Google recently introduced eight new top-level domains (TLDs) that can be purchased for hosting websites or email addresses. Popular TLDs include .com, .io, .net, .gov, etc. Among the new TLDs are .zip and .mov, which are raising cybersecurity concerns because they’re also a common way to denote file extensions. Here’s what you need to know.
Now broadly available, the .zip and .mov TLDs may pose a security risk because they are also common file extensions frequently shared in online discussions (.zip is the file extension for “zipped” or compressed files, and .mov is the file extension for Apple’s video format). Some platforms now automatically convert any text ending in these strings into clickable URLs, which threat actors can potentially exploit for phishing attacks or malware delivery.
These concerns are not merely theoretical. Reports have emerged of real-world examples where these domains are being used maliciously. Nuspire has also detected instances of such abuse in our threat hunting activities. Threat actors could purchase a .zip domain matching a commonly-used filename to turn a seemingly innocent filename into a phishing or malware delivery vector.
While the likelihood of mass adoption of this technique by threat actors is low, the damage from even one successful breach can be substantial.
Nuspire actively threat hunts client environments for indications of compromise and suspicious activity involving .zip and .mov domains.
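The auto-linking behaviour described above can be hunted for in text and in DNS logs. The following is an added illustration, not Nuspire's tooling: it flags hostname-like tokens whose TLD is .zip or .mov, and it separates bare filename-looking tokens (the ones a platform would silently linkify) from links the author typed explicitly. The chat message and DNS log lines are constructed samples.

```python
import re
from typing import Dict, List

# TLDs that collide with common file extensions (the two discussed in this post).
FILE_EXTENSION_TLDS = {"zip", "mov"}

# Optional scheme, then dotted labels ending in an alphabetic TLD of 2+ chars.
HOST_RE = re.compile(r"(?i)\b(?:https?://)?((?:[a-z0-9-]+\.)+([a-z]{2,}))\b")


def find_file_extension_tlds(text: str) -> List[Dict[str, object]]:
    """Return every hostname-like token in `text` whose TLD is .zip or .mov.

    `explicit_url` is False when the token was written without a scheme,
    i.e. it reads like a filename but a linkifying platform would render
    it as a clickable link to that domain.
    """
    hits = []
    for m in HOST_RE.finditer(text):
        host, tld = m.group(1).lower(), m.group(2).lower()
        if tld in FILE_EXTENSION_TLDS:
            hits.append({
                "host": host,
                "tld": tld,
                "explicit_url": m.group(0).lower().startswith("http"),
            })
    return hits


def flag_dns_queries(lines: List[str]) -> List[str]:
    """Return the queried names from `query=<name>` log fields whose TLD is .zip or .mov."""
    flagged = []
    for line in lines:
        m = re.search(r"query=(\S+)", line)
        if m and m.group(1).lower().rsplit(".", 1)[-1] in FILE_EXTENSION_TLDS:
            flagged.append(m.group(1).lower())
    return flagged


# Constructed sample input (not real observations).
SAMPLE_CHAT = ("Please review the attached quarterly-report.zip and the demo.mov, "
               "thanks. Also see https://docs.example.com/guide.")
SAMPLE_DNS_LOG = [
    "2023-05-16T10:01:02Z client=10.0.0.5 query=quarterly-report.zip type=A",
    "2023-05-16T10:01:05Z client=10.0.0.5 query=docs.example.com type=A",
]

if __name__ == "__main__":
    print(find_file_extension_tlds(SAMPLE_CHAT))  # two bare filename-like hits
    print(flag_dns_queries(SAMPLE_DNS_LOG))       # ['quarterly-report.zip']
```

A DNS query for a name that was only ever meant as a filename is the observable this hunt keys on; a .com hit on the same message produces no alert.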
Given these recent developments, Nuspire recommends taking the following precautions:
It’s worth noting that these concerns highlight the importance of robust cybersecurity practices and ongoing threat awareness. As a standard practice, users should be cautious about clicking on links from untrusted sources or downloading files from suspicious sites. The presence of these new TLDs only underlines the importance of these safeguards.