At the beginning of May, Google introduced a raft of new top-level domains for purchase from the public — .dad, .phd, .prof, .esq, .foo, .zip, .mov and .nexus.
Most of them seem to have obvious intentions. .dad, for instance, is for celebrating fatherhood, in Google’s own words, while .phd and .prof are for use by those in higher education.
However, the .zip and .mov domains — intended for more technical users — have some security researchers worried they could be misused by threat actors in phishing and other malicious cyber campaigns.
The concern is that .zip and .mov are also common file extensions, for ZIP archives and MP4 video files, which are frequently shared online along with instructions on how to open them; such filenames will now often be converted into clickable links automatically. This could, in theory, lead to threat actors registering domains that match a filename, which could, in turn, be used for phishing or spreading malware.
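To make the linkification problem concrete, here is an added example (not code from the article or from any of the people quoted in it) showing what a defensive filter on a mail gateway or chat bot could do: find tokens that read as a file name but are also a registrable host name under .zip or .mov, and rewrite them in the same `name[.]zip` defanged form the article uses when reporting hostile domains, so an auto-linker no longer turns them into links. The sample message and the function names are constructed for this illustration.

```python
import re

# TLDs that are also everyday file extensions, per the article.
LINKABLE_TLDS = ("zip", "mov")

# One DNS label: letters, digits and inner hyphens, up to 63 characters.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"

# Hostname-like tokens whose last label is a watched TLD. The lookbehind stops
# us matching the tail of a longer token; the lookahead rejects strings such as
# "data.zip.txt" that continue with a further label or extension.
_PATTERN = re.compile(
    r"(?<![\w.-])"
    r"((?:" + _LABEL + r"\.)+(?:" + "|".join(LINKABLE_TLDS) + r"))"
    r"(?!\.?\w)",
    re.IGNORECASE,
)


def find_linkable_filenames(text: str) -> list[str]:
    """Return every token in `text` that an auto-linker could turn into a
    clickable .zip or .mov link, in order of appearance."""
    return [m.group(1) for m in _PATTERN.finditer(text)]


def defang(text: str) -> str:
    """Rewrite each such token as name[.]zip / name[.]mov so it is no longer a
    valid host name and will not be auto-linked."""
    return _PATTERN.sub(lambda m: m.group(1).replace(".", "[.]"), text)


if __name__ == "__main__":
    # Constructed sample message, not taken from any real conversation.
    sample = ("Please open report-2023.zip and watch demo.mov; "
              "keep archive.tar.gz and data.zip.txt unchanged.")
    print(find_linkable_filenames(sample))
    print(defang(sample))
```

The lookahead is what keeps the filter from over-matching: `archive.tar.gz` is ignored because its last label is not a watched TLD, and `data.zip.txt` is ignored because `.zip` is not the final label, so only strings that a browser would actually resolve as a host name are rewritten.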
According to Bleeping Computer, two possible phishing pages have already been found at microsoft-office[.]zip and microsoft-office365[.]zip.
“We’re closely monitoring all activity from suspicious registrations using the new TLDs,” said threat intelligence firm Silent Push Labs on Twitter. “Still, we see highly exploitable domains hosting awareness pages for .zip/.mov TLDs abuse.”
Other researchers have been even more open in their views on the new TLDs, but whether they are actually dangerous or not is very much still being debated.
“Regarding the .zip domains I complained about,” said popular Twitter security commentator SwiftOnSecurity. “I think it’s dumb and unnecessarily creates confusion and will lead to various minor phishing schemes/tricks/address-confusion attacks... but it’s just going to get forced into being another TLD.
“It just feels uniquely unneeded.”
But others feel the reactions are a little over the top.
“The level of fear-mongering about .ZIP and .MOV is just comical,” said developer Eric Lawrence in a tweet. “It’s a bit alarming to watch the cutting edge of the Technorati throwing their shoes into the machinery in terror.”
Lawrence went on to write a full blog post breaking down how the new TLDs may lead to even more secure browsing.
“One especially fun fact about requiring HTTPS for an entire TLD is that it means that every site within that TLD requires a HTTPS certificate,” Lawrence wrote. “To get a HTTPS certificate from a public CA requires that the certificate be published to Certificate Transparency, a public ledger of every certificate.
“Security software and brand monitors can watch the certificate transparency logs and get immediate notification when a suspicious domain name appears.”
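The monitoring Lawrence describes can be sketched in a few lines. The following is an added example, not code from Lawrence or from Silent Push Labs: it walks a simplified, constructed stand-in for Certificate Transparency log entries (each entry reduced to its list of subject alternative names; real log entries carry full certificates), keeps only names under the .zip and .mov TLDs, and scores each by how closely its registrable label resembles a watched brand. The two domain names in the sample are the ones reported in the article; the brand list, the scoring weights and the function names are assumptions for this illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# TLDs that double as file extensions, per the article.
WATCHED_TLDS = {"zip", "mov"}

# Constructed brand/keyword list; a real deployment would load the
# organisation's own product and domain names here.
BRANDS = ("microsoft", "office365", "office", "google")


@dataclass
class Finding:
    name: str
    reasons: list[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        # A watched TLD alone is worth 1; each brand match adds 2.
        return sum(2 if r.startswith("brand:") else 1 for r in self.reasons)


def tld_of(name: str) -> str:
    return name.lower().rstrip(".").rsplit(".", 1)[-1]


def assess(name: str, brands=BRANDS) -> Optional[Finding]:
    """Score one certificate subject name; None if it is not on a watched TLD."""
    host = name.lower().lstrip("*.")          # wildcard certs: judge the base name
    tld = tld_of(host)
    if tld not in WATCHED_TLDS:
        return None
    finding = Finding(host, [f"watched-tld:{tld}"])
    registrable = host.split(".")[-2]         # label directly under the TLD
    squashed = registrable.replace("-", "")   # "microsoft-office" -> "microsoftoffice"
    for brand in brands:
        if brand in squashed:
            finding.reasons.append(f"brand:{brand}")
    return finding


def triage(log_entries, brands=BRANDS) -> list[Finding]:
    """Walk CT-style entries (dicts with a 'names' list of SANs) and return one
    finding per distinct host, most suspicious first."""
    seen: dict[str, Finding] = {}
    for entry in log_entries:
        for san in entry.get("names", []):
            finding = assess(san, brands)
            if finding and finding.name not in seen:
                seen[finding.name] = finding
    return sorted(seen.values(), key=lambda f: (-f.score, f.name))


# Constructed sample log; the first two hosts are those named in the article.
SAMPLE_LOG = [
    {"names": ["microsoft-office.zip", "*.microsoft-office.zip"]},
    {"names": ["microsoft-office365.zip"]},
    {"names": ["family-movies.mov"]},
    {"names": ["photos.example.com"]},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.score:2d}  {f.name:28s} {', '.join(f.reasons)}")
```

Because every site on these TLDs must obtain a publicly logged certificate before it can serve HTTPS, a brand owner running this kind of check against the live logs sees a look-alike name at issuance time, typically before any phishing mail that uses it has been sent.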
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.