Phishing attacks already using the .zip TLD

On May 3rd, Google Registry launched eight new top-level domains (TLDs) “for dads, grads and techies”, including a .zip TLD. While these new TLDs come with benefits such as automatic inclusion on the HSTS preload list, the launch of new TLDs has always presented cyber criminals with the opportunity to register domains in bad faith.

Parts of the security community, such as the SANS ISC, have already identified the potential for fraud via the potential conflation of a universally known file extension (.zip) with a TLD. TLDs overlapping with file extensions is not a new problem: .com is also an executable format, .pl represents both Poland and Perl scripts, and .sh represents Saint Helena and Unix shell scripts.

Earlier this week, we investigated existing registrations using the .zip TLD and confirmed that there is already evidence of fraudulent activity.

.zip domains as phishing lures

At the time of writing, there are fewer than 5,000 registered domains using .zip. 2,253 of these have an A record, pointing to 838 distinct IP addresses. We have discovered phishing attacks on five of these domains so far, none of which are still live at the time of writing.

Domain Targeted brand
report2023[.]zip Microsoft
microsoft-office[.]zip Microsoft
microsoft-office365[.]zip Microsoft
e-mails[.]zip Google
login.payment-statement[.]zip Okta

report2023[.]zip was probably a threat actor’s ‘proof of concept’. The site, which mimics a Microsoft login screen, states ‘THIS IS FOR TESTING’.

Sign-in panel displayed on report2023[.]zip

Sign-in panel displayed on report2023[.]zip

microsoft-office[.]zip initially said ‘This is not a microsoft page’ when we first saw it on May 13th (around 8.50 am GMT). This text had been removed when we re-scanned the page an hour later.

Sign-in panels displayed on microsoft-office[.]zip

Sign-in panels displayed on microsoft-office[.]zip

All these attacks used different hosting providers and were registered with different registrars, suggesting there were different threat actors behind them. We notified Google Registry as part of our takedown process for some of these domains; these domains now no longer resolve.

Other suspicious .zip activity

There are many domains registered which are likely to be bad faith registrations, although these are not currently displaying malicious content. These include:

  • domains containing known brand names, such as several dozen domains that contain the word ‘Microsoft’, including microsoft[.]zip, microsoft-windows-update[.]zip, microsoftteams[.]zip, microsoftedgesetup[.]zip, microsoftinstaller[.]zip.
  • 200 domains that mention ‘installer’ or ‘update’, including chromeupdatex64[.]zip, browser-update[.]zip, firefoxinstaller[.]zip, driver-update[.]zip, updatediscord[.]zip, urgent-update[.]zip, zoom-installer[.]zip, winrar-installer[.]zip.
  • various domains that mention banks by name, such as bankofamericasecurities[.]zip.
  • several that could plausibly be used in emails where a victim expects to download a file, but is linked to the domain instead (pay-statements[.]zip, paystub[.]zip, photos[.]zip, attachment[.]zip).
  • eicar[.]zip has been registered but currently has no A records. The EICAR test file is a benign file typically used to test anti-virus software.
  • fewer than 50 domains on .zip contained or redirected to a .zip file. Of these, at least two were zip bombs, which are often deployed to disable antivirus software.

Auistic .zip registrations

We’ve also detected a number of domains that have been registered to raise awareness about how the .zip TLD could be used for fraud. One such example is bank-statement[.]zip, which displays the following.

Security notice displayed on bank-statement[.]zip

Security notice displayed on bank-statement[.]zip

Other examples, such as financialstatement[.]zip, are more forthright when expressing their concerns:

Security concerns displayed on financialstatement[.]zip

Security concerns displayed on financialstatement[.]zip

There are also a handful of other domains not currently displaying explicit ‘awareness’ content, but are probably motivated by the same concerns. These include domains such as notransomware[.]zip, notphishing[.]zip, and absolutely-not-a-virus[.]zip.

Other things spotted using the .zip TLD

While we anticipate that .zip may rank highly on our list of top 50 TLDs with the highest cybercrime incidents to active sites ratio, it is not just fraud that we found using the TLD during our investigations. We also spotted:

  • 71 domains redirected to YouTube videos, of which 48 are a Rickroll.
  • a domain that redirects to a zip file containing the TSA “No Fly” list leaked earlier this year.
  • a link shortener.
  • various sites being used to offer services associated with file compression, such as a site for zipping files and another for producing compressed YouTube thumbnails.

Finally, there are approximately 600 domains registered using .mov, which is another new TLD that is also a well-recognized file extension. We have run an analysis on these, and at the time of writing have not identified any fraud.

How can Netcraft help?

Our position at the epicentre of the battle against cybercrime allows us to
rapidly identify, monitor and react to new threats, like those identified in
this post. We continue to monitor for malicious content on .zip and other new
TLDs. The Netcraft browser extension and mobile apps
block the .zip threats described in this post, and will block new threats as we
discover them.

Netcraft is the world leader in cybercrime detection, disruption, and takedown, and has been protecting companies online since 1996. We help organizations worldwide (including 12 of the top 50 global banks) and perform takedowns for around one third of the world’s phishing attacks, taking down 90+ attack types at a rate of 1 attack every 15 seconds. Our malicious site feeds protect billions of people around the world from phishing, malware, and other cybercrime activities.

We offer solutions for domain registries and domain registrars,
including real-time alerts or takedowns for fraudulent content found on your
TLD/infrastructure and a tool
for analysing the likelihood that a new domain name is deceptive and will be
used for fraud.