Google’s recent release of eight new top-level domains (TLDs) has raised concerns among security researchers. While some of the new TLDs introduced by Google, such as “.dad” and “.nexus,” were light-hearted additions, the inclusion of “.zip” and “.mov” has sparked worries about phishing and online scams. These two TLDs are particularly concerning because they are also common file extension names used for data compression and video formats.
The main worry is that URLs resembling file names could open up new avenues for digital scams, tricking users into clicking on malicious links disguised as legitimate files. Moreover, the problem could be exacerbated by programs mistakenly recognizing file names as URLs and automatically creating links to those files. This creates the possibility for scammers to strategically purchase “.zip” and “.mov” URLs that match common file names. For instance, a URL like “homemovie.mov” could automatically link to a malicious website when mentioned online.
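An added example, not from the original article or from Google: one way an auto-linker can avoid the behaviour described above is to leave a bare name under a file-extension TLD as plain text and link it only when the author wrote an explicit scheme. The function name, the TLD set and the sample text are assumptions constructed for illustration.

```python
import re

# TLDs named in this article that are also common file extensions.
FILE_EXTENSION_TLDS = {"zip", "mov"}

# Host-like token: dot-separated labels, optionally preceded by http(s)://.
# The lookbehind skips e-mail addresses and mid-word matches; the lookahead
# lets a sentence-ending period follow the name.
TOKEN_RE = re.compile(
    r"(?<![\w@.-])"
    r"(?P<scheme>https?://)?"
    r"(?P<host>(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63})"
    r"(?![a-z0-9-]|\.[a-z0-9])",
    re.IGNORECASE,
)


def classify(text):
    """Return (token, action) pairs for every host-like token in text.

    "link"     - explicit scheme, so the author meant a URL
    "plain"    - bare name ending in a file-extension TLD: do not linkify
    "autolink" - bare name under any other TLD
    """
    results = []
    for match in TOKEN_RE.finditer(text):
        host = match.group("host").lower()
        tld = host.rsplit(".", 1)[1]
        if match.group("scheme"):
            action = "link"
        elif tld in FILE_EXTENSION_TLDS:
            action = "plain"
        else:
            action = "autolink"
        results.append((match.group(0), action))
    return results


# Constructed sample message (not real traffic).
SAMPLE = ("Attached: homemovie.mov and backup.zip. "
          "Site: https://homemovie.mov/ or example.org")

if __name__ == "__main__":
    for token, action in classify(SAMPLE):
        print(f"{action:9} {token}")
```

The same rule can run in a mail or chat gateway to count how often bare ".zip" and ".mov" names appear in messages before deciding whether to disable auto-linking for them.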
Tim Boswell, a phishing researcher and principal threat adviser at cybersecurity firm Dlinked, points out that attackers will exploit any available means to infiltrate organizations. This issue is not new and has been a persistent problem for a long time.
Researchers have already observed malicious actors acquiring strategic “.zip” URLs and testing them in phishing campaigns. However, opinions are divided on the extent of the negative impact that the “.zip” and “.mov” domains will have, considering that scams targeting URL confusion are already prevalent. Furthermore, anti-phishing protections implemented by proxies and other traffic management tools can help mitigate the risks if users accidentally click on malicious links, and these defenses will be extended to include the new TLDs.
In response to concerns, Google said that the risk of confusion between domain names and file names is not new, citing examples like 3M’s use of the domain name “command.com,” which is also an important program on MS-DOS and early versions of Windows. Google stated that applications have mitigations in place, such as Google Safe Browsing, and these protections will also apply to TLDs like “.zip.” The company further emphasized that it already has mechanisms to suspend or remove malicious domains across all its top-level domains and will monitor the usage of “.zip” and other TLDs to take appropriate action against emerging threats.
The introduction of more TLDs expands the pool of available URLs, providing users with more choices without the need to pay a premium to acquire a desired site name from existing owners or speculators who hoarded historic URLs. Some security experts argue that considering the already prevalent risk of phishing attacks, additions like “.zip” and “.mov” pose only a marginal additional danger.
However, there are researchers who strongly believe that a company like Google, with its substantial investments in anti-scam and anti-phishing measures, could have chosen not to offer these specific TLDs. Even if other TLDs that overlap with file extensions already exist, critics argue that introducing more of these overlaps is unnecessary.
An online security researcher points out that the issue is not new and criticizes Google for causing the same problem again. He suggests that Google has created a usability and security problem for downstream providers to address, seemingly for the sake of a low-effort money-making endeavor.