Re-visiting .zip domains

April 7, 2024

I wanted to go back to last year and re-visit the excellent blog from Bobbyr at https://medium.com/@bobbyrsec/the-dangers-of-googles-zip-tld-5e1e675e59a5 where he skillfully explored the dangers of Google's new TLD (top level domain) of .zip and see what if anything has come of it since then.

To quickly recap, in May of 2023 Google decided that adding a .zip TLD would be a good idea. It was quite the buzz amongst security researchers for a couple of weeks trying to decide how dangerous or perhaps overblown this new TLD may be. The Bobbyr post explored the inherent dangers in doing just that. The introduction was a quick eye test to see which one of the URLs below is legitimate and which one drops evilness.

To the untrained eye (and even those in this industry) it's not all that obvious which one has some shenanigans going on. Would your parents or grandparents have any clue? Of course not. It's the first one that is evil. The 2 key elements pointed out in the first URL is the use of user info before the '@' and the Unicode version of the '/' (which is sloped more forward than a normal forward slash). Anything before the '@' is ignored in this case and the user is sent directly to the v1271.zip domain. The use of Unicode '/' allows a more complete URL path to be specified (the use of a normal '/' before the '@' will cause the browser to go to github.com and use everything after as the path). This combination used in a phishing email can quite easily create the necessary smoke and mirrors needed to send the unwitting user towards evilness.

As for usage of the .zip domain itself, there was a nice write-up from Netcraft at https://www.netcraft.com/blog/zip-tld-six-months-on-and-still-rollin/ in November, taking a look at how things had progressed during the first 6 months since its inception. Below is a graphic from their post showing registration numbers:

Netcraft notes that they had blocked a total of 56 malicious .zip domains in these 6 months and that most impersonated big brands such as Google and Microsoft. They also continue to see a decent number of .zip sites being used altruistically in the hopes of spreading the word on the potential dangers of these domains. I'm considering diving deeper to see if any later statistics may be available, but my guess is that the trends haven't changed.

Now let's get to the main reason why I wanted to re-visit .zip domains again. Last May I registered my own domain, maliciousdownload.zip, with the thought of possibly using it for research and educational purposes only of course. I thought about what kind of use cases could be created from it and figured it could serve as a training domain for PoC phishes.

So, what's next with .zip TLDs? Are companies taking the early advice of many security researchers and just blocking them all together or are they just handling them like any other domain and blocking as needed?