A Year in Review: Google .zip TLD DNS Security Challenges

One year after Google .zip TLD (Top Level Domains)’s launch, we take a retrospective look at the TLD impact on DNS security. The introduction of domain extensions mimicking common file extensions was met with both excitement and concern. While it opened new avenues for legitimate use, it also posed significant security challenges, particularly in the realms of phishing campaigns and malware distribution. This research was conducted by our DNS Threat Intelligence experts: Raphael Houver and Alexandre Gault.

Research Overview

EfficientIP has been closely monitoring the Google domains since its inception. Our research involved analyzing approximately 17,000 Google .zip TLDs over the past year. We tracked Google domain registrations, their active and inactive states, and the nature of user interactions with these domains, categorizing them as safe, suspicious, or malicious. A deeper analysis was conducted on domains containing installers in their HTML, a strong indicator of malicious activity.

Our methodology included:

• Monitoring domain registrations: we tracked the registrations of .zip TLD domains over the year to find trends in usage.
• Tracking domain activity: we monitored which domains were active, which had gone down, and which exhibited suspicious or malicious behavior.
• User interaction analysis: we analyzed actual user attempts to access .zip domains and categorized these domains based on their safety.
• HTML content analysis: we performed a deep dive into the content of these domains, especially those that contained installer files, to identify potential threats.
• In-Depth Analysis of Google .zip TLD Domains Names: we analyzed the domain names to identify common malicious patterns, such as the deceptive use of familiar brands.

DNS Security Challenges introduced by Google .zip TLD

The introduction of Google’s .zip Top Level Domains (TLDs) has significantly increased the security risks associated with DNS servers due to the domain extension’s resemblance to the common .zip file extension. This resemblance causes confusion for both users and automated systems, leading to several critical vulnerabilities.

Phishing Attacks, Domain Spoofing, and Social Engineering

The automatic interpretation of .zip strings as URLs in messaging applications and web browsers presents a substantial risk of users inadvertently accessing malicious files.. For example, text like “update.zip” can be turned into a clickable link. This is particularly problematic in chat applications, where it can trigger DNS or web queries to display a thumbnail of the linked page. In the example below we can see that what appears to be a legitimate link to a file on GitHub might actually direct users to a deceptive domain such as “v15.zip,” exploiting fake characters like confusable fraction slash instead of slash to create a misleading appearance. Such scenarios are prime opportunities for domain spoofing, phishing, and social engineering attacks, where users are tricked into clicking on malicious links, sharing personal information such as credit card data or login credentials, and opening the door for threat actors.

Unintended DNS Queries

Another significant issue is the inadvertent triggering of DNS queries by merely mentioning filenames ending in “.zip” during discussions. This can expose internal information to those controlling the domain’s DNS server. For instance, a filename like “software[.]exe[.]zip” can generate DNS queries to malicious domains, revealing sensitive information.

Similarly, searching for non-existent .zip files in Windows Explorer, such as in the “prospects[.]xlsx[.]zip” example below, can lead to unintended online searches, potentially accessing harmful domains.

Malware Distribution

The .zip TLD security impact also involves a serious threat of malware distribution. Cybercriminals can exploit the .zip extension to host websites that serve malware disguised as legitimate software. Users might trust a .zip domain for downloading software, thereby increasing the risk of malware infection. Additionally, homograph attacks, where visually similar domain names deceive users into thinking they are accessing a legitimate domain, further exacerbate this risk. Our 17,000 .zip domains analysis uncovered over 600 instances of Windows Trojans, highlighting the high levels of this threat.

Analysis of Domains Activity Over One Year: Research Results

Our study revealed several key insights and findings:

1. Domains Registration Trends

There was an initial surge in .zip domain registrations following the new TLD’s launch, as users rushed to register domains out of curiosity. The early registrations included users who registered a domain for legitimate purposes and attackers who registered domains to deceive users by exploiting the familiarity of the .zip file extension.

As awareness of the potential risks increased, both users and organizations became more vigilant in their approach to .zip domains.

2. Active vs. Inactive Domains

The proportion of active .zip domains has slightly decreased since July 2023, as seen in the chart below. Many domains that were initially registered became inactive or were taken down due to malicious activity or other reasons. However, a significant number of these domains remain active and continue to pose security risks, with many containing executable files that could be malicious.

3. Suspicious and Malicious Content

The proportion of suspicious websites increased from 11.9% to 14.6% over the year (percentage of suspicious domains from both active and inactive domains).

The analysis of malicious .zip domains in March 2024 reveals that a significant portion remains active, with 60% (1,323) of all malicious domains still operational and posing a threat to users. Notably, 41 of these malicious domains contain installer files, which is a strong indication of active malware distribution.

The analysis of suspicious .zip domains yielded similar results, with 59% (1,474) identified as active and 44 of these containing installer files, indicating a considerable threat

When considering both malicious and suspicious .zip domains, it is evident that cybercriminals are exploiting the .zip TLD for harmful activities. This trend highlights the growing cybersecurity impact of the .zip TLD and underscores the critical need for enhanced detection mechanisms, rapid response strategies, and user education to safeguard against these threats.

4. HTML content

Although most of the HTML content was text, many domains hosted applications, including PowerShell applications. This is concerning because PowerShell can be exploited by attackers to execute malicious commands and access system resources, increasing the risk of security breaches.

5. In-Depth Analysis of Google .zip TLD Domains Names

Not surprisingly, many analyzed Google .zip TLD domains mimicked common applications like Microsoft Word and Adobe Acrobat Reader. Attackers take advantage of the fact that users often search for files associated with known brands to trick them to access malicious content through .zip phishing.

Our research revealed many domains that resemble legitimate brand file names. We assume that real users were trying to access their files and unintentionally reached these domains. Examples include “2024[.]xlsx[.]zip”, “courrierdevotrecaisse[.]pdf[.]zip”, “moteurs[.]docx[.]zip”, and “msoffice365update[.]zip”. Those appear as regular document files but are actually compressed files designed to trick users into downloading malwares.

A deeper examination reveals that Microsoft-related domains dominate, accounting for 47.22% of the total malicious .zip domains. This is followed by Google at 8.33%, with other brands like Apple, Adobe, Zoom, and Firefox each having smaller yet significant shares. The prevalence of these brands underscores a strategic effort by cybercriminals to exploit user trust and the urgency to update software.

Further analysis of the malicious domain names reveals a strategic use of specific keywords to deceive users and distribute malware. “Update” appears in 56 domains, exploiting the urgency to keep software current. “Installer” is found in 38 domains, often disguised as legitimate software installers. Security-related keywords are in 8 domains, leveraging fears of vulnerabilities. Additionally, “setup” appears in 10 domains, commonly used in initial configurations. These insights underscore the dangerous nature of .zip domains, emphasizing the tactics used by cybercriminals in tricking users, and the critical need for vigilance and robust cybersecurity measures.

Lessons Learned and Future Outlook

The Google .zip TLD underscores cybersecurity challenges related to domain name confusion, a problem Google emphasizes is not new. They stress the need for continuous monitoring and proactive measures to address these risks. Looking ahead, Google advocates for adaptive security strategies and comprehensive user education to enhance online safety. Despite these efforts, the .zip TLD remains a tool that can be exploited by attackers, necessitating continuous vigilance and proactive DNS security measures.

EfficientIP’s Protective DNS Security Solution plays a crucial role in mitigating these risks. By leveraging advanced AI-driven threat detection and DNS-centric threat intelligence, EfficientIP offers robust protection, real-time threat detection, and automated response and recovery capabilities. 

EfficientIP’s advanced capabilities include patented DNS traffic inspection and behavioral analysis, which allow for precise identification of suspicious activities and potential sophisticated threats such as phishing, malware, spyware, data exfiltration through zero-day malicious domains, DNS tunneling, command and control, and more.

Micro-segmentation with fine-grained, centrally managed DNS traffic filtering policies and advanced Client Query Filtering (CQF) enabling dynamic domain filtering based on the user’s group and permissions, enhances zero-trust security by ensuring only authorized users can access specific resources.

Adaptive countermeasures and rescue mode provide swift, automated responses to mitigate the impact of attacks and maintain service continuity. Advanced AI-powered algorithms, such as Tuple Clustering, natural language processing (NLP), and image recognition , enable proactive identification of sophisticated DGA and phishing threats. Together, these features help reduce the risk of attackers misleading users and exploiting domain names like .zip, ensuring a higher level of network security.

This comprehensive approach is essential for maintaining network security in the face of evolving threats.

Conclusion

One year after the launch of the Google .zip TLD, it is clear that while it has potential for legitimate uses, it also introduces significant security risks. Continuous vigilance and protective actions by both domain registrants and users are essential to mitigate these risks. Enhanced cooperation among registry operators, cybersecurity experts, and users is crucial for developing robust measures against DNS-based threats.

Stay informed about developments in TLD cybersecurity and DNS security. EfficientIP’s DNS Security solution offers a robust defense against emerging threats. For a practical demonstration of DNS Security, click here.