Google’s New .Zip and .Mov TLDs Spark Phishing Fears by Experts

Author: James Greening

June 8, 2023

We are all familiar with websites that have suffixes such as .com, .net and .org. These suffixes are called top-level domains (TLDs) and as per the Internet Assigned Numbers Authority (IANA), there are nearly 1,500 different TLDs managed by various registries. Over the years, there has been an expansion in the list of TLDs with additions like .xyz, .io, .ai and more.

Though TLDs themselves are harmless, hackers and scammers often combine domain names and TLDs to create malicious websites and links. For example, there is nothing stopping a scammer from purchasing a domain name like ‘amazon12[.]net’ and using it to host a nefarious website or to create look-alike email addresses.

TLD abuse is rampant in phishing campaigns, where an email may appear to originate from an official address but is actually sent from a copycat one, for example ‘order-update@amazon12[.]net’. These tactics work because when someone sees the name of a trusted brand in a URL or email address, they are more likely to click on links leading to malicious websites and files.

New ‘.Zip’ TLD Courts Controversy for Google 

In May 2023, Google Registry announced 8 new top-level domains, namely, .dad, .phd, .prof, .esq, .foo, .zip, .mov and .nexus. Cybersecurity experts raised flags about two of these TLDs - .zip and .mov - for being easily exploitable by hackers, scammers and spammers.

The criticism stems from the fact that .zip and .mov are two of the most popular computer file format extensions. TLDs being identical to file extensions is an existing problem: .com is also an MS-DOS executable file format, Poland’s .pl is also the extension for Perl scripts, and .sh stands for both Saint Helena and Unix shell scripts. However, the ubiquity of .zip and .mov files makes these new TLDs potentially far more harmful.

.zip is the file extension for compressed file archives and .mov is one of the most common video file extensions. These file types are often included in email attachments, so a cybercriminal could theoretically purchase a .zip domain with the same name as a commonly used filename, such as “report.zip”, and direct victims via email to a phishing site serving malware.

The threat is magnified when messaging platforms and social media sites automatically convert file names with .zip and .mov extensions into URLs. In the Twitter example below, a message instructing someone to open a zip file and play a MOV file has both filenames converted into clickable URLs.

Source: BleepingComputer
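The auto-linkification problem described above is something a mail gateway or chat-moderation bot can check for on the defender’s side. The Python below is an added example, not code from the article, BleepingComputer or any platform it mentions: it finds bare tokens such as report.zip that a linkifier would render as a .zip or .mov hostname, and rewrites them using the ‘[.]’ convention the article itself uses so they no longer parse as links. The regular expression, the function names and the sample sentences are constructed for this example.

```python
import re

# TLDs that collide with ubiquitous file extensions (the two named in the article).
RISKY_TLDS = ("zip", "mov")

# Matches a bare host-like token such as "report.zip" or "files.video.mov":
# one or more DNS labels (letters, digits, hyphens) ending in a risky TLD.
# The lookbehind rejects tokens that are already part of a URL path, an
# e-mail address or a longer word, so "https://example.com/report.zip" is
# left alone (it is a path component there, not a hostname).
_HOST_RE = re.compile(
    r"(?<![\w./@-])"
    r"((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
    r"(?:" + "|".join(RISKY_TLDS) + r"))"
    r"(?![\w-])",
    re.IGNORECASE,
)


def find_linkifiable_filenames(text):
    """Return the tokens in `text` that read like filenames but that an
    auto-linkifier would turn into clickable .zip/.mov hostnames."""
    return [m.group(1) for m in _HOST_RE.finditer(text)]


def defang(text):
    """Rewrite the last dot of each flagged token as '[.]' so the token no
    longer parses as a hostname; the rest of the text is unchanged."""
    def _sub(match):
        token = match.group(1)
        stem, _, tld = token.rpartition(".")
        return f"{stem}[.]{tld}"
    return _HOST_RE.sub(_sub, text)


if __name__ == "__main__":
    # Constructed sample message of the kind the article describes.
    message = "Please open report.zip and then play video.mov before the call."
    print(find_linkifiable_filenames(message))
    print(defang(message))
```

A gateway would apply `defang` to outbound or inbound plain text, or use `find_linkifiable_filenames` to attach a warning; either way the decision is made before the client’s own linkifier sees the text.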

.Zip TLD Already Being Used for Phishing Lures

Netcraft investigated existing .zip TLD registrations and confirmed that there is already evidence of fraudulent activity. The investigation uncovered 5,000 registered .zip domains, and phishing pages impersonating brands such as Google, Microsoft and Okta were discovered on five of them.

microsoft-office[.]zip initially displayed ‘This is not a microsoft page’; an hour later it had been modified to resemble a genuine Microsoft sign-in page.

Sign-in panels displayed on microsoft-office[.]zip (Source: Netcraft)

Many registered domains are likely to be bad-faith registrations, including:

  • Domains containing known brand names
  • Domains that mention ‘installer’ or ‘update’
  • Domains that mention banks by name, such as bankofamericasecurities[.]zip
  • Domains such as ‘attachment[.]zip’ or ‘video[.]mov’ that can plausibly appear in emails where the victim expects to download a file but is instead taken to the domain
  • Domains that served or redirected to a .zip file; at least two of these were zip bombs intended to disable antivirus software
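The list above reads as a triage checklist for newly registered .zip and .mov names. As an added example (not Netcraft’s or the article’s code), the Python below applies those heuristics to a batch of domains and ranks the ones that trip them. The brand, bank and filename word lists are constructed from the names the article mentions and stand in for a defender’s own lexicons; the redirect-to-.zip-file check from the last bullet needs a fetch of the site and is out of scope here.

```python
from dataclasses import dataclass, field

# Constructed lexicons for this example. The brand and bank names are the
# ones the article mentions; a real deployment would load its own lists.
BRANDS = ("google", "microsoft", "okta", "amazon")
BANKS = ("bankofamerica",)
INSTALL_WORDS = ("installer", "install", "update", "setup", "patch")
# Labels that read like a file the recipient expects to download.
FILENAME_WORDS = ("attachment", "video", "report", "document", "invoice", "download")
RISKY_TLDS = ("zip", "mov")


@dataclass
class Verdict:
    domain: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self):
        return bool(self.reasons)


def assess_domain(domain):
    """Apply the bad-faith heuristics from the article to one registered name."""
    d = domain.lower().rstrip(".")
    verdict = Verdict(d)
    labels = d.split(".")
    # Only .zip / .mov names are in scope, and a bare TLD has no label to judge.
    if len(labels) < 2 or labels[-1] not in RISKY_TLDS:
        return verdict
    # Strip dots and hyphens so "microsoft-office" still matches "microsoft".
    name = "".join(labels[:-1]).replace("-", "")
    for brand in BRANDS:
        if brand in name:
            verdict.reasons.append(f"brand name: {brand}")
    for bank in BANKS:
        if bank in name:
            verdict.reasons.append(f"bank name: {bank}")
    for word in INSTALL_WORDS:
        if word in name:
            verdict.reasons.append(f"installer/update wording: {word}")
            break  # one hit is enough; avoids double-counting "install"/"installer"
    if labels[-2] in FILENAME_WORDS:
        verdict.reasons.append(f"filename-like label: {labels[-2]}")
    return verdict


def triage(domains):
    """Return only the suspicious names, those with the most reasons first."""
    flagged = [v for v in (assess_domain(d) for d in domains) if v.suspicious]
    flagged.sort(key=lambda v: len(v.reasons), reverse=True)
    return flagged


if __name__ == "__main__":
    # Constructed batch mixing the article's examples with benign names.
    batch = ["community.zip", "microsoft-office.zip", "google-update.zip",
             "bankofamericasecurities.zip", "attachment.zip", "video.mov", "url.zip"]
    for v in triage(batch):
        print(v.domain, "->", "; ".join(v.reasons))
```

Fed from a zone-file diff or a certificate-transparency feed, the same function gives a registrar or brand-protection team a daily short list to review, while names like community.zip and url.zip from Google’s statement pass through unflagged.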

Google responded to concerns regarding the .zip domain with the following statement:

"The risk of confusion between domain names and file names is not a new one. For example, 3M’s Command products use the domain name command.com, which is also an important program on MS-DOS and early versions of Windows. Applications have mitigations for this (such as Google Safe Browsing), and these mitigations will hold true for TLDs such as .zip.

At the same time, new namespaces provide expanded opportunities for naming such as community.zip and url.zip. Google takes phishing and malware seriously and Google Registry has existing mechanisms to suspend or remove malicious domains across all of our TLDs, including .zip. We will continue to monitor the usage of .zip and other TLDs and if new threats emerge we will take appropriate action to protect users."

Though there have been calls for Google to revoke these new TLDs because of their potential for abuse, it looks like they are here to stay. Always check links carefully before clicking them, and avoid clicking on links in unsolicited emails and text messages.
