On May 3, Google Registry launched eight new “parent, graduate and technical” top-level domains (TLDs), including a .zip TLD. While these new TLDs come with benefits like automatic HSTS preload listing, the launch of new TLDs has always provided an opportunity for cybercriminals to register domains in bad faith.
Parts of the security community, such as SANS ISC, have already identified the potential for fraud through the potential combination of a universally known (.zip) file extension with a TLD. The overlap of TLDs with file extensions is not a new problem: .com is also an executable format, .pl represents Polish and Perl scripts, and .sh represents Saint Helena and Unix shell scripts.
Earlier this week, we investigated existing registrations with the .zip TLD and confirmed that there is already evidence of fraudulent activity.
.zip domains as phishing lures
At the time of writing, there are less than 5,000 registered domains using .zip. 2,253 of these have an A record, pointing to 838 different IP addresses. We have discovered phishing attacks on five of these domains so far, none of which are still active at the time of writing.
Domain Targeted Brand Report 2023[.]zip Microsoft microsoft-office[.]zip Microsoft microsoft-office365[.]compress emails from microsoft[.]zip Google login.payment status[.]zip Okta
report2023[.]zip was probably a threat actor’s “proof of concept”. The site, which mimics a Microsoft login screen, says ‘THIS IS FOR TESTING’.
![Login panel shown in report2023[.]zipper](https://news.netcraft.com/images/2023/05/this-is-for-testing.png)
Login panel shown in report2023[.]zipper
microsoft office[.]zip initially said ‘This is not a Microsoft page’ when we first saw it on May 13 (around 8:50am GMT). This text was removed when we rescanned the page an hour later.
![Login panels displayed in microsoft-office[.]zipper](https://news.netcraft.com/images/2023/05/this-is-not-a-microsoft-page.png)
Login panels displayed in microsoft-office[.]zipper
All of these attacks used different hosting providers and were registered with different registrars, suggesting that different threat actors were behind them. We notify Google Registry as part of our removal process for some of these domains; these domains are now no longer resolved.
Other suspicious .zip activity
There are many registered domains that are likely to be bad faith registrations, even though they currently show no malicious content. These include:
domains that contain well-known brand names, such as several dozen domains that contain the word ‘Microsoft’, including microsoft[.]zip, microsoft-windows update[.]zipper, microsoft teams[.]zip, microsoftedge setup[.]zip, microsoft installer[.]zipper. 200 domains mentioning ‘installer’ or ‘update’, including chromeupdatex64[.]zip, browser update[.]zip, firefox installer[.]zip, driver update[.]zip, discord updated[.]zip, urgent update[.]zip, zoom-installer[.]zip, winrar-installer[.]zipper. various domains that mention banks by name, such as bankofamericasecurities[.]zipper. several that could plausibly be used in emails in which a victim expects to download a file, but it is linked to the domain instead (payment statements[.]zip code, pay stub[.]postcard photos[.]zipper attachment[.]zipper). eicar[.]zip has been registered but currently has no A records. The EICAR test file is a benign file that is typically used to test antivirus software. Less than 50 .zip domains contained in or redirected to a .zip file. Of these, at least two were zip bombs, which are often deployed to disable antivirus software.
altruistic .zip records
We also detected a number of domains that were registered to raise awareness of how the .zip TLD could be used for fraud. An example of this is the bank statement[.]zip, which displays the following.
![Security notice displayed on bank statement[.]zipper](https://news.netcraft.com/images/2023/05/bank-statement.png)
Security notice displayed on bank statement[.]zipper
Other examples, such as financial statements[.]zip, are more direct in expressing their concerns:
![Security concerns shown on the financial statement[.]zipper](https://news.netcraft.com/images/2023/05/financial-statement.png)
Security concerns shown on the financial statement[.]zipper
There are also a handful of other domains that don’t currently display explicit “awareness” content, but are likely motivated by the same concerns. These include domains like notransomware[.]zip, not phishing[.]zip, and it is absolutely not a virus[.]zipper.
Other things detected using the TLD .zip
While we anticipate that .zip may rank high on our list of the top 50 TLDs with the highest ratio of cybercrime incidents to active sites, it’s not just fraud that we found using the TLD during our investigations. We also saw:
71 domains redirected to YouTube videos, of which 48 are a Rickroll. a domain that redirects to a zip file containing the TSA “No Fly” list that was leaked earlier this year. a link shortener. various sites that are used to offer services associated with file compression, such as a site for compressing files and another for producing compressed YouTube thumbnails.
Finally, there are approximately 600 domains registered using .mov, which is another new TLD that is also a well-recognized file extension. We have conducted an analysis of these and, at the time of writing, have not identified any fraud.
How can Netcraft help?
Our position at the epicenter of the battle against cybercrime allows us to quickly identify, monitor and react to new threats, such as those identified in this publication. We continue to monitor malicious content in .zip and other new TLDs. The Netcraft browser extension and mobile apps block the .zip threats described in this post and will block new threats as we discover them.
Netcraft is the world leader in detecting, disrupting and taking down cybercrime, and has been protecting online businesses since 1996. We help organizations around the world (including 12 of the top 50 global banks) and take down around of a third of the world’s phishing attacks. eliminating more than 90 types of attack at the rate of 1 attack every 15 seconds. Our malicious site feeds protect billions of people around the world from phishing, malware, and other cybercrime activity.
We offer solutions for domain registries and domain registrars, including real-time alerts or removal of fraudulent content found in your TLD/infrastructure and a tool to analyze the likelihood of a new domain name being deceptive and used for fraud.