Overview of .zip Top-Level Domain Cyber Threat

At the beginning of May 2023, Google made eight new top-level domains (TLDs) available for purchase for websites and email addresses, including .zip. A top-level domain is the first label below the DNS root zone; in practical terms, it is whatever follows the final period in a hostname, such as .com, .edu, or .org. Recent observations of malicious use of the .zip TLD have raised concern among cybersecurity experts.

The concern is that, as text, the .zip domain is indistinguishable from the popular .zip file extension. Many messaging platforms, email clients, and social media sites automatically turn anything that looks like a hostname into a clickable link, so a plain file name such as "report.zip" typed into a message becomes a link to the registered domain report.zip. Because URLs are also how files are delivered, a reader who clicks expecting to open the attachment can instead be sent to whatever the owner of that domain hosts, including a malware download.

Malicious use of the .zip top-level domain is already active in the wild. In one instance, a phishing page at the domain microsoft-office[.]zip, named to look like a file, attempts to steal Microsoft account credentials.

Example of phishing with the .zip Top-Level Domain

In a hypothetical scenario, a threat actor registers a .zip domain whose name matches a commonly used file name, such as update.zip, and then places that name in a targeted phishing email. When the victim clicks what looks like an attachment, the browser opens the domain update.zip instead, and the victim is served a malware download rather than the update they intended to install.

How to Protect Against New .zip TLD Threats

At this time, the best defense users have against this threat is awareness. Experts therefore recommend security awareness training for employees. Quality programs include simulated phishing campaigns that test employees against realistic scenarios; because these exercises familiarize staff with threats they may actually face, they are an effective way to reduce cyber incidents within an organization.

Another option is a technical control. Experts highly recommend assessing whether your organization has any business need to access .zip domains. If it does not, block the new TLDs at the network firewall, DNS resolver, or web proxy, and allowlist individual domains as the need arises. Apply the block to the hostname's top-level domain, not to every URL containing the string ".zip"; otherwise legitimate downloads such as https://example.com/update.zip would be blocked along with the malicious domains.
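The following is an added example, not code from the original bulletin or from any of its sources. It shows the two points above in working form: how the same text "update.zip" is a path in one link and a hostname in another, and how a proxy- or mail-filter-style check blocks only the hostname's TLD while honouring an allowlist. The sample message, the hosts files.example.com and intranet-tools.zip, and the inclusion of .mov alongside .zip are all constructed assumptions for the demonstration.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# TLDs this policy blocks outright. The page discusses .zip; .mov is added here as an
# assumption because it collides with a common file extension in the same way.
BLOCKED_TLDS = {"zip", "mov"}

# Hypothetical allowlist: hosts (and their subdomains) with an approved business need.
ALLOWED_HOSTS = {"intranet-tools.zip"}

# Roughly what a chat or mail client auto-links: an optional scheme and userinfo,
# a dotted name whose last label is alphabetic, and an optional path/query/fragment.
TOKEN_RE = re.compile(
    r"(?:[a-z][a-z0-9+.-]*://)?(?:[^\s/@]+@)?[a-z0-9.-]+\.[a-z]{2,}(?:[/?#][^\s]*)?",
    re.IGNORECASE,
)


def hostname_of(token: str) -> Optional[str]:
    """Return the lowercased hostname a browser would connect to for this token."""
    if "://" not in token:
        token = "http://" + token  # a bare "update.zip" is linkified as a host
    host = urlsplit(token).hostname  # drops userinfo and port
    if not host:
        return None
    return host.rstrip(".").lower()


def tld_of(host: str) -> str:
    """Last DNS label of the hostname, e.g. 'zip' for 'update.zip'."""
    return host.rsplit(".", 1)[-1]


def is_allowed_host(host: str) -> bool:
    """Exact or subdomain match against the allowlist."""
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)


def verdict(token: str) -> str:
    """'block' if the link's hostname sits in a blocked TLD and is not allowlisted."""
    host = hostname_of(token)
    if host is None:
        return "allow"
    if tld_of(host) in BLOCKED_TLDS and not is_allowed_host(host):
        return "block"
    return "allow"


def scan_message(text: str) -> List[Tuple[str, str, str]]:
    """Find link-like tokens in a message; return (token, hostname, verdict) triples."""
    results = []
    for m in TOKEN_RE.finditer(text):
        token = m.group(0).rstrip(".,;:)")  # trailing prose punctuation is not part of the link
        host = hostname_of(token) or ""
        results.append((token, host, verdict(token)))
    return results


# Constructed sample message: one legitimate download path ending in .zip, one bare
# file name that auto-links to a .zip domain, the phishing domain named on the page,
# and an allowlisted internal host.
SAMPLE_MESSAGE = (
    "Hi team, the build is at https://files.example.com/releases/update.zip - "
    "grab update.zip and run it. Also see microsoft-office.zip for the license, "
    "and the approved tool at docs.intranet-tools.zip/guide."
)

if __name__ == "__main__":
    for token, host, decision in scan_message(SAMPLE_MESSAGE):
        print(f"{decision:5}  host={host:28}  token={token}")
```

Run stand-alone, the script allows the first link (the .zip is in the path, the host is files.example.com), blocks the bare update.zip and microsoft-office.zip, and allows docs.intranet-tools.zip through the allowlist. The same policy on a DNS resolver is a response policy zone (RPZ) rule that returns NXDOMAIN for the zip apex and *.zip, with allowlisted names listed as passthru entries ahead of it.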

Cybersecurity threats are constantly evolving, so it is vital to maintain awareness of the threat landscape and act promptly to secure your environment. If your organization needs assistance managing its cybersecurity, contact us today. We offer comprehensive managed cybersecurity services for small and medium-sized businesses to help them assess, strengthen, and actively defend their security posture.

Sources

https://www.blog.google/products/registry/8-new-top-level-domains-for-dads-grads-tech/
https://www.bleepingcomputer.com/news/security/new-zip-domains-spark-debate-among-cybersecurity-experts/
Arctic Wolf Security Bulletin (email)