On the 3rd May, Google made one of its most controversial moves yet by opting to put .zip domains on sale. Eight new top-level domains were actually announced but it was .zip and .mov that have raised the most concern because of the cybersecurity risks they pose.
So why are people worried, and more importantly, what can you do to protect yourself? We go over all of this below.
Why are .zip domains a security risk?
Top-level domains (TLDs) are the letters that came after the dot at the end of the domain, so .zip is a top level domain. File extensions are the three letters that came after the dot at the end of the file name.
Let’s look at some examples…
TLDS:
examplenamehere.zip
File extensions:
examplenamehere.zip
Right there lies the key problem – domain names and filenames are not even remotely the same thing, but they both play a crucial role in modern cyberattacks. Making sure they’re correctly identified has been a key part of basic cybersecurity for quite a while.
Following Google’s announcement, many are concerned that the TLDs could be used to trick users into visiting sites that contain malware, viruses, and other malicious content. Sites, messaging platforms and other applications are now automatically converting .zip file names into URLs which could lead to users clicking on them and falling victim to scams and malware.
For example, those with malevolent intent could send phishing emails with an attachment that says, “Pictures are attached”. As zip files are often associated with pictures rather than URLs, the recipient could automatically click the link thinking they’ll be downloading images rather than being sent to a potentially dangerous website. This could especially be a problem within companies where sending images happens frequently, for example, property agents.
The automatic hyperlinking of .zip could cause problems beyond phishing emails too. Think about the amount of .zip links out there which the authors didn’t intend to have link anywhere. For example, there are numerous tutorials online that explain how to unzip zipped folders, if they’re used .zip this will be automatically hyperlinked and send users on that webpage to a different domain that could potentially have been bought for malicious use. This applies to social media too, as .zip will now be hyperlinked and sending users to places the original poster did not intend.
There have already been .zip domains reported as hosting dangerous malware or phishing scams, so this potential security risk isn’t going unnoticed by hackers.
How to avoid protect yourself against malicious .zip TLD’s
As .zip TLDs have only recently become available, now is the time for businesses and security teams to get organised and decide how to handle these new potential threats. Getting an early head start on it will help to avoid issues further down the line, so don’t ignore this problem until it’s on your digital doorstep.
The easiest way to prevent issues is to block all suspicious domains from resolving. This is achievable within a few days as security teams could create a Windows Firewall policy to block .zip and other TLDs the company doesn’t use.
Another solution is to use the Name Resolution Policy Table rules in Windows Server 2012. Additionally, specific TLDs can be blocked in Outlook, just go to the blocked senders settings and adjust it from there.
Blocking .zip has been largely recommended by many in the infosec community, at least for now. Johannes Ullrich, dean of research at SANS Internet Storm Centre has said:
"Given the low 'real world' usage of .zip domains, it may be best to block access to them until it is clear if it will be useful."
Right now, many are employing the better safe than sorry method, so blocking .zip completely is currently the most advisable path. If you are within a sector where you feel you may be at higher risk of falling victim to .zip scams, it’s a good idea to hold some training with your staff so they are aware of the situation and can be hyper-alert to the risks.
Ready to make every element of your business cyber safer? Get in touch to find out how we can help.
Comments