Emerging Trend: Malicious Use of New Google Domains .zip and .mov

Google recently introduced eight new top-level domains (TLDs) that can be purchased for hosting websites or email addresses. Popular TLDs include .com, .io, .net, .gov, etc. Among the new TLDs are .zip and .mov, which are raising cybersecurity concerns because they’re also a common way to denote file extensions. Here’s what you need to know.

New Google TLDs .zip and .mov a cause for concern

Now broadly available, the zip and .mov TLDs may pose a security risk because they are also common file extensions frequently shared in online discussions (.zip is the file extension for “zipped” or compressed files, and .mov is the file extension for Apple’s video format). Some platforms can now automatically convert these into URLs, which threat actors can potentially exploit for phishing attacks or malware delivery.

These concerns are not merely theoretical. Reports have emerged of real-world examples where these domains are being used maliciously. Nuspire has also detected instances of such abuse in our threat hunting activities. Threat actors could purchase a .zip domain matching a commonly-used filename to turn a seemingly innocent filename into a phishing or malware delivery vector.

While the likelihood of mass adoption of this technique by threat actors is low, the damage from even one successful breach can be substantial.

What is Nuspire doing?

Nuspire actively threat hunts client environments for indications of compromise and suspicious activity involving .zip and .mov domains.

What should I do?

Given these recent developments, Nuspire recommends taking the following precautions:

• Awareness and education: Users should be informed of this potential security risk. Make them aware that filenames ending in .zip or .mov could now potentially be links to websites instead of the expected files.
• Validation of URLs: Encourage employees to validate the URL before clicking on any link, especially those ending in .zip or .mov.
• Enhanced monitoring: We suggest companies increase their vigilance and closely monitor any activity related to .zip and .mov domains.
• Apply additional security layers: Utilize advanced threat protection solutions to mitigate potential security risks arising from these domains.
• Report suspicious activities: Establish a clear process for employees to report any suspicious URLs or activities.
• Consider blocking: Determine the business impact if your organization blocks .zip and .mov domains within your web application firewall. If acceptable, block the TLDs completely to prevent access.

It’s worth noting that these concerns highlight the importance of robust cybersecurity practices and ongoing threat awareness. As a standard practice, users should be cautious about clicking on links from untrusted sources or downloading files from suspicious sites. The presence of these new TLDs only underlines the importance of these safeguards.