Zip domains, a bad idea nobody asked for

If you heard a strange and unfamiliar creaking noise on May 3, it may have been the simultaneous rolling of a million eyeballs. The synchronised ocular rotation was the less than warm welcome that parts of the IT and security industries—this author included—gave to Google’s decision to put .zip domains on sale.

Google Registry actually announced eight new top-level domains (TLDs) that day: .dad, .phd, .prof, .esq, .foo, .zip, .mov, and .nexus, but it was dot zip and dot mov that had security eyeballs looking skywards, because of their obvious similarity to the extremely popular and long-lived .zip and .mov file extensions.

TLDs are the letters that come after the dot at the end of the domain name in an Internet address, like example.com, example.org, and example.zip.

File extensions are the three letters that came after the dot at the end of a file name, like example.docx, example.ppt, and example.zip.

You see the problem?

Domain names and filenames are not the same thing, not even close, but both of them play an important role in modern cyberattacks, and correctly identifying them has formed part of lots of basic security advice for a long, long time.

The TLD is supposed to act as a sort of indicator for the type of site you’re visiting. Dot com was supposed to indicate that a site was commercial, and dot org was originally meant for non-profit organizations. Despite the fact that both dot com and dot org have been around since 1985, it’s my experience that most people are oblivious to this idea. Against that indifference, it seems laughable that dot zip will ever come to indicate that a site is “zippy” or fast, as Google intends.

“When you’re offering services where speed is of the essence, a .zip URL lets your audience know that you’re fast, efficient, and ready to move.”

Meanwhile, plenty of users already have a clear idea that .zip means something completely different. Since the very beginning, files on Windows computers have used an icon, and a filename ending in a dot followed by three letters to indicate what kind of file you’re dealing with. If the three letters after the dot spell z-i-p, then that indicates an archive full of compressed—“zipped up”—files. The icon even includes a picture of a zipper on it (because reinforcement is good, and confusion is bad.)

As it happens, cybercriminals love .zip files and the last couple of years have seen an explosion in their use as malicious email attachments. Typically, the zip file is first in a sequence of files known as an “attack chain”. In a short chain, the zip file might simply contain something bad. In a longer chain it might contain something that links to something bad, or contain something that contains something that links to something bad, or contain something that links to something that contains something that links to something bad. You get the idea.

The key to it all is misdirection. The attack chain is there to confuse (there’s that word again) and mislead users and security software.

Criminals use other forms of misdirection in file extensions too. An old favourite is giving malicious files two file extensions, like evil.zip.exe. The first one, .zip in this case, is there to fool you. The second is the real one: A dangerous executable type, .exe in this example. Given a choice of two, users have to decide which one to believe. Most aren’t even faced with that choice though. Hilariously, Windows helps the subterfuge along by hiding the second file extension, the one you really should be paying attention to, by default.

Domain names get the same treatment. Criminals make extensive use of open redirects for example—web pages that will redirect you anywhere you want to go—to make it look as if their malicious URLs are actually links to Google, Twitter or other respectable sites. Less sophisticated criminals just throw words like “paypal”, or anything else you might recognise, into the link and hope you’ll notice that bit and ignore the rest.

Against that backdrop, Google inexplicably decided to introduce something that will generate no useful revenue but will give cybercrooks an entirely new form of file and domain name misdirection, to add to all the others we’re still wrestling with.

What could criminals do with this new toy? There is no better example than that provided by security researcher Bobby Rauch, in his excellent article The Dangers of Google’s .zip TLD. In it, Rauch challenges readers to identify which of the following two URLs “is a malicious phish that drops evil.exe?”

https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip

https://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1.27.1.zip

It’s the bottom one.

The top one would open a zip file called v1.27.1.zip from the github.com domain. The second would go to the domain v1.27.1.zip, which in this hypothetical example triggers the download of the evil.exe file.
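To see why the two URLs resolve differently, the following added example (not code from this article or from Rauch's) parses both with Python's standard urllib.parse and reports the host each one really points at, plus the cues a mail or proxy filter could flag. The names inspect_url, SLASH_LOOKALIKES and FILE_EXTENSION_TLDS are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

# Characters that render like "/" but do not end the authority part of a URL.
SLASH_LOOKALIKES = {"\u2044": "FRACTION SLASH", "\u2215": "DIVISION SLASH"}
# TLDs named in this article that collide with common file extensions.
FILE_EXTENSION_TLDS = {"zip", "mov"}


def inspect_url(url):
    """Return (real_host, findings) for a URL, using standard URL parsing."""
    try:
        parts = urlsplit(url)
        host = parts.hostname or ""
    except ValueError as exc:
        # urlsplit rejects authorities whose NFKC form gains a delimiter
        # (e.g. a fullwidth solidus); treat that as a finding in itself.
        return None, [f"unparseable authority: {exc}"]

    findings = []
    if "@" in parts.netloc:
        # Everything before the last "@" is userinfo, not the destination.
        decoy = parts.netloc.rpartition("@")[0]
        findings.append(f"userinfo before '@' is not the host: {decoy!r}")
    for ch, name in SLASH_LOOKALIKES.items():
        if ch in parts.netloc:
            findings.append(f"U+{ord(ch):04X} {name} in authority")
    tld = host.rpartition(".")[2]
    if tld in FILE_EXTENSION_TLDS:
        findings.append(f"host is under .{tld}, which is also a file extension")
    return host, findings


# The two URLs from the challenge above; the lookalike slashes are written
# as \u2215 escapes so they are visible in the source.
GENUINE = "https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip"
LOOKALIKE = ("https://github.com\u2215kubernetes\u2215kubernetes\u2215archive"
             "\u2215refs\u2215tags\u2215@v1.27.1.zip")

if __name__ == "__main__":
    for url in (GENUINE, LOOKALIKE):
        host, findings = inspect_url(url)
        print(f"{url}\n  host: {host}")
        for finding in findings:
            print(f"  ! {finding}")
```

The first URL yields the host github.com with no findings; the second yields the host v1.27.1.zip with all three findings, because nothing before the "@" contains a real "/" to end the authority.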

If you figured it out, well done, but remember you knew that one of them was bad. Would you have spotted it if you hadn’t been forewarned? And if you didn’t spot it, don’t feel bad, that’s the whole point. It’s hard to read URLs even if you know you’re looking for something out of place.

Of course, the invention of dot zip domains didn’t suddenly make URLs hard to read, they were already, but that’s no excuse.

Google does an awful lot of really good stuff for computer security, for which it deserves enormous credit, and this is a small and uncharacteristic misstep. The search giant was under absolutely no pressure to create a dot zip TLD and it hardly seems destined to become a major income stream.

Dot zip domains are not yet a serious problem. At the time of writing, a little fewer than 4,000 have been registered, some of which were almost certainly bought by security researchers wanting to demonstrate what a bad idea they are, or to deprive criminals of some of the more dangerous names.

Criminals may yet decide they don’t need the built-in confusion of the dot zip domain (or at least, not today). They already have a whole bag of tricks that work very well and if a new one doesn’t make their life easier or richer, they won’t use it.

It is also possible that dot zip will simply die on the vine if enough companies choose to block it. Last week, Citizen Lab’s John Scott-Railton urged his nearly 200,000 Twitter followers to simply “block it all”, saying “The chance that new .zip and .mov domains mostly get used for malware attacks is 100%.”

It’s for you and your organisation to decide if you should block it, but I will point out that if you are going to, the best time to do it is now: Almost nobody is currently using it, and nobody is going to use it in future if it’s routinely blocked.