New .zip and .mov domains are a hacker's dream and a user’s nightmare


Cybersecurity experts fear that people are about to be tricked on a scale never before seen.

Few people think about what they type into a web browser, but the domain name system is an important backbone of the world wide web. Domain names keep users on the right path toward the websites they want to visit and are an easy way to signify what you’re looking for online.

There are as many as 1,300 potential generic top-level domains (gTLDs) available through ICANN, the organization that controls the delegation of domain name endings across the internet. They signal certain areas of the internet and are far more tailored than the traditional .com, .org, and .net domain name endings that we’re used to. We’ve seen some attain limited success: a mooted .xxx domain name ending, which was designed to signify the presence of adult content on a website, hasn’t done much on the web, while other jokey ones have had limited interest.

Which is why a recent announcement by Google, made earlier this month, has caused such concern.

Welcome .dad, .zip and .mov

The tech giant announced that it was bringing eight new gTLDs into the world. They included ones that are designed for a specific use, such as .dad, but also some with unusual connotations. Two endings in particular, .zip and .mov, were unusual because they share similarities with pre-existing file name endings.

ZIP files, as those who have been working with computers for a long time are probably aware, are compressed files that crunch data down into smaller sizes, making them easier to send online. And MOV files are some of the most popular forms of video on Apple computers. Because of this shared lineage, some cybersecurity experts have warned that Google has just provided a boon to hackers.

The risks of phishing have long been covered by outlets, including CyberNews. Phishing is a social engineering attack designed to trick a user into thinking they’re engaged with an official source on the internet when, in fact, they’re looking at a nefarious website. Phishing often takes the form of spoofed bank websites, which users are directed to by emails purporting to be from official organizations. Users are then encouraged to enter the kind of details they’d only share with a trusted authority, not with strangers.

The risks of .zip and .mov

Because these two new gTLDs share similarities with commonly encountered files, cybersecurity experts fear that they’re likely to be used to try and fool users in the same way that phishing emails are. You could receive a link to download a home movie file called “babysfirststeps.mov,” which is actually a link to a website using the .mov gTLD.

There, you could be presented with a spoofed download page that makes you think you’re downloading a video file. Instead, you're downloading malware directly to your computer.
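The ambiguity described above can be checked for on the defensive side, for instance in a mail gateway or a link-scanning hook. The following Python is an added example written for this article, not code from Google, Netcraft or CyberNews; it assumes that the mail client turns bare dotted names such as bank-statement.zip into clickable links, and the sample message is constructed.

```python
import re
from urllib.parse import urlsplit

# gTLDs named in the article that collide with common file-name extensions.
COLLIDING_TLDS = {"zip", "mov"}

# Explicit links with a scheme, e.g. https://microsoft-office.zip/setup
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# A bare dotted name such as bank-statement.zip. Assumption: the recipient's
# client auto-linkifies such text, so it behaves like a URL when clicked.
# The lookbehind keeps us out of e-mail addresses and URL paths.
BARE_HOST_RE = re.compile(
    r"(?<![\w.@/-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.IGNORECASE
)


def _tld(host):
    """Last DNS label of a host name, lower-cased."""
    return host.rsplit(".", 1)[-1].lower()


def find_colliding_hosts(text):
    """Return [(token, reason)] for every name in text whose TLD is .zip or .mov.

    A URL whose *path* ends in .zip (https://example.com/report.zip) is not
    flagged: its host is example.com, so it is an ordinary file download.
    """
    findings = []
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname or ""
        if _tld(host) in COLLIDING_TLDS:
            findings.append((url, "explicit URL on a %s domain" % _tld(host)))
    # Remove explicit URLs first so their path components are not re-scanned.
    stripped = URL_RE.sub(" ", text)
    for match in BARE_HOST_RE.finditer(stripped):
        token = match.group(1)
        if _tld(token) in COLLIDING_TLDS:
            findings.append(
                (token, "file-like name that resolves as a %s domain" % _tld(token))
            )
    return findings


# Constructed sample message mixing the confusing cases with a harmless one.
SAMPLE = (
    "Hi, please review bank-statement.zip before Friday. "
    "The clip is called babysfirststeps.mov and the installer is at "
    "https://microsoft-office.zip/setup "
    "while the real report lives at https://example.com/files/report.zip."
)

if __name__ == "__main__":
    for token, reason in find_colliding_hosts(SAMPLE):
        print("%-40s %s" % (token, reason))
```

The check only tells you that a name would resolve as a .zip or .mov domain; whether the site is malicious still needs the usual URL reputation or sandboxing step.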

The issue seems theoretical until you dig into the data. Cybersecurity analysts Netcraft looked at the first two weeks of domain name registrations on the two gTLDs experts are worried about. They found five phishing attacks on domains with names like microsoft-office.zip. As well as that, a number of other domain names that could be used to confuse users have been registered – although white hat hackers are fighting back.

Take bank-statement.zip, for example, which would be a gold mine for an attacker if they had obtained it. Luckily, someone else got there first, explaining that this could be an attack vector for criminals and linking users to resources designed to better protect them online. “We anticipate that .zip may rank highly on our list of top 50 TLDs with the highest cybercrime incidents to active sites ratio,” Netcraft said.

It therefore remains the responsibility of users to be certain that what they’re clicking on is legitimate. Adopting a low-trust approach to anything online is a good way to remain aware of the potential risks and to avoid falling foul of cyber attacks that can harm your reputation, your livelihood, and your personal data.