the firing of DNS queries and the leaking of information to the .zip domain. Other new top level domains might cause similar issues. .mov is also available... and it too is a file extension, albeit not as popular as .zip.

 

My thoughts

Well, this seems like an absolutely idiotic move. I'm considering registering some common .zip file names just to see what kind of traffic I get. I'm just surprised that such a popular file extension was allowed to become a TLD. Sure, there are a lot of extensions that are probably already a TLD, but none this popular.

 

Sources

Ghacks (quote source)

Financialstatement.zip (currently ragging on Google)



 


I don't really see how this is any worse than the countless other phishing sites that look similar to legitimate ones.

I don't think people are more or less likely to fall for a scam like this just because it ends in .zip.

 

It's a pretty funny/cool TLD however. 


1 minute ago, CarlBar said:

What the hell is a TLD?

.com .org .net .gov .co.uk .zip .info

 

et al



 


15 minutes ago, LAwLz said:

I don't really see how this is any worse than the countless other phishing sites that look similar to legitimate ones.

I don't think people are more or less likely to fall for a scam like this just because it ends in .zip.

 

It's a pretty funny/cool TLD however. 

Problem is, .zip has been a common file extension for over 30 years. This could catch even experienced users (who are unaware of the new TLD) who would assume it's just a link to a file.

 

11 minutes ago, CarlBar said:

What the hell is a TLD?

Top Level Domain, like .com, .net, .gov, .horse...


7 minutes ago, CarlBar said:

What the hell is a TLD?

Top Layer Domain. As in www.linustechtips.com, you basically have three addresses (domains): www is under linustechtips, which can be found from com.

 

I too don't see anything here more dangerous than what we already have. It's already an everyday thing to see "microsoft.com.jkfdhakh.xyz" domains trying to be presented as microsoft.com. Hell, they can be even longer and with dashes to really try to hide the actual domain beneath subdomains. Not to mention using some real domain but redirecting it halfway to somewhere else.


49 minutes ago, Needfuldoer said:

Problem is, .zip has been a common file extension for over 30 years. This could catch even experienced users (who are unaware of the new TLD) who would assume it's just a link to a file.

I just don't really see how that makes it more susceptible to scams.

 

If we're talking about the links themselves then it doesn't matter, because we can change links to say whatever we want such as google.zip going to google.com.

If we are talking about people who already opened the link and look in their browser address field to try and decipher if it's a scam or not then I don't think microsoft-office.zip would tip them off more than microsoft-office.xyz would.

 

I don't think this will make a difference in terms of the amount of scams or how many fall for the scams. Hopefully I am not wrong but maybe we will see.


Thought it was about extensions and maybe a bit like a crypto address. But I guess it's more like those domains, like a ".com" etc.

But I have never liked the "progression" of web URLs, be it redirects, tiny links, or certain pages on a site falling into other areas like .html or .co.uk (country or file specific) etc. How the f** would I know which one of them is real as an average user, and if it was a bad redirect?

The worst part is if it got into other parts of the system, like a real enough Microsoft email with this link; I think it could be a new thing / new process.
To me, most emails now are just an insecure hell hole, and that's why I like to go to the site instead of through some wtf link to who knows where.


Popularize not using any site that isn't .com, .org, or .edu. 


4 hours ago, DrMacintosh said:

Popularize not using any site that isn't .com, .org, or .edu. 

Or the country specific ones like .co.uk, .de, etc.


18 hours ago, DrMacintosh said:

Popularize not using any site that isn't .com, .org, or .edu. 

Don't forget .gov! If anything, a .gov could be considered much more legitimate at a glance as it should be more involved to get registered to such a TLD.

 

Source: https://get.gov/registration/requirements/


Apparently .zip is going to become a new top level domain. There are concerns that it could be used to facilitate attacks. What do you guys think about this situation?

 

Additional reading: <link removed>

Edited by SansVarnic
Link removed

1 hour ago, Wireless G-Spot said:

Apparently .zip is going to become a new top level domain. There are concerns that it could be used to facilitate attacks. What do you guys think about this situation?

 

Additional reading: <removed>

Just be careful what you download...

Edited by SansVarnic
Removed content.


1 hour ago, Wireless G-Spot said:

Apparently .zip is going to become a new top level domain. There are concerns that it could be used to facilitate attacks. What do you guys think about this situation?

 

Additional reading: <removed>

Doesn't really change anything.

Probably the biggest ones would be hiding hyperlink objects as zip files, but at that point you have way earlier steps in cybersecurity to patch up, like downloading files from unknown sources and having some malware already in your system that would change the icons of hyperlinks to zip-file icons.

 

But otherwise, nothing that cannot be done already or doesn't happen whenever a new TLD is launched.
Like already, if you don't really read the link you are jumping into and don't notice the "www.microsoft.google.com.hgfioehfe.xyz" trap, having a .zip domain really doesn't make things any different.

Edited by SansVarnic
Removed content.

Wouldn't it be pretty easy to just block .zip domains across the board on your firewall?

 

I can't imagine legitimate companies / sites using this. Honestly, how many sites do you use that aren't .com or .org? I'll occasionally come across the rare .net, but honestly I could likely even block that and be fine.

 

I didn't even bother to register other versions of my own domain.


-= Shortened Link Removed =-

Shortened links are not allowed, please post only full links.


18 minutes ago, OhioYJ said:

Wouldn't it be pretty easy to just block .zip domains across the board on your firewall?

 

I can't imagine legitimate companies / sites using this. Honestly, how many sites do you use that aren't .com or .org? I'll occasionally come across the rare .net, but honestly I could likely even block that and be fine.

 

I didn't even bother to register other versions of my own domain.

I'm gonna need to find a guide to literally block all .zip on my pfSense box.


6 minutes ago, CerealExperimentsLain said:

I'm gonna need to find a guide to literally block all .zip on my pfSense box.

I'm not too worried about it yet. It looks like it's built into pfBlockerNG.

 

Based on this very old post. I haven't logged into my box to see if those instructions still line up with newer versions at all yet.


3 minutes ago, OhioYJ said:

I'm not too worried about it yet. It looks like it's built into pfBlockerNG.

 

Based on this very old post. I haven't logged into my box to see if those instructions still line up with newer versions at all yet.

Eh, I've seen some examples of 'URLs that would trick users' and while I consider myself computer savvy, some of those I'd fall for at a glance. Especially if, say, searching for old abandonware PC titles from 'typical sorts of websites' for the sake of my retro PC gaming hobby.


12 hours ago, CerealExperimentsLain said:

Eh, I've seen some examples of 'URLs that would trick users' and while I consider myself computer savvy, some of those I'd fall for at a glance. Especially if, say, searching for old abandonware PC titles from 'typical sorts of websites' for the sake of my retro PC gaming hobby.

Yeah, especially online. I'd now have to verify if a .zip link on a form is to an attachment or to an external site


2 hours ago, rcmaehl said:

Yeah, especially online. I'd now have to verify if a .zip link on a form is to an attachment or to an external site

If it's an attachment, it's always a file.

If it's a link, you can tell because it will open in your browser (which usually doesn't open .zip files), and it will be a domain name (www.test.zip) instead of a URI with a path in it (www.test.zip/test.zip).

 

But to the people who are worried about getting scammed, you shouldn't open strange links or download strange files anyway. This would only be an issue if you used to trust random .zip files someone sent you, which you shouldn't have done to begin with. 

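A defender-side check for two points raised in this thread: the Ghacks note that applications may auto-link bare ZIP file names (firing DNS queries to a .zip domain), and the later point that a link has to be judged by its host rather than by how its text ends. This is an added example, not code from the original thread or from any product mentioned in it; the FILE_EXTENSION_TLDS set and the regex are my own assumptions and are illustrative, not exhaustive.

```python
import re
from urllib.parse import urlsplit

# TLDs that collide with common file extensions (assumption: illustrative, not exhaustive).
FILE_EXTENSION_TLDS = {"zip", "mov"}

# A bare token that looks like a file name with a colliding extension, e.g. "report.zip",
# and is not already part of a URL path or e-mail address. Naive auto-linkers turn such
# tokens into http://report.zip links, and every hover or preview then fires a DNS query.
BARE_NAME_RE = re.compile(r"(?<![\w/@.])([A-Za-z0-9][\w.-]*\.(?:zip|mov))(?![\w/])", re.I)

def _split(href: str):
    """urlsplit with a scheme forced on, so 'www.test.zip' parses as a host, not a path."""
    return urlsplit(href if "://" in href else "http://" + href)

def classify_link(href: str) -> str:
    """Judge a link by its host: 'www.test.zip/test.zip' is a site under .zip, not a download."""
    parts = _split(href)
    host = (parts.hostname or "").rstrip(".").lower()
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld in FILE_EXTENSION_TLDS:
        return "domain-with-file-extension-tld"
    if parts.path.lower().endswith(tuple("." + t for t in FILE_EXTENSION_TLDS)):
        return "file-download"
    return "ordinary"

def text_href_mismatch(link_text: str, href: str) -> bool:
    """True when the visible text is a file-like name (google.zip) but the target host differs."""
    m = BARE_NAME_RE.fullmatch(link_text.strip())
    if not m:
        return False
    return (_split(href).hostname or "").lower() != m.group(1).lower()

def find_autolink_risks(text: str) -> list[str]:
    """Bare 'name.zip' tokens in free text that an auto-linker could turn into live domains."""
    return [m.group(1) for m in BARE_NAME_RE.finditer(text)]

if __name__ == "__main__":
    # Constructed sample message, not a real phishing e-mail.
    body = "Please review financialstatement.zip and http://example.com/archive.zip today."
    print(find_autolink_risks(body))                        # ['financialstatement.zip']
    print(classify_link("https://www.test.zip/test.zip"))   # domain-with-file-extension-tld
    print(text_href_mismatch("google.zip", "https://google.com"))  # True
```

A mail or chat client that runs find_autolink_risks before auto-linking can leave such tokens as plain text, and a link scanner can use classify_link to treat any .zip-hosted target as a web site rather than an attachment.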
