Google’s New Domains: A Security Risk?

Santosh Sharma
Published in RTL Tech
Jul 19, 2023

In early May, Google unveiled eight new top-level domains (TLDs), expanding the options for website addresses. While some of these TLDs brought light-hearted offerings, such as “.dad” and “.nexus,” two domains stood out for their potential to invite online scams and phishing attacks: “.zip” and “.mov.” These domains share names with common file extensions, raising concerns about the increased possibilities for digital fraud.

In this blog I highlight the implications of Google’s decision to introduce these TLDs and explore differing opinions on the associated risks.

The Potential for Scams and Phishing

The uniqueness of “.zip” and “.mov” as TLDs lies in their association with common file formats. “.zip” is widely recognized as a file compression format, while “.mov” is a video format developed by Apple. The worry is that URLs resembling file names could deceive web users into clicking on malicious links disguised as legitimate content. Additionally, these domains could exacerbate the problem of software automatically adding links to file names, mistaking them for URLs. Consequently, scammers could strategically acquire “.zip” and “.mov” URLs matching common file names, enabling any online reference to these files to automatically link to a malicious website.

The Current Landscape

Phishing researcher Ronnie Tokazowski highlights that attackers will exploit any opportunity to breach organizations, emphasizing the persistence of this threat over time. Researchers have already observed malicious actors purchasing strategic “.zip” URLs and testing them in phishing campaigns. However, opinions on the negative impact of these domains vary. Critics argue that phishing attacks that exploit URL confusion are already prevalent, rendering the addition of “.zip” and “.mov” domains of negligible consequence. They assert that existing anti-phishing measures, such as proxies and traffic management tools, will incorporate these new TLDs into their defenses.

Google’s Response and Mitigations

Google, in response to concerns, stated that the risk of confusion between domain names and file names is not a new one, offering examples like 3M’s use of the domain name “command.com,” which shared its name with a crucial program on MS-DOS and early versions of Windows. The company assures users that existing mitigations, such as Google Safe Browsing, will apply to TLDs like “.zip.” Google Registry also incorporates mechanisms to suspend or remove malicious domains across all its TLDs. The company pledges ongoing monitoring of the usage of “.zip” and other TLDs, ready to take appropriate action to protect users if new threats emerge.

Broader Implications and Criticisms

Expanding the range of TLDs provides users with more options, reducing the need to pay premiums for desired domain names owned by others. Some security experts argue that given the extensive risk of phishing attacks, the introduction of TLDs like “.zip” and “.mov” adds only marginal additional danger. However, others contend that a company like Google, known for investing heavily in anti-scam and anti-phishing efforts, could have chosen not to offer these particular TLDs. They criticise the potential usability and security issues posed by these domains and suggest Google’s decision may be primarily motivated by financial considerations.

What Can Organizations Do?

  • Be cautious and vigilant when encountering .zip and .mov URLs, as they can be used by hackers for phishing attacks.
  • Before clicking on any .zip or .mov link, carefully examine and verify its authenticity.
  • Exercise caution when encountering URLs that contain well-known brand names, as they can still be deceptive.
  • Be wary of attachments and links received via messages or emails, especially those that prompt you to provide sensitive information.
  • Utilize reputable free tools such as VirusTotal and urlscan.io to verify the legitimacy of URLs before interacting with them.
  • Domain Filtering and Firewall Rules: Organizations can implement domain filtering mechanisms and firewall rules to block or restrict access to certain TLDs, including “.zip” and “.mov.” This can prevent users from accessing potentially malicious websites using these domains.
  • Google Safe Browsing and Security Services: Google’s Safe Browsing service and similar security services offered by other providers can help protect users from visiting malicious websites, including those hosted on the newly introduced TLDs. These services maintain lists of known dangerous websites and block access to them.
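The two technical points above, that an autolinker will turn a bare file name like “report.zip” into a link to a host under the .zip TLD, and that organizations can filter such TLDs, can be exercised in code. The following is an added example written for this page, not code from the original post or from Google; it scans message text for hosts a browser or autolinker would resolve, and applies a TLD block policy with an allowlist. The blocked-TLD set and the allowlisted host `example.zip` are hypothetical policy values, and the sample messages are constructed. The same functions work for any TLD list, not just .zip and .mov.

```python
"""Flag references in free text that resolve to hosts under blocked TLDs.

Added example for this article (not the post's or Google's code). Policy
values and sample messages below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Hypothetical organization policy: TLDs to block, plus explicit exceptions.
BLOCKED_TLDS = {"zip", "mov"}
ALLOWED_HOSTS = {"example.zip"}  # hypothetical approved business host

# Explicit URLs carrying a scheme.
URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)
# Bare tokens shaped like domain names (which is also the shape of a file name
# such as report.zip). This is what an autolinker turns into a clickable link.
BARE_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def host_of_url(url):
    """Return the host a browser would connect to for an explicit URL, or None.

    urlsplit().hostname drops the port and any userinfo and lowercases the
    name, so the verdict is based on the real destination host, not on
    whatever file name happens to appear in the path.
    """
    parts = urlsplit(url)
    return parts.hostname if parts.hostname else None


def candidate_hosts(text):
    """Return sorted (token, host) pairs found in text.

    Explicit URLs contribute their parsed host. They are then blanked out so
    that only genuinely bare tokens (the ones an autolinker would linkify) are
    matched by BARE_RE; a file name inside a URL path is not a host.
    """
    found = set()
    for m in URL_RE.finditer(text):
        host = host_of_url(m.group(0))
        if host:
            found.add((m.group(0), host))
    stripped = URL_RE.sub(" ", text)
    for m in BARE_RE.finditer(stripped):
        token = m.group(0)
        found.add((token, token.lower()))
    return sorted(found)


def tld_of(host):
    """Rightmost label of a host name, e.g. 'zip' for 'report.zip'."""
    return host.rsplit(".", 1)[-1]


def policy_verdict(host):
    """Apply the TLD policy: allowlisted hosts pass, blocked TLDs are denied."""
    if host in ALLOWED_HOSTS:
        return "allow"
    if tld_of(host) in BLOCKED_TLDS:
        return "block"
    return "allow"


def scan_message(text):
    """Return (token, host, verdict) for every reference that lands on a blocked TLD.

    Allowlisted hosts are still reported (with verdict 'allow') so reviewers
    can see that the exception, not the policy, let the reference through.
    """
    findings = []
    for token, host in candidate_hosts(text):
        if tld_of(host) in BLOCKED_TLDS:
            findings.append((token, host, policy_verdict(host)))
    return findings


# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = [
    "Please review quarterly-report.zip before Friday.",
    "Download from https://files.example.com/archive/report.zip",
    "Watch it at https://promo-video.mov/watch",
    "Internal archive host is example.zip (approved)",
    "The old command.com reference is harmless here.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(repr(msg))
        for token, host, verdict in scan_message(msg):
            print(f"  {verdict:5s}  host={host}  from={token}")
```

The second sample shows why the host, not the file name, has to drive the decision: `report.zip` appears in that message, but the browser would connect to `files.example.com`, so nothing is flagged. The first sample is the autolinking case the article warns about, where a bare `quarterly-report.zip` in an email body becomes a link to a host under the .zip TLD. A proxy or mail gateway would typically run the same policy at the point where the link is resolved rather than at message time.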

Agree, disagree or have a view on this? Please leave a comment.
