Registrations of domains likely to be abused are rising after the arrival of top-level domains that can be confused with file extensions, such as ``.zip'' and ``.mov''



In May 2023, Google Registry, Google's domain registry service, opened general registration for eight new top-level domains (TLDs). Two of them, ``.zip'' and ``.mov'', are also widely used as file extensions, and it has already been reported that many domains likely to be abused have been registered under them.

New ZIP domains spark debate among cybersecurity experts
https://www.bleepingcomputer.com/news/security/new-zip-domains-spark-debate-among-cybersecurity-experts/



The Dangers of Google's .zip TLD. Can you quickly tell which of the URLs… | by Bobbyr | May, 2023 | Medium
https://medium.com/@bobbyrsec/the-dangers-of-googles-zip-tld-5e1e675e59a5

Google's .zip and .mov domains aren't the end of the world • The Register
https://www.theregister.com/2023/05/17/google_zip_mov_domains/

A TLD is the final label of a domain name, the right-hand end of the hostname in a URL; well-known ones include '.com', '.net' and '.org'. Google Registry has now opened registration for the TLDs ``.dad'', ``.esq'', ``.prof'', ``.phd'', ``.nexus'', ``.foo'', ``.zip'' and ``.mov'', so individuals and businesses can buy them to host websites and email addresses.

Among these, however, '.zip' is widely used as the extension of ZIP, a file format for compressed data and archives, and '.mov' is widely used as the extension for multimedia files such as movies.

Many internet and web services automatically turn a URL-like string in a message into a link, so that the reader can click or tap it to go to the website. With these TLDs, a reader who believes they are opening a ZIP or MOV file is instead sent to a website, with the risk of landing on a phishing page or installing malware.

As a test, I sent a direct message on Twitter reading: 'First, open the test.zip file, then search for the test.mov file. When you find the test.mov file, double-click it to watch the video.' The strings ``test.zip'' and ``test.mov'' were recognized as URLs and turned into links, and clicking them navigated to the website.



When such a URL appears in a message, a reader may take it to mean 'Download the file at this link'. It has been pointed out that if a malicious actor registers domains such as 'test.zip' and 'test.mov' and runs a malicious website on them, this poses a security risk.
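As an added illustration (not code from the article, from Twitter, or from any real service), the following simplified JavaScript auto-linker shows the mechanism behind the test above: a token becomes a link as soon as its last label is a recognized TLD, so a file name such as 'test.zip' turns into a clickable link to https://test.zip once '.zip' is in the TLD list. The TLD list and the sample message are constructed for the example; the helper also reports tokens whose TLD doubles as a file extension so that a service could treat them with more care.

```javascript
// Added example: a simplified auto-linker of the kind messaging services run over
// plain text. It is not the code of any real service; the TLD list and the sample
// message below are constructed for illustration.

// The eight TLDs named in the article plus a few older ones. ".pl" (Perl, Poland)
// and ".sh" (shell scripts) were already both extensions and TLDs before 2023.
const TLDS = new Set([
  "dad", "esq", "prof", "phd", "nexus", "foo", "zip", "mov",
  "com", "net", "org", "pl", "sh",
]);

// TLDs that are also widely used as file extensions: a reader may expect a file,
// not a website, so links ending in these deserve extra scrutiny.
const FILE_EXTENSION_TLDS = new Set(["zip", "mov", "pl", "sh"]);

// A bare host: one or more dotted labels followed by an alphabetic last label.
const BARE_HOST_RE = /\b((?:[a-z0-9-]+\.)+)([a-z]{2,})\b/gi;

// Escape the message before inserting it into HTML so the linker itself cannot
// be used to inject markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Turns host-like tokens into anchors. Returns the HTML and the list of tokens
// that read as file names but now resolve as domains.
function linkify(text) {
  const flagged = [];
  const html = escapeHtml(text).replace(BARE_HOST_RE, (token, labels, last) => {
    const tld = last.toLowerCase();
    if (!TLDS.has(tld)) return token;            // e.g. "README.txt": not a TLD, stays plain text
    if (FILE_EXTENSION_TLDS.has(tld)) flagged.push(token);
    return `<a href="https://${token}">${token}</a>`;
  });
  return { html, flagged };
}

// Constructed message, modelled on the direct message used in the article's test.
const SAMPLE =
  "First, open the test.zip file, then search for the test.mov file. README.txt stays a file.";

const result = linkify(SAMPLE);
console.log(result.flagged);   // [ 'test.zip', 'test.mov' ]
console.log(result.html);
```

The same regex that makes 'www.example.com' clickable makes 'test.zip' clickable; the only thing that changed in 2023 is the contents of the TLD list, which is why the flagged list, not the linker, is where a service would have to add a warning or a confirmation step.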

Should the '.zip' domain, which has begun general registration, be revoked? -GIGAZINE



Cyber intelligence company Silent Push Labs has already reported that the domain 'microsoft-office.zip' has been registered and is serving a website believed to be intended for phishing.



Security researcher Germán Fernández has also reported that many domains easily confused with real services and software have already been registered, such as ``chrome-installer.zip'', ``documents-buckup.zip'', ``google-analytics.zip'', ``microsoftoutlook.zip'' and ``office365-update.zip''.



Security researcher Bobby Rauch also notes that Unicode characters that look like a '/' but are not can be used to build phishing links that fool Chrome, and that inserting an '@' into a URL turns everything before it into user information rather than the host, so a link that appears to point to a file download can in fact lead to a website on a '.zip' domain. He explained that there are various such avenues for abuse.
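As an added example (not Rauch's own code and not from the article), the following JavaScript uses the URL parser built into Node.js and browsers, which follows the WHATWG URL Standard, to show why the two tricks only work together: everything between '//' and the last '@' of the authority is treated as user information rather than the host, and a look-alike such as U+2215 (division slash) is not a path separator, so it does not end the authority the way a real '/' would. The domains 'example.com' and 'example.zip' and the paths are constructed for the example.

```javascript
// Added example (not from Rauch's post or the article): how a WHATWG-compliant URL
// parser (the global URL class in Node.js, also used by browsers) resolves links
// that combine '@' with slash look-alikes. All URLs here are constructed.

// Code points that render like '/' but are not path separators.
const SLASH_LOOKALIKES = /[\u2215\u2044\uFF0F\u29F8]/; // ∕ ⁄ ／ ⧸

// Where the parser will actually send the user, plus signals a link checker can use.
function realDestination(urlString) {
  const url = new URL(urlString);
  return {
    host: url.hostname,
    userInfo: decodeURIComponent(url.username),   // what the '@' demoted to user info
    hasUserInfo: url.username !== "" || url.password !== "",
    hasSlashLookalike: SLASH_LOOKALIKES.test(urlString),
  };
}

// What a reader is likely to take for the site: the text after "//" up to the first
// character that looks like a separator, counting the look-alikes as separators.
function apparentHost(urlString) {
  const afterScheme = urlString.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "");
  return afterScheme.split(/[\/\u2215\u2044\uFF0F\u29F8@?#]/)[0].toLowerCase();
}

// A link is deceptive when the host the parser resolves differs from the apparent one.
function isDeceptive(urlString) {
  return realDestination(urlString).host !== apparentHost(urlString);
}

// With real slashes the '@' is just a path character: the host stays example.com.
const HONEST = "https://example.com/downloads/report@example.zip";
// With U+2215 in place of '/', nothing ends the authority before the '@', so the
// parser treats "example.com∕downloads∕report" as user info and example.zip as the host.
const DISGUISED = "https://example.com\u2215downloads\u2215report@example.zip";

console.log(realDestination(HONEST).host, isDeceptive(HONEST));        // example.com false
console.log(realDestination(DISGUISED).host, isDeceptive(DISGUISED));  // example.zip true
```

A link checker or mail gateway can use the same two signals: a non-empty user-info component in an http(s) link, and any slash look-alike before the host, are both rare in legitimate links and cheap to detect before the message is rendered.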

However, some experts, such as Eric Lawrence, who works on Microsoft Edge, and Troy Hunt, developer of the breach notification service 'Have I Been Pwned?', argue that '.zip' or '.mov' becoming a TLD is not a big deal.

Lawrence pointed out that '.zip' could be slipped into a URL long before now, and that web services and applications recognizing '.zip' as a URL is the same problem that has long existed with ``.pl'', which is both the extension of Perl programs and the country-code TLD for Poland. Automatic linking can direct users to unintended websites, but in his view it is not a very attractive attack vector.

Hunt also pointed out that it is hard for humans to tell a legitimate URL from an illegitimate one in the first place, and that ``.zip'' becoming a TLD makes little difference.



In a statement to the tech news site BleepingComputer, Google said: ``The risk of confusion between domain names and file names is not a new one. Google takes phishing and malware seriously, and Google Registry has existing policies and mechanisms to suspend or remove malicious domains across all TLDs, including .zip. We will continue to monitor the usage of .zip and other TLDs and take appropriate action to protect our users if new threats emerge.''

BleepingComputer wrote: 'As we all know, clicking links or downloading files sent by people or websites you don't trust is dangerous. As with any link, if you see a .zip or .mov link, look it up before clicking it. If you are still not sure the link is safe, don't click it. Following these simple steps will keep the impact of the new TLDs minimal and will not significantly increase risk.'

in Software,   Web Service,   Security, Posted by log1h_ik