Google's .zip, .mov Domains Give Social Engineers a Shiny New Tool

Published: 23/11/2024   Category: security




Security professionals warn that Google's new top-level domains, .zip and .mov, pose social engineering risks while offering little justification for their existence.



Two new top-level domain names — .zip and .mov — have caused concern among security researchers, who say they allow for the construction of malicious URLs that even tech-savvy users are likely to miss.
Google announced the domains in early May, kicking off a slow buildup of criticism from the security community as people became aware of the issues. In a widely circulated post on Medium, security researcher Bobby Rauch pointed to two seemingly identical URLs that appear to go to the same place — downloading a zip file from a GitHub repository — but by using unicode slashes, an @ sign, and the .zip domain, a potentially malicious URL could instead redirect users to an attacker's website. In such a URL the browser treats everything before the @ as user information, so the real host is the .zip name that follows it, not the familiar site name a reader sees at the front.
While a top-level domain (TLD) that mimics a file extension is only one component in the lookalike attack, the overall combination is much more effective with the .zip or .mov extension, says Tim Helming, security evangelist at DomainTools, a provider of domain-related threat intelligence.
"There's no question that phishing links that involve these TLDs can be used to lure unsuspecting users into accidentally downloading malware," he says. "Unlike other kinds of phishing URLs that are intended to lure the user to enter credentials into a phony login page, the lures with the .zip or .mov domains are more suited to drive-by download types of attacks."
In the three weeks since Google announced the new domains — along with .dad, .phd, and .foo — security researchers have pointed out the dangers of TLDs that match file extensions. On Tuesday, for example, Trend Micro became the latest security firm to warn users to fine-tune their ability to spot malicious links. In the advisory, the company pointed out that the Vidar info-stealer uses fake URLs to download a Zoom.zip file to the victim's computer — and that the .zip domain will make the attack much more effective.
When reached for comment, a Google spokesperson noted that the Internet giant believes the opportunity to expand choice outweighs any of the potential security dangers.
"We believe that website creators benefit from more choices in domain names, and that all users benefit from shorter, easier-to-remember URLs. Over 30 million domains have been registered in new gTLDs, and as ICANN's report on Competition, Consumer Trust and Consumer Choice [PDF] found, many of these domains were registered even when the exact match for the full domain name was available in .com (for example, choosing json.foo even when jsonfoo.com was available)."
The spokesperson also responded to the GitHub .zip example, noting that the risk of confusion between domain names and file names is not a new one, and that applications have mitigations for this — such as Google Safe Browsing.
"Examples like GitHub actually demonstrate how pervasive these types of collision already are — .py, .cc and .md are examples of common file extensions on GitHub that are also TLD extensions. Browsers already provide significant protection against accidentally navigating to the wrong website in these contexts, and this will remain the case with .zip," the spokesperson said.
Whether the new domains will make phishing better is still a question for some, but the risk of making more effective links seems to outweigh any benefit of the domains, says Erich Kron, security awareness advocate at phishing and security education firm KnowBe4.
"It's the 'why are we doing this?' that kind of gets me, and frankly, it's just a bad idea, right?" he says. "Bad actors have been using .zip files and compressed files to get people to download malware for eons, and then to make a top-level domain that the general public is going to associate with [legitimate files] ... we are really opening the doors to some very easy trickery here."
The domain names have already led to some mistakes, and not just on the part of humans. Some tools, such as Google's own malware identification service VirusTotal, are conflating filenames that end in .zip with URLs whose host sits in the .zip TLD, according to Johannes Ullrich, dean of research for education organization SANS Technology Institute. Ullrich is in the process of surveying existing .zip domains to see which are malicious.
He has found that evidence of in-the-wild campaigns is scant so far. "This opens up new avenues for more convincing phishing attacks," Ullrich said, with a caveat: "However, there are already many ways to create convincing phishing attacks, so the risk is more incremental."
The good news is that attackers have not yet picked up the technique en masse for real-world attacks, Trend Micro stated in its advisory.
"As of today, Trend Micro has not yet received URLs related to these new TLDs from internal and customer cases," the company stated. "However, we will continue to monitor any related URLs we come across and block them as needed in preparation for potential phishing campaigns."
At this point, the biggest attack so far involves rickrolling and parked domains, Ullrich says: "At least 48 domains have been registered by people who then posted a video of singer Rick Astley and his song, 'Never Gonna Give You Up.'"
The creation of file-extension-lookalike domain names will likely lead Google and other browser makers to adopt warnings in their software, alerting users when a URL uses special unicode characters — such as characters that look like slashes (/) but are not — and could be confused for a legitimate URL.
However, much will still rely on users, who should be careful about checking links, and on companies, which can restrict new domain names until cybersecurity providers can assign them a reputation, DomainTools' Helming says.
"There are ways for very savvy users to spot these file paths visually," he adds, "but the most effective defenses are going to be a combination of efforts that include security control detections for things like those characters, risk scoring for newly created domains — in any TLD — and updated user awareness training."
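As an added illustration, serving both the lookalike-URL construction Rauch described earlier in the article and Helming's call for "security control detections for things like those characters": the checker below is not code from the article, from Rauch's post, or from any vendor quoted here. It parses a URL the way a browser does (userinfo before the @, host after it), reports any slash-lookalike code points, and flags a host whose TLD is also a file extension. The two sample URLs, the repository path and tag, the lookalike character table and the TLD list are all constructed assumptions for the demo, not data from the page.

```python
"""Detector for the URL trick the article describes: a userinfo block full of
slash lookalikes, an '@', and a host whose TLD is also a file extension.

Added illustration, not code from the article or any vendor it quotes.
Sample URLs, the lookalike table and the TLD list are constructed for the demo.
"""
import unicodedata
from urllib.parse import urlsplit

# Code points that render like the ASCII solidus "/" (U+002F) but are not
# path separators to a URL parser. Assumed list; extend for your environment.
SLASH_LOOKALIKES = {
    "\u2215",  # DIVISION SLASH
    "\u2044",  # FRACTION SLASH
    "\u29f8",  # BIG SOLIDUS
    "\u2571",  # BOX DRAWINGS LIGHT DIAGONAL UPPER RIGHT TO LOWER LEFT
    "\uff0f",  # FULLWIDTH SOLIDUS (NFKC-folds to "/")
}

# TLDs named in the article that are also common file extensions.
FILE_EXTENSION_TLDS = {"zip", "mov", "py", "cc", "md"}

# Constructed samples (hypothetical org, repo and tag). The lookalike one uses
# U+2215 for every visible slash: a reader sees a GitHub download path, the
# parser sees userinfo@host with host = v1.0.0.zip.
BENIGN_URL = "https://github.com/example-org/example-repo/archive/refs/tags/v1.0.0.zip"
LOOKALIKE_URL = (
    "https://github.com\u2215example-org\u2215example-repo"
    "\u2215archive\u2215refs\u2215tags\u2215@v1.0.0.zip"
)


def analyze(url: str) -> dict:
    """Return the parsed host, its TLD, a list of findings and a verdict."""
    findings = []

    # 1. Slash lookalikes anywhere in the string are a signal on their own.
    lookalikes = sorted({ch for ch in url if ch in SLASH_LOOKALIKES})
    if lookalikes:
        names = ", ".join(f"U+{ord(c):04X} {unicodedata.name(c)}" for c in lookalikes)
        findings.append(f"slash lookalikes present: {names}")

    # 2. Parse. CPython rejects a non-ASCII netloc that NFKC-normalises to
    #    contain '/', '?', '#', '@' or ':' (FULLWIDTH SOLIDUS does), so treat
    #    that rejection as a finding rather than a crash.
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        findings.append(f"URL parser rejected netloc: {exc}")
        return {"hostname": "", "tld": "", "findings": findings, "suspicious": True}

    hostname = parts.hostname or ""
    tld = hostname.rsplit(".", 1)[-1] if "." in hostname else ""
    has_userinfo = "@" in parts.netloc

    # 3. Userinfo before '@' means the visible leading text is NOT the host.
    if has_userinfo:
        findings.append(f"userinfo before '@' hides the real host {hostname!r}")
        if any(ch in SLASH_LOOKALIKES for ch in (parts.username or "")):
            findings.append("userinfo contains slash lookalikes, so it reads as a path")

    # 4. A host ending in a file-extension TLD completes the illusion.
    if tld in FILE_EXTENSION_TLDS:
        findings.append(f"host ends in file-extension TLD .{tld}")

    # Userinfo alone (basic-auth URLs) or a .zip host alone can be legitimate;
    # flag lookalikes on their own, or userinfo combined with such a TLD.
    suspicious = bool(lookalikes) or (has_userinfo and tld in FILE_EXTENSION_TLDS)
    return {"hostname": hostname, "tld": tld, "findings": findings, "suspicious": suspicious}


if __name__ == "__main__":
    for sample in (BENIGN_URL, LOOKALIKE_URL):
        result = analyze(sample)
        print(sample)
        print("  host:", result["hostname"], "| suspicious:", result["suspicious"])
        for finding in result["findings"]:
            print("  -", finding)
```

Run it and the benign URL resolves to host github.com with no findings, while the lookalike URL resolves to host v1.0.0.zip with four findings. The verdict deliberately does not fire on userinfo or a .zip host alone, since both occur legitimately; it is the combination, or the presence of a lookalike code point at all, that is worth a block or a warning.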
With reporting by Jaikumar Vijayan
