Unzipping the truth: The hidden dangers of .zip domains

Luis Corrons 1 Aug 2023

That .zip file looks legit, but it may actually be a sneaky new way for cybercriminals to steal your info.

We all love the convenience of the internet, right? But sometimes it can be a bit like the Wild West, with new threats popping up where we least expect them. With that in mind, we want to talk about a new trick that cybercriminals are using to fool us: .zip domains.

You might be wondering, "What's a .zip domain?" Well, you know how websites usually end in .com, .org, or .net? Those are called top-level domains (TLDs). In May 2023, Google Registry opened up a batch of new ones, including .zip, .mov, and .phd. Sounds cool, right? But here's the catch: .zip and .mov are also two of the most common file extensions, so a string like "report.zip" can now be either a file name or a website address, and cybercriminals are already finding ways to misuse that ambiguity.

Here's how they do it: they register .zip domains that mimic the names of big tech companies like Microsoft, Google, Amazon, and PayPal. So when you see a link that ends with something like "microsoft.zip," you might think you're downloading a file from Microsoft, when in reality you're being sent to a potentially harmful website. This trick is especially sneaky because it takes advantage of our trust in these big-name companies. And the worst part? Once you're on their site, the cybercriminals can run a phishing scheme or infect your device with malware, leading to identity theft and even financial loss.

Now, you might be thinking, "But I can tell the difference between a file and a website!" And usually, you'd be right. But these .zip domains are blurring the lines and making it harder to tell what's what. To illustrate that, Matěj Krčma, the Malware Analyst at Avast who is leading this research, has created the following example for us:

Here we can see what a typical scam created by cybercriminals could look like: an email with an attachment called "attachment.zip." The email body says that the file is a crucial software update and includes a hyperlink that looks like it would open the attachment. Instead, it sends the user to a remote URL. Sneaky, right?
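To make the "looks like a file, is really a link" problem concrete, here is an added example (our own illustration, not code from Avast or from Matěj Krčma's research) that scans an email body the way a mail gateway or a curious IT person might: it pulls every hyperlink out of the HTML, works out which host the link really goes to, and flags any link whose visible text looks like a file name while its real destination is a website, or whose host sits under a file-extension TLD such as .zip or .mov. It also picks out bare "something.zip" tokens in plain text, since many mail and chat clients turn those into clickable links automatically. The sample email HTML and the domain names in it are constructed for this example; the helper names (analyze_links, find_bare_filenames, effective_host) are ours.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# TLDs that double as common file extensions. Assumption for this example:
# any link whose real host ends in one of these deserves a second look.
FILE_LIKE_TLDS = ("zip", "mov")

# Constructed sample of the kind of email body the post describes: the
# visible link text looks like an attachment, but the href points to a
# remote host under a .zip TLD. The domain names are made up.
SAMPLE_EMAIL_HTML = """
<p>Please install the attached crucial software update.</p>
<p><a href="https://update-microsoft.zip/attachment.zip">attachment.zip</a></p>
<p>Or download it from <a href="https://example.com/files/attachment.zip">our site</a>.</p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def effective_host(url):
    """Return the host a browser would actually connect to for this URL.

    urlsplit().hostname discards the scheme, any user:pass@ prefix and the
    port, which matches how browsers pick the host (RFC 3986). A bare
    'attachment.zip' with no scheme is treated as a web address, because
    that is how an auto-linking client would treat it.
    """
    parts = urlsplit(url if "://" in url else "https://" + url)
    return (parts.hostname or "").lower()


def tld_of(host):
    """Last DNS label of a host name, e.g. 'zip' for 'update-microsoft.zip'."""
    return host.rsplit(".", 1)[-1] if "." in host else ""


def looks_like_filename(text):
    """True when the visible text is shaped like a bare file name, e.g. attachment.zip."""
    pattern = r"[\w\-]+\.(%s)" % "|".join(FILE_LIKE_TLDS)
    return re.fullmatch(pattern, text, re.I) is not None


def analyze_links(html):
    """One finding per anchor; 'reasons' is empty when the link looks benign."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = effective_host(href)
        reasons = []
        if tld_of(host) in FILE_LIKE_TLDS:
            reasons.append("host uses a file-extension TLD (.%s)" % tld_of(host))
        if looks_like_filename(text) and text.lower() != host:
            reasons.append("visible text looks like a local file but the link goes to " + host)
        findings.append({"href": href, "text": text, "host": host, "reasons": reasons})
    return findings


def find_bare_filenames(plain_text):
    """Tokens like 'report.zip' in plain text, which many clients auto-link as URLs."""
    pattern = r"\b[\w\-]+\.(?:%s)\b" % "|".join(FILE_LIKE_TLDS)
    return re.findall(pattern, plain_text, re.I)


if __name__ == "__main__":
    for finding in analyze_links(SAMPLE_EMAIL_HTML):
        status = "SUSPICIOUS" if finding["reasons"] else "ok"
        print(status, repr(finding["text"]), "->", finding["host"], "; ".join(finding["reasons"]))
    print(find_bare_filenames("See attachment.zip and demo.mov for details."))
```

The same idea is what you do by hand when you hover over a link before clicking: the text you can see is not the destination, the href is. In the constructed sample, the first link is flagged twice (the text says "attachment.zip" but the host is a .zip website), while the second link is an ordinary .com download and is left alone. The regex helpers are deliberately narrow; a production filter would also normalise Unicode look-alike characters and check the full public suffix list rather than the last label alone.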

So, what can we do to protect ourselves? First, treat any .zip or .mov link with caution. If you see a .zip at the end of a link, think twice before clicking, and hover over it to see where it really goes: a link whose text looks like a file name but whose destination is a different web address is a red flag. Second, keep your antivirus software updated to protect against the latest threats. And finally, stay informed about new threats. Knowledge is power, after all!

We hope this post has helped shed some light on this new kind of internet trickery. Remember, the internet is a wonderful place, but it's important to stay vigilant and protect ourselves. If you're interested in more technical details or advice for IT personnel to protect against this particular threat, check out our full technical article by Matěj Krčma in our Decoded blog. 

Stay safe out there, friends! 
