
You’re likely familiar with ZIP archives, which allow you to compress multiple files into one to save space and make transferring them easier. But as of 2023, .zip is now a valid ending for websites online as well.

While a minor change in the grand scheme, this has implications for security you should be aware of. Let’s review how this could present additional threats online.

Top-Level Domains Explained

To understand this issue, it’s important to know a bit about how URLs work when you visit a website. In a URL like “next7it.com”, the final part (including the period) is called the top-level domain (TLD).

These help classify the purpose of the domain (a domain name simply being another name for a website) and are part of identifying a site as a unique entity on the internet. .com (standing for “commercial”) is the most popular, but there are plenty of others—such as .net, .gov, and .edu. There are also TLDs for countries, like .jp for Japan or .es for Spain.

[Image: URL structure broken down into parts. Image Credit: Noémie2602/Wikimedia Commons]

While most are rare, you’d be surprised how many valid top-level domains there are; some odd ones include .pro, .center, and .buzz.

In May 2023, Google introduced several new top-level domains, including .dad, .phd, and .foo. Most of these are innocuous, but there are two in particular that pose potential issues: .zip and .mov.

File Extensions and Invalid Domains

You might recognize .zip and .mov because they are both computer file extensions. Files on your PC end in an extension so you know what they are and your PC knows what program to open them with. For example, .mp3 files are audio and .docx files are Word documents.

Until this change, .zip was only used for compressed file archives, while .mov referred to a video format created by Apple. The trouble with these file extensions now also acting as web domains is that many apps create automatic links when you type text in the “abc.xyz” web link format. For instance, if you type “example.com” in a messaging app or blog post, it may automatically convert to a clickable link.

[Image: example.com being automatically highlighted as a link in Slack]

This is convenient—unless you don’t intend for what you type to be a link. It’s easy to create one by mistake with a typo like “there.Iam”. Accidental links are harmless when they aren’t valid web domains, but Google has now created more opportunities for people to trick others into visiting phony pages.

The Trouble With Google’s New Top-Level Domains

Now that we’ve explored the background, it’s clear how these new web domains could pose a security risk. Imagine sending a message like this to a colleague or loved one:

Download the update.zip file and extract that to upgrade to the latest version of the app

While you meant to specify the name of the “update.zip” file, this is also now a valid web domain. Thus, your messaging app will turn it into a link the other person can click. And when they do, it won’t take them to the file in question—it will take them to that website.

You can see this with a real example like financialstatement.zip. Clicking this brings you to a website registered to bring attention to the problems with these new TLDs. Other educational examples like bank-statement.zip have also arisen.

In an ideal case, the site won’t be registered, and whoever clicks it will see an error page. But scammers can easily use common terms like “update.zip”, “backup.zip”, and “attachment.zip” to create phishing websites with a wide potential victim base. Anyone who clicked one of these links would unknowingly go to a fake website, where they’d be prompted to hand over account credentials or similar.
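The risk described above comes from a bare filename such as “update.zip” being indistinguishable, to an autolinker, from a domain name. The following Python scanner is an added example (not code from the original article or from Next7 IT) showing how a mail or chat gateway could flag such tokens and “defang” them so they no longer autolink. It assumes only the two TLDs the article names (.zip and .mov) and treats anything inside an existing URL path (e.g. `https://example.com/q1.zip`) as a real file reference rather than a domain; the sample messages are constructed for illustration.

```python
import re

# File extensions that became valid top-level domains in 2023 (from the article).
FILE_EXTENSION_TLDS = ("zip", "mov")

# A bare "label.label.zip" / "label.mov" token, i.e. what a chat or mail client's
# autolinker would turn into a clickable link. The negative lookbehind rejects tokens
# that are part of a longer word or sit inside a URL path (preceded by "/" or ".");
# the negative lookahead rejects "update.zipper" and similar partial matches.
_TOKEN_RE = re.compile(
    r"(?<![\w./-])"                                   # not glued to a preceding word/path
    r"((?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+"        # one or more DNS labels, each followed by "."
    r"(" + "|".join(FILE_EXTENSION_TLDS) + r"))"      # the colliding TLD
    r"(?![\w-])",                                     # token ends here
    re.IGNORECASE,
)


def find_file_extension_domains(text: str) -> list[str]:
    """Return every bare token in text that an autolinker would treat as a .zip/.mov domain.

    Example: "Download the update.zip file" -> ["update.zip"]
    """
    return [m.group(1) for m in _TOKEN_RE.finditer(text)]


def defang(text: str) -> str:
    """Rewrite flagged tokens so they no longer autolink: update.zip -> update[.]zip.

    The filename stays readable for the recipient, but the "." before the TLD is
    replaced with "[.]", which no common client recognises as part of a domain.
    """
    def _rewrite(m: re.Match) -> str:
        name, ext = m.group(1).rsplit(".", 1)
        return f"{name}[.]{ext}"

    return _TOKEN_RE.sub(_rewrite, text)


if __name__ == "__main__":
    # Constructed sample messages, including the one from the article.
    samples = [
        "Download the update.zip file and extract that to upgrade to the latest version of the app",
        "Quarterly numbers are at https://example.com/reports/q1.zip (internal share)",
        "Attached: Backup.MOV and attachment.zip.",
    ]
    for msg in samples:
        flagged = find_file_extension_domains(msg)
        print(f"{flagged!r:40} <- {msg}")
        if flagged:
            print("   defanged:", defang(msg))
```

A gateway would typically run `find_file_extension_domains` on outbound text and either warn the sender or apply `defang` before delivery; the same check applied to inbound mail gives a cheap signal that a “file” reference may actually be a link to a newly registered .zip or .mov site.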

Staying Safe Against New Threats

While these new links present a possible fresh method of attack for malicious people online, they thankfully aren’t much different from existing fake URL attacks. The same tips for staying safe from dangerous websites apply.

You should never trust a URL sent to you in a message or email—it’s always safer to visit the website directly. Be wary of any URLs ending in .zip or .mov—while these are uncommon now, they may become more popular in the future.

While IT administrators could block all domains that end with .zip or .mov, this may be overkill depending on the situation. It’s more sensible to educate people about possible scams and how to spot shady URLs. Using tools like DNSFilter, included in our Managed IT Services, to block phishing and newly registered domains can help reduce the chances of going to a malicious site. We also configure FortiGate and other firewalls to provide a similar level of web filtering protection for redundancy.

It’s neat to have more TLDs available, but this also introduces yet another potential point of confusion to trick people. If you haven’t already, you should consider using passkeys to avoid many of the common pitfalls of passwords.
