Zip domains, a bad idea nobody asked for
If you heard a strange and unfamiliar creaking noise on May 3, it may have been the simultaneous rolling of a million eyeballs. The synchronised ocular rotation was the less than warm welcome that parts of the IT and security industries (this author included) gave to Google's decision to put .zip domains on sale.
Google Registry actually announced eight new top-level domains (TLDs) that day: .dad, .phd, .prof, .esq, .foo, .zip, .mov, and .nexus, but it was dot zip and dot mov that had security eyeballs looking skywards, because of their obvious similarity to the extremely popular and long-lived .zip and .mov file extensions.
TLDs are the letters that come after the dot at the end of the domain name in an Internet address, like example.com, example.org, and example.zip.
File extensions are the letters (usually three) that come after the last dot of a file name, like example.docx, example.ppt, and example.zip.
You see the problem?
Domain names and filenames are not the same thing, not even close, but both of them play an important role in modern cyberattacks, and correctly identifying them has formed part of lots of basic security advice for a long, long time.
The TLD is supposed to act as a sort of indicator for the type of site you're visiting. Dot com was supposed to indicate that a site was commercial, and dot org was originally meant for non-profit organizations. Despite the fact that both dot com and dot org have been around since 1985, it's my experience that most people are oblivious to this idea. Against that indifference, it seems laughable that dot zip will ever come to indicate that a site is "zippy" or fast, as Google intends.
When you're offering services where speed is of the essence, a .zip URL lets your audience know that you're fast, efficient, and ready to move.
Meanwhile, plenty of users already have a clear idea that .zip means something completely different. Since the very beginning, files on Windows computers have used an icon, and a filename ending in a dot followed by three letters, to indicate what kind of file you're dealing with. If the three letters after the dot spell z-i-p, then that indicates an archive full of compressed ("zipped up") files. The icon even includes a picture of a zipper on it (because reinforcement is good, and confusion is bad).
As it happens, cybercriminals love .zip files, and the last couple of years have seen an explosion in their use as malicious email attachments. Typically, the zip file is first in a sequence of files known as an "attack chain". In a short chain, the zip file might simply contain something bad. In a longer chain it might contain something that links to something bad, or contain something that contains something that links to something bad, or contain something that links to something that contains something that links to something bad. You get the idea.
The key to it all is misdirection. The attack chain is there to confuse (there's that word again) and mislead users and security software.
Criminals use other forms of misdirection in file extensions too. An old favourite is giving malicious files two file extensions, like evil.zip.exe. The first one, .zip in this case, is there to fool you. The second is the real one: a dangerous executable type, .exe in this example. Given a choice of two, users have to decide which one to believe. Most aren't even faced with that choice though. Hilariously, Windows helps the subterfuge along by hiding the second file extension, the one you really should be paying attention to, by default.
Domain names get the same treatment. Criminals make extensive use of open redirects, for example (web pages that will redirect you anywhere you want to go), to make it look as if their malicious URLs are actually links to Google, Twitter or other respectable sites. Less sophisticated criminals just throw words like "paypal", or anything else you might recognise, into the link and hope you'll notice that bit and ignore the rest.
Against that backdrop, Google inexplicably decided to introduce something that will generate no useful revenue but will give cybercrooks an entirely new form of file and domain name misdirection, to add to all the others we're still wrestling with.
What could criminals do with this new toy? There is no better example than that provided by security researcher Bobby Rauch, in his excellent article The Dangers of Google's .zip TLD. In it, Rauch challenges readers to identify which of the following two URLs "is a malicious phish that drops evil.exe?"
https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip
https://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1.27.1.zip
It's the bottom one.
The top one would open a zip file called v1.27.1.zip from the github.com domain. In the second, the characters that look like slashes are not real slashes, so everything before the @ is parsed as user information rather than a path, and the browser goes to the domain v1.27.1.zip, which in this hypothetical example triggers the download of the evil.exe file.
If you figured it out, well done, but remember you knew that one of them was bad. Would you have spotted it if you hadn't been forewarned? And if you didn't spot it, don't feel bad: that's the whole point. It's hard to read URLs even if you know you're looking for something out of place.
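To make both kinds of misdirection concrete, here is an added Python example (not code from this article or from Rauch's post) that parses the two URLs above with the standard library's urllib.parse to show which host a client would really connect to, and inspects a double-extension name like evil.zip.exe to show which extension the operating system acts on. The sample inputs are constructed after the article's examples; the set of slash look-alike characters, the list of executable extensions and the function names are assumptions of the example, not something the article specifies.

```python
"""Added example: how a URL parser and the OS read the names discussed above.

The sample inputs are constructed after the article's two URLs and the
evil.zip.exe trick. Nothing here is the article's or Rauch's code.
"""
import os
from urllib.parse import urlsplit

# New TLDs that collide with file extensions (the two the article singles out).
COLLIDING_TLDS = {"zip", "mov"}

# Extensions Windows will execute; an illustrative list, not exhaustive.
EXECUTABLE_EXTS = {"exe", "scr", "bat", "cmd", "msi", "js", "vbs", "lnk"}

# Characters that render like '/' but are not a URL path separator.
# Assumption of this example: these are the look-alikes worth flagging.
SLASH_LOOKALIKES = {
    "\u2215": "DIVISION SLASH",
    "\u2044": "FRACTION SLASH",
    "\uff0f": "FULLWIDTH SOLIDUS",
    "\u29f8": "BIG SOLIDUS",
    "\u2571": "BOX DRAWINGS LIGHT DIAGONAL",
}

# Constructed samples modelled on the article's example.
BENIGN_URL = "https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip"
LOOKALIKE_URL = ("https://github.com\u2215kubernetes\u2215kubernetes\u2215archive"
                 "\u2215refs\u2215tags\u2215@v1.27.1.zip")


def analyze_url(url: str) -> dict:
    """Report which host a client would actually connect to and why it looks suspicious."""
    reasons = []
    lookalikes = sorted({SLASH_LOOKALIKES[c] for c in url if c in SLASH_LOOKALIKES})
    if lookalikes:
        reasons.append("slash look-alike characters: " + ", ".join(lookalikes))
    try:
        parts = urlsplit(url)
    except ValueError:
        # urlsplit rejects an authority whose NFKC form smuggles in '/', '@' etc.
        # (the full-width solidus does this). Unparseable is suspicious in itself.
        reasons.append("URL parser rejected the authority component")
        return {"hostname": "", "tld": "", "userinfo": None,
                "reasons": reasons, "suspicious": True}
    host = (parts.hostname or "").rstrip(".")
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld in COLLIDING_TLDS:
        reasons.append(f"host ends in .{tld}, which is also a file extension")
    if parts.username is not None:
        # RFC 3986: text before '@' in the authority is userinfo, not a path.
        reasons.append("userinfo before '@'; the real host is what follows it")
    return {"hostname": host, "tld": tld, "userinfo": parts.username,
            "reasons": reasons, "suspicious": bool(reasons)}


def analyze_filename(name: str) -> dict:
    """Report the extension the OS acts on and any decoy extension in front of it."""
    # os.path.splitext returns only the LAST extension, which is the one that counts.
    stem, last = os.path.splitext(name)
    real_ext = last.lstrip(".").lower()
    decoy_ext = os.path.splitext(stem)[1].lstrip(".").lower()
    reasons = []
    if real_ext in EXECUTABLE_EXTS:
        reasons.append(f".{real_ext} is executable")
        if decoy_ext:
            reasons.append(f"decoy .{decoy_ext} in front; Windows hides .{real_ext} by default")
    return {"real_extension": real_ext, "decoy_extension": decoy_ext,
            "reasons": reasons, "suspicious": bool(reasons)}


if __name__ == "__main__":
    for sample in (BENIGN_URL, LOOKALIKE_URL):
        print(sample, "->", analyze_url(sample))
    for sample in ("evil.zip.exe", "report.zip"):
        print(sample, "->", analyze_filename(sample))
```

Run stand-alone, the script shows the benign URL resolving to github.com and the look-alike URL resolving to v1.27.1.zip with the whole fake path sitting in the userinfo field, and it shows evil.zip.exe reported as an .exe with a .zip decoy. The same three checks (userinfo present, colliding TLD, look-alike separators) are the kind of rule a mail gateway or proxy would apply before a user ever sees the link.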
Of course, the invention of dot zip domains didn't suddenly make URLs hard to read (they already were), but that's no excuse.
Google does an awful lot of really good stuff for computer security, for which it deserves enormous credit, and this is a small and uncharacteristic misstep. The search giant was under absolutely no pressure to create a dot zip TLD, and it hardly seems destined to become a major income stream.
Dot zip domains are not yet a serious problem. At the time of writing, a little fewer than 4,000 have been registered, some of which were almost certainly bought by security researchers wanting to demonstrate what a bad idea they are, or to deprive criminals of some of the more dangerous names.
Criminals may yet decide they don't need the built-in confusion of the dot zip domain (or at least, not today). They already have a whole bag of tricks that work very well, and if a new one doesn't make their life easier or richer, they won't use it.
It is also possible that dot zip will simply die on the vine if enough companies choose to block it. Last week, Citizen Lab's John Scott-Railton urged his nearly 200,000 Twitter followers to simply "block it all", saying "The chance that new .zip and .mov domains mostly get used for malware attacks is 100%."
It's for you and your organisation to decide if you should block it, but I will point out that if you are going to, the best time to do it is now: almost nobody is currently using it, and nobody is going to use it in future if it's routinely blocked.