On May 3rd, Google Registry launched 8 new top-level domains (TLDs) “for dads, grads and techies”, including a .zip TLD. While these new TLDs carry benefits such as automatic inclusion on the HSTS preload list, the launch of new TLDs has always presented cyber criminals with the opportunity to register domains in bad faith.
Parts of the security community, such as the SANS ISC, have already identified the potential for fraud via the possible conflation of a universally known file extension (.zip) with a TLD. TLDs overlapping with file extensions is not a new problem: .com is also an executable format, .pl represents both Poland and Perl scripts, and .sh represents Saint Helena and Unix shell scripts.
Earlier this week, we investigated existing registrations using the .zip TLD and confirmed that there is already evidence of fraudulent activity.
.zip domains as phishing lures
At the time of writing, there are fewer than 5,000 registered domains using .zip. 2,253 of these have an A record, pointing to 838 distinct IP addresses. We have discovered phishing attacks on 5 of these domains so far, none of which are still live at the time of writing.
report2023[.]zip was most likely a threat actor’s ‘proof of concept’. The site, which mimics a Microsoft login screen, states ‘THIS IS FOR TESTING’.
microsoft-office[.]zip initially said ‘This is not a microsoft page’ when we first saw it on May 13th (around 8.50 am GMT). This text had been removed when we re-scanned the page an hour later.
All these attacks used different hosting providers and were registered with different registrars, suggesting there were different threat actors behind them. We notified Google Registry as part of our takedown process for some of these domains; these domains now no longer resolve.
Other suspicious .zip activity
There are many domains registered which are likely to be bad faith registrations, though these are not currently displaying malicious content. These include:
- domains containing known brand names, such as several dozen domains that contain the word ‘Microsoft’, including microsoft[.]zip, microsoft-windows-update[.]zip, microsoftteams[.]zip, microsoftedgesetup[.]zip, microsoftinstaller[.]zip.
- 200 domains that mention ‘installer’ or ‘update’, including chromeupdatex64[.]zip, browser-update[.]zip, firefoxinstaller[.]zip, driver-update[.]zip, updatediscord[.]zip, urgent-update[.]zip, zoom-installer[.]zip, winrar-installer[.]zip.
- various domains that mention banks by name, such as bankofamericasecurities[.]zip.
- several that could plausibly be used in emails where a victim expects to download a file, but is linked to the domain instead (pay-statements[.]zip, paystub[.]zip, photos[.]zip, attachment[.]zip).
- eicar[.]zip has been registered but currently has no A records. The EICAR test file is a benign file typically used to test anti-virus software.
- fewer than 50 domains on .zip contained or redirected to a .zip file. Of these, at least 2 were zip bombs, which are often deployed to disable antivirus software.
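The file-extension/TLD conflation described earlier and the suspicious registration patterns listed above lend themselves to a simple triage heuristic. The following is an added example, not Netcraft tooling: it refangs defanged indicators, flags names whose TLD doubles as a file extension (the TLDs named in this post), and applies keyword lists constructed from the examples above; the brand, software and attachment term lists are assumptions for illustration.

```python
import re

# TLDs the post names that are also widely used file extensions.
FILE_EXTENSION_TLDS = {"zip", "mov", "com", "pl", "sh"}
# Only the new TLDs are treated as triage-worthy on their own; .com/.pl/.sh
# collisions are decades old and would swamp a feed with noise.
NEW_FILE_EXTENSION_TLDS = {"zip", "mov"}

# Constructed keyword lists mirroring the registration patterns in the post.
BRAND_TERMS = ("microsoft", "chrome", "firefox", "zoom", "winrar", "discord", "bankofamerica")
SOFTWARE_TERMS = ("installer", "update", "setup")
ATTACHMENT_TERMS = ("statement", "paystub", "photos", "attachment", "invoice", "report")

def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'microsoft[.]zip' back into 'microsoft.zip'."""
    return domain.replace("[.]", ".").replace("(.)", ".").strip().lower()

def tld_is_file_extension(domain: str) -> bool:
    """True when the domain's TLD collides with a common file extension."""
    return refang(domain).rpartition(".")[2] in FILE_EXTENSION_TLDS

def risk_indicators(domain: str) -> list[str]:
    """Return heuristic reasons a .zip/.mov domain deserves a closer look.

    An empty list means the domain is not on a new file-extension TLD or matched
    none of the patterns; this is a triage aid, not a verdict.
    """
    label, _, tld = refang(domain).rpartition(".")
    if tld not in NEW_FILE_EXTENSION_TLDS:
        return []
    reasons = [f"tld .{tld} doubles as a file extension"]
    if any(b in label for b in BRAND_TERMS):
        reasons.append("contains a well-known brand name")
    if any(s in label for s in SOFTWARE_TERMS):
        reasons.append("mentions installer/update/setup")
    if any(a in label for a in ATTACHMENT_TERMS):
        reasons.append("looks like an email attachment name")
    return reasons

def ambiguous_tokens(text: str) -> list[str]:
    """Find tokens in free text that read as a filename but resolve as a hostname.

    Mail clients that auto-link 'report2023.zip' turn a filename mention into a
    clickable domain; surfacing these tokens lets a filter or analyst review them.
    """
    return re.findall(r"\b[\w-]+\.(?:zip|mov)\b", text, re.IGNORECASE)

if __name__ == "__main__":
    # Constructed sample indicators, drawn from the domain names quoted in the post.
    for d in ["microsoft-office[.]zip", "chromeupdatex64[.]zip", "paystub[.]zip", "example.com"]:
        print(d, "->", risk_indicators(d))
    print(ambiguous_tokens("Please review report2023.zip before the call"))
```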
Altruistic .zip registrations
We’ve also detected a number of domains that have been registered to raise awareness about how the .zip TLD could be used for fraud. One such example is bank-statement[.]zip, which displays the following.
Other examples, such as financialstatement[.]zip, are more forthright when expressing their concerns:
There are also a handful of other domains not currently displaying definitive ‘awareness’ content, but are most likely motivated by the same concerns. These include domains such as notransomware[.]zip, notphishing[.]zip, and absolutely-not-a-virus[.]zip.
Other things spotted using the .zip TLD
While we expect that .zip may rank highly on our list of the top 50 TLDs with the highest ratio of cybercrime incidents to active sites, it is not just fraud that we found using the TLD during our investigations. We also spotted:
- 71 domains redirected to YouTube videos, of which 48 are a Rickroll.
- a domain that redirects to a zip file containing the TSA “No Fly” list leaked earlier this year.
- a link shortener.
- various sites being used to offer services associated with file compression, such as a site for zipping files and another for producing compressed YouTube thumbnails.
Finally, there are around 600 domains registered using .mov, which is another new TLD that is also a well-recognized file extension. We have run an analysis on these, and at the time of writing have not identified any fraud.
How can Netcraft help?
Our position at the epicentre of the fight against cybercrime allows us to rapidly identify, monitor and respond to new threats, like those identified in this post. We continue to monitor for malicious content on .zip and other new TLDs. The Netcraft browser extension and mobile apps block the .zip threats described in this post, and will block new threats as we discover them.
Netcraft is the world leader in cybercrime detection, disruption, and takedown, and has been protecting companies online since 1996. We help organizations worldwide (including 12 of the top 50 global banks) and perform takedowns for around one third of the world’s phishing attacks, taking down 90+ attack types at a rate of 1 attack every 15 seconds. Our malicious site feeds protect billions of people around the world from phishing, malware, and other cybercrime activities.
We offer solutions for domain registries and domain registrars, including real-time alerts or takedowns for fraudulent content found on your TLD/infrastructure and a tool for analysing the likelihood that a new domain name is deceptive and will be used for fraud.