.zip and .mov domain names – A boon for cybercriminals

Since May 10, 2023, the .zip and .mov domain names have been open to everyone. In fact, Google has acquired these domain name extensions.

However, these domain names are reminiscent of  the file extensions .zip and .mov. This similarity will be heavily exploited by cybercriminals, as we’ll see in this article.

Domain names

A domain name is a reworked IP address, the identifier and Internet address of a website.

A domain name is made up of 4 elements which are:

• Prefix
• Subdomain
• Domain
• Extension or TLD

Today, there are many well-known domain name extensions, including :

• .com for commercial sites
• .org for organizations
• .net
• .io, often used for technology companies

Domain name registrars can obtain extensions from ICANN (“Internet Corporation for Assigned Names and Numbers”), an Internet regulatory authority.

In this way, Google has become a domain name registrar, and customers (individuals, companies, etc.) can purchase a domain name with an extension belonging to Google, such as .app.

Google and the purchase of .zip and .mov domain names

In April 2023, Google announced the launch of 8 new extensions.

They will remain reserved until mid-May 2023 for owners of trademarks registered with the TMCH (Trademark Clearinghouse), known as the Sunrise period.

The “TMCH”, a global database created by ICANN, consists of allowing brand owners to reserve their domain names as a priority in new internet extensions.

In May 2023, these new domain name extensions become open to all.

Here are the 8 new domain names available:

• .foo: extension targeting developers
• .nexus
• .dad
• .phd: extension which targets doctoral students, PhD meaning Philosophiæ doctor, and designating the doctoral diploma
• .esq: extension which refers to esquire, this is a courtesy title given to a lawyer
• .prof: extension echoing the teaching staff
• .mov: ideal extension for animated images
• .zip

The problem with .zip and .mov domain names

In these 8 new domain names, two are causing problems:

• .zip
• .mov

By June 2023, no fewer than 2,550 domain names ending in .mov had been registered, and 13,100 domain names ending in .zip.

The problem with these domain name extensions is that they are also file name extensions.

A file ending in .mov corresponds to a file extension compatible with QuickTime, an old multimedia framework developed by Apple.

Files ending in .zip are better known. This is a format for compressing files or folders.

A web surfer can therefore inadvertently confuse a file extension ending in .zip with a domain name extension ending in .zip.

And it is in these cases that cybercriminals will act.

The use of .zip and .mov domain names by cybercriminals

The criminals did not wait to grab malicious domain names that could scam Internet users.

Here is a long list of new domain names, and you can quickly realize that many of them will be used to trap people and scam them.

paypal.zip

Just imagine, you receive an email from “Paypal”, asking you to download a .zip file.

When you click on it, it is not a file that downloads but an internet window that opens containing malware, you have fallen into the trap of cybercriminals.

Well, this has already happened despite the rather short presence of these domain name extensions in the market.

A Chinese third party, not belonging to Paypal, purchased from Dan, a platform marketing domain names, “paypal.zip”.

This same third party also purchased “github.zip” and “openai.zip”.

familyphotos.zip

Below is what a user received in their mailbox.

The familyphotos.zip “attachment” is actually a link to a website containing a virus.

Elderly or non-vigilant people can easily be fooled by this type of scheme.

microsoft-office.zip

Analysts at Netcraft discovered that a domain name called “microsoft-office.zip” was purchased and used in phishing campaigns.

Concretely, cybercriminals sent emails pretending to be Microsoft and encouraging victims to “download” the new version of Microsoft Office via a .zip file.

But in reality, the targets were not going to download the Office suite but had opened a web page containing Malware contaminating their computer.

Google’s response to .zip and .mov domain name extensions

Contacted by BleepingComputer, Google addressed the concerns: “Google takes phishing and malware seriously and Google Registry has existing mechanisms to suspend or remove malicious domains across all of our TLDs, including .zip.  We will continue to monitor the usage of .zip and other TLDs and if new threats emerge we will take appropriate action to protect users.“.

Some cyber experts consider that the risk is minimal, others consider that the risk is very real.

It remains that no less than 1,200 .zip and .mov domain names were registered in the first two weeks of marketing of these extensions.

Protect yourself against this type of cyberattack

This kind of attack can be avoided. The victims of these attacks are usually :

• Relatively unfamiliar with the Internet
• Not paying attention

That’s why it’s vital to provide training in cybersecurity risks.

For professionals, we recommend carrying out a personalized phishing campaign in order to test and test employees.

A fictitious personalized phishing campaign raises awareness of computer security, so that employees are less likely to fall victim to this type of ploy, and more likely to be suspicious.