The Unseen Cyber Threat: The New .mov and .zip Domains
In May, Google introduced eight new top-level domains (TLDs), a move that has sparked an intense debate amongst cyber security experts. Top-level domains, or TLDs, are the suffixes at the end of a URL, such as “.com”, “.co.uk”, “.net”, “.uk” and many others. TLDs were conceived decades ago with the objective of organising and expanding the universe of URLs. Google’s latest expansion includes playful options like “.dad” and “.nexus”, but the launch also included two TLDs that have alarmed many in the cyber security field: “.zip” and “.mov”.
The concern among cyber security experts stems from these two new TLDs doubling as common file extensions. “.zip” is a staple of data compression and “.mov” is a video format used by Apple; both extensions are widely used and recognised within the technology industry among users of all experience levels. Observers fear that these URLs, which mimic file names, could provide a new avenue for cyber criminals to execute phishing scams and other online fraud.
For example, cyber criminals purchase .zip and .mov URLs that replicate common file names, such as “summerholiday23.mov” or “confidential-information.zip”. This could cause a reference to a file with that name to automatically link to a malicious website, tricking users into clicking on these deceptive links, downloading malicious files or entering login information, which the criminals then use to steal their data.
Another example is that a URL can be made to resemble a familiar address by adding an @ within it:
https://www.one2call.net/news/story/@newsarticle.zip
gets treated as the URL:
newsarticle.zip
and anything before the @ is treated as a username.
Although many experts are voicing concerns about these developments, the sentiments are not universally shared. Some argue that the existing dangers of phishing attacks are so pervasive that the addition of .zip and .mov domains won’t significantly alter the risk landscape. In a statement to WIRED, Google pointed out that the risk of confusion between domain names and file names is not a novelty. The tech giant already has mechanisms in place through Google Registry to suspend or remove malicious domains across all of the company’s top-level domains. They affirmed their commitment to monitoring the usage of .zip and other TLDs, promising to take appropriate action to protect users if new threats emerge.
However, not everyone shares this optimistic outlook. Critics argue that the overlap between the two extremely popular file formats and the newly registered web domains could introduce fresh security threats to the internet ecosystem. Cyber criminals now have novel, “creative” tools at their disposal to orchestrate malware installations, phishing campaigns, and other malevolent activities. The advent of .zip and .mov as universally approved TLDs means that internet services and mobile apps are virtually compelled to treat text snippets such as “test.zip” or “test.mov” as legitimate URLs to open in a web browser. This development, coupled with the growing trend of cyber criminals exploiting the new TLDs, underscores the potential hazards that these domains pose to cyber security.
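The two link patterns described above (file-like domain names and the @ delimiter) can be checked with the same URL parser that browsers use. This is an added example, not code from this article or from One2Call; `inspectLink`, `triage`, `FILE_LIKE_TLDS` and the sample links are constructed for illustration. A standards-conforming parser only treats the text before an @ as a username when the @ comes before the first / of the address, so the checker reports the host that is actually resolved and flags an @ later in the URL separately.

```javascript
// Added example; names and sample links are constructed for illustration.
const FILE_LIKE_TLDS = new Set(["zip", "mov"]);

// Parse one link with the WHATWG URL parser (the one browsers use) and
// report the host it really resolves to plus any reasons to distrust it.
function inspectLink(text) {
  // Apps auto-link bare tokens such as "test.zip"; model that as https.
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(text);
  let url;
  try {
    url = new URL(hasScheme ? text : "https://" + text);
  } catch (err) {
    return { host: null, reasons: ["unparseable"] };
  }
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  const tld = host.slice(host.lastIndexOf(".") + 1);
  const reasons = [];
  if (FILE_LIKE_TLDS.has(tld)) reasons.push("file-extension-tld");
  if (url.username !== "" || url.password !== "") {
    // Everything before "@" in the authority is userinfo, not the site.
    reasons.push("userinfo-before-host");
  } else if ((url.pathname + url.search).includes("@")) {
    // "@" after the first "/" leaves the host unchanged but misleads readers.
    reasons.push("at-sign-in-path");
  }
  return { host, reasons };
}

// Return only the links that need blocking or review.
function triage(links) {
  return links
    .map((link) => ({ link, ...inspectLink(link) }))
    .filter((r) => r.reasons.length > 0);
}

const SAMPLE_LINKS = [
  "https://www.one2call.net@newsarticle.zip/",            // "@" in authority
  "https://www.one2call.net/news/story/@newsarticle.zip", // "@" in path
  "summerholiday23.mov",                                  // bare file-like name
  "https://example.com/files/report.zip",                 // real file on a .com host
];

for (const r of triage(SAMPLE_LINKS)) {
  console.log(`${r.link} -> host=${r.host} [${r.reasons.join(", ")}]`);
}
```

A link to a genuine `.zip` file hosted on an ordinary domain is not flagged, because only the resolved host's TLD is compared against the list.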
Despite the ongoing debate amongst security experts, the advent of these new TLDs signals a changing landscape in the world of internet security. Whilst some are sceptical of the perceived threats, others (including ourselves) caution that these new domains could provide cyber criminals with powerful tools for deception. As the digital world continues to evolve, the importance of staying ahead of the curve in cyber security cannot be overstated. We strive to provide all of our customers (and anyone else who wants to stay up to date with the latest changes in the cyber security space) with the most up-to-date information to ensure that they are aware of evolving threats.
How can your business protect itself from the evolving cyber security threats posed by the new “.zip” and “.mov” TLDs? Our Active Email Threat Protection monitors all links received in email to check their legitimacy. It can check for (and block) the use of these new TLDs in hyperlinks you are sent, as well as the use of the @ username delimiter within the URL. If you would like to find out more about Active Email Threat Protection, click the link below.