May 27, 2024 | Written by: Yaëlle Harel | DNS Security
Tags: DNS Attack, DNS Data Exfiltration, DNS Filtering, DNS Protection, DNS Security, DNS Solution, DNS Threat Intelligence, Phishing, Threat Intelligence
One year after the launch of Google’s .zip TLD (Top Level Domain), we take a retrospective look at the TLD’s impact on DNS security. The introduction of domain extensions mimicking common file extensions was met with both excitement and concern. While it opened new avenues for legitimate use, it also posed significant security challenges, particularly in the realms of phishing campaigns and malware distribution. This research was conducted by our DNS Threat Intelligence experts: Raphael Houver and Alexandre Gault.
EfficientIP has been closely monitoring the Google domains since its inception. Our research involved analyzing approximately 17,000 Google .zip TLDs over the past year. We tracked Google domain registrations, their active and inactive states, and the nature of user interactions with these domains, categorizing them as safe, suspicious, or malicious. A deeper analysis was conducted on domains containing installers in their HTML, a strong indicator of malicious activity.
Our methodology included:
The introduction of Google’s .zip Top Level Domains (TLDs) has significantly increased the security risks associated with DNS servers due to the domain extension’s resemblance to the common .zip file extension. This resemblance causes confusion for both users and automated systems, leading to several critical vulnerabilities.
The automatic interpretation of .zip strings as URLs in messaging applications and web browsers presents a substantial risk of users inadvertently accessing malicious files. For example, text like “update.zip” can be turned into a clickable link. This is particularly problematic in chat applications, where it can trigger DNS or web queries to display a thumbnail of the linked page. In the example below we can see that what appears to be a legitimate link to a file on GitHub might actually direct users to a deceptive domain such as “v15.zip,” exploiting confusable characters such as the Unicode fraction slash in place of a regular slash to create a misleading appearance. Such scenarios are prime opportunities for domain spoofing, phishing, and social engineering attacks, where users are tricked into clicking on malicious links, sharing personal information such as credit card data or login credentials, and opening the door for threat actors.
Another significant issue is the inadvertent triggering of DNS queries by merely mentioning filenames ending in “.zip” during discussions. This can expose internal information to those controlling the domain’s DNS server. For instance, a filename like “software[.]exe[.]zip” can generate DNS queries to malicious domains, revealing sensitive information.
Similarly, searching for non-existent .zip files in Windows Explorer, such as in the “prospects[.]xlsx[.]zip” example below, can lead to unintended online searches, potentially accessing harmful domains.
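The three behaviours described above (auto-linking of “.zip” text, confusable slashes hiding the real host, and bare filenames such as “prospects.xlsx.zip” that turn into DNS queries) can be checked mechanically before a link is ever rendered. The script below is an added example for this article, not code from EfficientIP or from the original post: it pulls every .zip-looking token out of a message, asks Python’s standard URL parser which host a resolver would actually be sent, and tags the token with the reasons it looks risky. The sample message, the list of confusable slash characters, and the filename-extension pattern are constructed for the example; the only real dependency is `urllib.parse`.

```python
import re
from urllib.parse import urlparse

# Unicode characters that render like "/" but are not the ASCII solidus.
# Constructed list for this example; the article names the fraction slash.
CONFUSABLE_SLASHES = {
    "\u2044": "FRACTION SLASH",
    "\u2215": "DIVISION SLASH",
    "\u29f8": "BIG SOLIDUS",
    "\uff0f": "FULLWIDTH SOLIDUS",
}

# Anything a chat client or browser is likely to auto-link: a run of
# non-space characters that ends in ".zip", with an optional path after it.
ZIP_TOKEN = re.compile(r"(?:https?://)?[^\s<>\"']+\.zip(?:[/?#][^\s<>\"']*)?", re.IGNORECASE)

# Hostnames that look like a document or installer filename (report.xlsx.zip).
FILENAME_HOST = re.compile(r"\.(?:xlsx?|docx?|pdf|pptx?|csv|exe|msi)\.zip$", re.IGNORECASE)


def analyse_token(token: str) -> dict:
    """Report which host a resolver would be asked for if this token were auto-linked."""
    url = token if token.lower().startswith(("http://", "https://")) else "https://" + token
    findings = []
    try:
        parsed = urlparse(url)
        netloc = parsed.netloc
        host = (parsed.hostname or "").rstrip(".")
    except ValueError:
        # Python rejects netlocs whose NFKC form would introduce '/', '@', etc.;
        # a token the standard parser will not even accept is worth flagging.
        netloc, host = "", ""
        findings.append("parser-rejected-netloc")
    confusables = sorted({CONFUSABLE_SLASHES[c] for c in token if c in CONFUSABLE_SLASHES})
    if host.endswith(".zip"):
        findings.append("resolves-to-zip-tld")
    if confusables:
        findings.append("confusable-slash")
    if "@" in netloc:
        # Everything before '@' is userinfo, not the host the resolver sees.
        findings.append("userinfo-hides-host")
    if FILENAME_HOST.search(host):
        findings.append("filename-like-host")
    return {"token": token, "effective_host": host, "confusables": confusables, "findings": findings}


def scan_message(text: str) -> list:
    """Analyse every .zip-looking token in a chat message or document."""
    return [analyse_token(m.group(0)) for m in ZIP_TOKEN.finditer(text)]


# Constructed sample message: a genuine GitHub archive link, a look-alike that
# uses U+2044 FRACTION SLASH so the real host is "v15.zip", and a bare filename.
SAMPLE_MESSAGE = (
    "Grab the build from https://github.com/example/project/archive/v15.zip "
    "or the mirror at https://github.com\u2044example\u2044project\u2044archive@v15.zip "
    "and send me prospects.xlsx.zip when you are done."
)

if __name__ == "__main__":
    for result in scan_message(SAMPLE_MESSAGE):
        print(result["effective_host"], result["findings"])
```

The genuine link comes back with host `github.com` and no findings; the look-alike resolves to `v15.zip` and is tagged for the confusable slash and for the userinfo that hides the host; the bare filename resolves to `prospects.xlsx.zip` and is tagged as filename-like. The same check can be applied to query names seen in DNS logs, where only the host part exists.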
The .zip TLD security impact also involves a serious threat of malware distribution. Cybercriminals can exploit the .zip extension to host websites that serve malware disguised as legitimate software. Users might trust a .zip domain for downloading software, thereby increasing the risk of malware infection. Additionally, homograph attacks, where visually similar domain names deceive users into thinking they are accessing a legitimate domain, further exacerbate this risk. Our analysis of 17,000 .zip domains uncovered over 600 instances of Windows Trojans, highlighting the scale of this threat.
Our study revealed several key insights and findings:
There was an initial surge in .zip domain registrations following the new TLD’s launch, as users rushed to register domains out of curiosity. The early registrations included users who registered a domain for legitimate purposes and attackers who registered domains to deceive users by exploiting the familiarity of the .zip file extension.
As awareness of the potential risks increased, both users and organizations became more vigilant in their approach to .zip domains.
The proportion of active .zip domains has slightly decreased since July 2023, as seen in the chart below. Many domains that were initially registered became inactive or were taken down due to malicious activity or other reasons. However, a significant number of these domains remain active and continue to pose security risks, with many containing executable files that could be malicious.
The proportion of suspicious websites increased from 11.9% to 14.6% over the year (measured as the percentage of suspicious domains across both active and inactive domains).
The analysis of malicious .zip domains in March 2024 reveals that a significant portion remains active, with 60% (1,323) of all malicious domains still operational and posing a threat to users. Notably, 41 of these malicious domains contain installer files, which is a strong indication of active malware distribution.
The analysis of suspicious .zip domains yielded similar results, with 59% (1,474) identified as active and 44 of these containing installer files, indicating a considerable threat.
When considering both malicious and suspicious .zip domains, it is evident that cybercriminals are exploiting the .zip TLD for harmful activities. This trend highlights the growing cybersecurity impact of the .zip TLD and underscores the critical need for enhanced detection mechanisms, rapid response strategies, and user education to safeguard against these threats.
Although most of the HTML content was text, many domains hosted applications, including PowerShell applications. This is concerning because PowerShell can be exploited by attackers to execute malicious commands and access system resources, increasing the risk of security breaches.
Not surprisingly, many analyzed Google .zip TLD domains mimicked common applications like Microsoft Word and Adobe Acrobat Reader. Attackers take advantage of the fact that users often search for files associated with known brands to trick them into accessing malicious content through .zip phishing.
Our research revealed many domains that resemble legitimate brand file names. We assume that real users were trying to access their files and unintentionally reached these domains. Examples include “2024[.]xlsx[.]zip”, “courrierdevotrecaisse[.]pdf[.]zip”, “moteurs[.]docx[.]zip”, and “msoffice365update[.]zip”. These names look like ordinary document files but are actually compressed files designed to trick users into downloading malware.
A deeper examination reveals that Microsoft-related domains dominate, accounting for 47.22% of the total malicious .zip domains. This is followed by Google at 8.33%, with other brands like Apple, Adobe, Zoom, and Firefox each having smaller yet significant shares. The prevalence of these brands underscores a strategic effort by cybercriminals to exploit user trust and the urgency to update software.
Further analysis of the malicious domain names reveals a strategic use of specific keywords to deceive users and distribute malware. “Update” appears in 56 domains, exploiting the urgency to keep software current. “Installer” is found in 38 domains, often disguised as legitimate software installers. Security-related keywords are in 8 domains, leveraging fears of vulnerabilities. Additionally, “setup” appears in 10 domains, commonly used in initial configurations. These insights underscore the dangerous nature of .zip domains, emphasizing the tactics used by cybercriminals in tricking users, and the critical need for vigilance and robust cybersecurity measures.
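The brand and keyword breakdown in the two paragraphs above is the kind of tally a defender can reproduce against their own resolver logs. The script below is an added example written for this article, not code from EfficientIP or from the original post. It extracts every query to a .zip TLD name from BIND-style query-log lines, tags each name with the brands and lure keywords it contains (the vocabularies are constructed from the brands and keywords the article reports), flags names that end in a document or binary extension, and reports counts and the brand share over the whole set, as the article does. The log excerpt is constructed; it reuses the article’s example names plus a few invented look-alikes.

```python
import re
from collections import Counter

# Brand and lure vocabularies, constructed for this example from the brands and
# keywords the article reports; extend them to match your own environment.
BRANDS = {
    "microsoft": ("microsoft", "msoffice", "office365", "windows", "outlook", "teams"),
    "google": ("google", "chrome", "gmail"),
    "apple": ("apple", "icloud", "itunes"),
    "adobe": ("adobe", "acrobat", "reader"),
    "zoom": ("zoom",),
    "firefox": ("firefox", "mozilla"),
}
LURES = {
    "update": ("update", "upgrade", "patch"),
    "installer": ("installer", "install"),
    "setup": ("setup",),
    "security": ("security", "secure", "antivirus", "defender"),
}
# A .zip name whose last label before the TLD is a document or binary extension.
FILENAME_LURE = re.compile(r"\.(?:xlsx?|docx?|pdf|pptx?|csv|exe|msi)\.zip$", re.IGNORECASE)
# "query: <qname> IN <qtype>" as written by BIND-style query logging.
QUERY_RE = re.compile(r"query: (\S+) IN (\S+)")


def zip_names_from_log(lines):
    """Yield (qname, qtype) for every query to a .zip TLD name in query-log lines."""
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group(1).rstrip(".").lower()
        if qname.endswith(".zip"):
            yield qname, m.group(2)


def classify(domain):
    """Tag a .zip domain with the brands and lure keywords it contains."""
    name = domain.lower().rstrip(".")
    body = name[: -len(".zip")]  # drop the TLD so the literal "zip" is never matched
    return {
        "domain": name,
        "brands": {b for b, kws in BRANDS.items() if any(k in body for k in kws)},
        "lures": {l for l, kws in LURES.items() if any(k in body for k in kws)},
        "filename_lure": bool(FILENAME_LURE.search(name)),
    }


def summarize(domains):
    """Count brand and lure hits; brand share is a percentage of all domains given."""
    brand_counts, lure_counts, filename_lures = Counter(), Counter(), 0
    for d in domains:
        c = classify(d)
        brand_counts.update(c["brands"])
        lure_counts.update(c["lures"])
        filename_lures += c["filename_lure"]
    total = len(domains)
    return {
        "total": total,
        "brand_counts": dict(brand_counts),
        "brand_share_pct": {b: round(100 * n / total, 2) for b, n in brand_counts.items()} if total else {},
        "lure_counts": dict(lure_counts),
        "filename_lures": filename_lures,
    }


# Constructed BIND-style query-log excerpt; names reuse the article's examples
# plus a few invented look-alikes, and www.example.com shows a non-.zip query.
SAMPLE_LOG = """\
client @0x7f1c2c0a1b20 10.1.4.23#52144 (msoffice365update.zip): query: msoffice365update.zip IN A +E(0)K (10.1.0.53)
client @0x7f1c2c0a1b20 10.1.4.23#52145 (2024.xlsx.zip): query: 2024.xlsx.zip IN A +E(0)K (10.1.0.53)
client @0x7f1c2c0a1b20 10.1.4.88#40011 (chrome-installer.zip): query: chrome-installer.zip IN A +E(0)K (10.1.0.53)
client @0x7f1c2c0a1b20 10.1.4.88#40012 (www.example.com): query: www.example.com IN A +E(0)K (10.1.0.53)
client @0x7f1c2c0a1b20 10.1.4.90#40500 (adobe-reader-setup.zip): query: adobe-reader-setup.zip IN A +E(0)K (10.1.0.53)
client @0x7f1c2c0a1b20 10.1.4.90#40501 (windows-security-update.zip): query: windows-security-update.zip IN A +E(0)K (10.1.0.53)
client @0x7f1c2c0a1b20 10.1.4.91#40600 (moteurs.docx.zip): query: moteurs.docx.zip IN AAAA +E(0)K (10.1.0.53)
"""

if __name__ == "__main__":
    names = [q for q, _ in zip_names_from_log(SAMPLE_LOG.splitlines())]
    print(summarize(names))
```

On the constructed excerpt the six .zip queries yield two Microsoft-themed names, one Google and one Adobe, lure hits of “update” (2), “installer”, “setup” and “security” (1 each), and two document-style filenames. Substring matching is deliberately loose so that a keyword inside a longer label still counts; tighten the vocabularies if the false-positive rate on your own traffic is too high.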
The Google .zip TLD underscores cybersecurity challenges related to domain name confusion, a problem Google emphasizes is not new. They stress the need for continuous monitoring and proactive measures to address these risks. Looking ahead, Google advocates for adaptive security strategies and comprehensive user education to enhance online safety. Despite these efforts, the .zip TLD remains a tool that can be exploited by attackers, necessitating continuous vigilance and proactive DNS security measures.
EfficientIP’s Protective DNS Security Solution plays a crucial role in mitigating these risks. By leveraging advanced AI-driven threat detection and DNS-centric threat intelligence, EfficientIP offers robust protection, real-time threat detection, and automated response and recovery capabilities.
EfficientIP’s advanced capabilities include patented DNS traffic inspection and behavioral analysis, which allow for precise identification of suspicious activities and potential sophisticated threats such as phishing, malware, spyware, data exfiltration through zero-day malicious domains, DNS tunneling, command and control, and more.
Micro-segmentation, with fine-grained, centrally managed DNS traffic filtering policies and advanced Client Query Filtering (CQF) that enables dynamic domain filtering based on the user’s group and permissions, enhances zero-trust security by ensuring only authorized users can access specific resources.
Adaptive countermeasures and rescue mode provide swift, automated responses to mitigate the impact of attacks and maintain service continuity. Advanced AI-powered algorithms, such as Tuple Clustering, natural language processing (NLP), and image recognition, enable proactive identification of sophisticated DGA and phishing threats. Together, these features help reduce the risk of attackers misleading users and exploiting domain names like .zip, ensuring a higher level of network security.
This comprehensive approach is essential for maintaining network security in the face of evolving threats.
One year after the launch of the Google .zip TLD, it is clear that while it has potential for legitimate uses, it also introduces significant security risks. Continuous vigilance and protective actions by both domain registrants and users are essential to mitigate these risks. Enhanced cooperation among registry operators, cybersecurity experts, and users is crucial for developing robust measures against DNS-based threats.
Stay informed about developments in TLD cybersecurity and DNS security. EfficientIP’s DNS Security solution offers a robust defense against emerging threats. For a practical demonstration of DNS Security, click here.