EDITOR’S NOTE: This story contains characters that screen readers might not properly read in the context of this story.
Google is now offering registration of a brand-new Top-Level Domain (TLD), .zip. This means you can now register domains such as “site.zip” or something similar. However, many have pointed out that “.zip” is a very common file extension that could be used to create malicious files, and now malicious links as well. The Featured Image above shows two “.zip” domains that look very similar to each other, but many might not recognize which one is the legitimate URL. They’ll more than likely go to a URL that redirects them somewhere else and downloads a virus. In addition, someone might share a link titled “attachment.zip,” and the recipient may open it without realizing it is a URL rather than an actual attachment. Another possibility is a scammer uploading a phishing site that encourages a user to download a free program, but first asks you to type in your password for a particular website. Examples of this can already be seen on Facebook, where a friend might tag you in a post with a link to a “viral video.” Once you click on the link, a fake prompt appears asking for your password to watch the video. If you provide your credentials, your password has been stolen, and your account re-posts the same link, tagging your friends in order to steal their passwords too. But that is not the biggest concern at the moment. Rather, it’s another practice that was pointed out: how you can make legitimate-looking URLs to a supposed .zip file and make them appear to come from any domain at all. This article will explain what’s happening, why this is bad, how to defend yourself, and possible DNS Service options.
Username Syntax.
Referring to the Featured Image again would be appropriate. Looking back at the photo, it is obvious that one of those websites does not belong to Microsoft. This comes from a feature most browsers support where you can put a username and password in the URL itself. Generally speaking, the text would read “username:password@example.com”. The end is the actual domain that the browser will visit. Anything up to and including the “@” is part of this Username Syntax, meaning the browser would still take you to the domain after it. However, this can be used maliciously with the .zip domain extension. You could create a link where HTTPS is the username before the colon. After the “//” anything can be entered. All you need to do is add an “@” before the final .zip domain. If someone doesn’t know that the @ sign means the browser is going to discard anything before it, then they’re not going to realize that the final example.zip is the actual domain they’re visiting. In addition, the two slash characters are not actually standard characters. They’re Unicode characters that look similar to slashes. If you actually enter real slashes, the browser would consider everything after them part of a path, which would not work with the Username Syntax. If you put in some of these Unicode slashes instead, the browser classifies them as part of the username or password. The possibilities are endless for deceiving people into thinking a .zip file is being hosted on literally any website at any path.
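To make the parsing rule concrete, here is an added example (not code from the original post) that inspects a link the way a browser's URL parser does: only the ASCII slash, “?” or “#” ends the authority section, and the host is whatever follows the last “@” in it. The two sample links and the `example.com` name are constructed for illustration; the slash-lookalike list is an assumption for this example and is not from the article.

```python
"""Inspect a link the way a browser's URL parser does and flag the
userinfo ("username:password@") trick used with .zip domains.

Added example; the sample URLs below are constructed, not real links."""
import unicodedata
from dataclasses import dataclass, field
from typing import List

# Characters that render like "/" but are NOT the ASCII solidus, so they
# do not end the authority section of a URL (assumed list for this example).
SLASH_LOOKALIKES = {
    "\u2215": "DIVISION SLASH",
    "\u2044": "FRACTION SLASH",
    "\u2571": "BOX DRAWINGS LIGHT DIAGONAL UPPER RIGHT TO LOWER LEFT",
    "\uff0f": "FULLWIDTH SOLIDUS",
}

# The article's recommendation is to treat every .zip destination as suspect.
BLOCKED_TLDS = {"zip"}


@dataclass
class LinkReport:
    url: str
    scheme: str
    userinfo: str   # everything before the last "@" in the authority
    host: str       # where the browser actually connects
    path: str
    warnings: List[str] = field(default_factory=list)


def parse_authority(url: str) -> LinkReport:
    """Simplified RFC 3986 / WHATWG split: scheme '://' authority [path].

    Only an ASCII '/', '?' or '#' terminates the authority. Inside it, the
    host is what follows the LAST '@'; everything before that '@' is
    userinfo that the browser never sends as part of the destination."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("not an absolute URL with an authority")
    end = len(rest)
    for i, ch in enumerate(rest):
        if ch in "/?#":
            end = i
            break
    authority, path = rest[:end], rest[end:]
    userinfo, at, host = authority.rpartition("@")
    if not at:
        userinfo, host = "", authority
    if ":" in host:                      # drop an explicit port
        host = host.rsplit(":", 1)[0]
    return LinkReport(url, scheme.lower(), userinfo, host.lower(), path)


def inspect_link(url: str) -> LinkReport:
    """Return the real destination plus the red flags a reader should check."""
    report = parse_authority(url)
    w = report.warnings
    if report.userinfo:
        w.append(f"'@' in authority: browser discards {report.userinfo!r} "
                 f"and connects to {report.host!r}")
    for ch in set(report.userinfo + report.host):
        if ch in SLASH_LOOKALIKES:
            w.append(f"slash lookalike U+{ord(ch):04X} "
                     f"({SLASH_LOOKALIKES[ch]}) in authority")
        elif ord(ch) > 127:
            w.append(f"non-ASCII character U+{ord(ch):04X} "
                     f"({unicodedata.name(ch, '?')}) in authority")
    tld = report.host.rsplit(".", 1)[-1]
    if tld in BLOCKED_TLDS:
        w.append(f"destination host ends in .{tld}, a TLD that is also a file extension")
    return report


# Constructed samples. "\u2215" is the DIVISION SLASH, which looks like "/".
LURE = "https://example.com\u2215patches\u2215@patch_01_01_2023.zip"
HONEST = "https://example.com/patches/patch_01_01_2023.zip"

if __name__ == "__main__":
    for link in (LURE, HONEST):
        r = inspect_link(link)
        print(link)
        print("  connects to:", r.host)
        for warning in r.warnings:
            print("  WARNING:", warning)
```

Run as a script, the lure resolves to the .zip host with three warnings, while the honest link with real slashes is parsed as `example.com` plus a path and gets none, which is exactly why the trick depends on slash lookalikes.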
Is It Really That Bad?
There have been several arguments made that this probably won’t make that much of an impact, because there are plenty of other ways that bad actors can create malicious or impersonating domains. For example, several companies such as Google have alternative domains that they use for other purposes, like withgoogle.com. Another example is Facebook, with facebookmail.com or metamail.com. These domains are still legitimate. However, it is sometimes difficult to tell which domains are legitimate and which are false. From my understanding, this argument states that it’s already easy enough to register a domain that looks reasonable enough that it wouldn’t raise suspicion among most people.
My Response – It’s Still Bad. Frankly, Worse.
There is a group of people who are not technologically experienced enough to judge whether a domain is suspicious or legitimate. Furthermore, they won’t check if that domain is affiliated with Facebook, Google, or the site in question. As a result, they’ll trust the site on the basis that it looks right. However, there is a set of people, including myself, who might see withgoogle.com or facebookmail.com and pause. At times, I’ve received e-mails from these domains and have become suspicious, wondering whether or not they are legitimate. I’ve checked using my clipboard to copy and paste content to make sure there are no lookalikes. My point is that this .zip domain, along with the Username Syntax, allows someone to create a link that looks legitimate. It is not a lookalike domain. It’s not a slightly modified domain made to look like it might be associated with the website. It simply allows you to make a URL that looks like it’s the exact primary domain of any company.
There are people you could trick without those methods, but there is another group of people who would believe the legitimacy of such a link whom you otherwise wouldn’t be able to trick. This is especially risky because it might make someone trust a link that they otherwise wouldn’t believe, depending on its source. This can be seen through Discord posts, links someone shares on Facebook, possible e-mail scams, forum posts, and many more. An example of this now is a scammer who could claim that there is a new NVIDIA driver update that you have to download separately. It is supposedly a patch that can make your FPS render faster. It could be titled “https://nvidia.com/patches/@patch_MM_DD_YYYY.zip”. The victim may see this link and believe that it is valid because it appears to be NVIDIA’s website, and because the date in the file name matches the supposed date. Rather than getting the “patch” that was announced, they’ll get a virus. Or, in the case of a company where a lot of computers are locked down and you aren’t able to execute any executables that aren’t whitelisted, it might instead be a phishing page titled “download link.” When someone attempts to click on it, they’ll be prompted to sign in in order to proceed with the download. Following the prompt, they’ll type in their company credentials. As you can see, there are several ways to obtain credentials.
Another argument that I’ve seen is that this isn’t necessarily a big deal because “It’s not going to change much because it’s already really easy to make really convincing lookalike domains using lookalike characters.” An example of this would be the domain “example.com.” Someone could register a lookalike domain for this site as “exampIe.com,” simply by replacing the lowercase L with a capital I, and anyone looking at it, even really closely, wouldn’t be able to tell that it’s a capital I. While that is true, I would argue that there is only a limited combination of lookalike characters someone could use. What I’ve done to differentiate lookalike domains personally is to use a screen reader such as VoiceOver on iOS or TalkBack on Android devices. Regarding the domain example.com, I can’t really think of too many more besides that capital replacement. But if a malicious actor decides to use that domain in a malware campaign, they’re only going to be able to use it once before it is detected and blocked by antivirus software and browsers.
For certain websites, it is possible to make a domain that looks as legitimate as a fake .zip domain link, but these are limited. Whereas with this .zip domain and the technique using @, you could create unlimited lookalike links for any website you want. For example, someone could register a fake link to “TPS-Report.zip.” That domain will get blocked, but then a similar domain could be registered with the same TPS theme, looking like “https://example.com/@TPS-Reportv2.zip.” While this is an example, the domain can be registered to impersonate whatever someone would like, such as Facebook, Google, Microsoft, LinkedIn, etc. Given that these are large corporations, I am sure that at some point all the reasonable-looking Google, Facebook, and Microsoft lookalike domains have already been restricted or purchased by these companies. If someone were to make a lookalike domain, they would have had to make it more complicated as the previous lookalike domains are purchased or simply banned. As a result, a smaller fraction of people would fall for it. But now there’s no need for convolution, because people are able to make a link that looks like the actual primary domain.
How to Defend Yourself.
Something that you can do when you inspect a URL to determine if it’s safe is to look for the @ character anywhere in it. It is also worth noting that the font size and color can be manipulated to the point where it is invisible. You can also hover over the link so you can see the full URL, or copy and paste it into a text editor such as Notepad. Something that I’d recommend is just completely blocking all .zip domains. If your PC runs Windows 10 or 11 Pro, this is easy. You can navigate to the Group Policy Editor and add a policy that redirects the .zip Namespace to 127.0.0.1 or whatever you’d like. Screenshots will be posted to my Facebook and Instagram accounts. Please keep in mind that you need administrator permissions for this method. But if you are running Windows Home Edition, you do not have access to the Group Policy Editor. Please note that downloading the Group Policy Editor on Home Edition does NOT work: changes you make will not take effect.
Blocking With a DNS Service.
Alternatively, you can use a third-party DNS Service to block these sites. Examples of decent DNS Services are Cloudflare, Next DNS, OpenDNS, and AdGuard. Generally, how this works is you configure the DNS servers on your computer, router, or whatever you’d like. Each DNS address is unique per account. You can then go in and modify settings for what content you want to block. I personally recommend Next DNS because they have a variety of built-in filters for blocking known malicious domains, newly registered domains, and entire TLDs. A company known as Spamhaus keeps a list of the top-level domains most frequently used by malicious websites. If you would like to access a website that you know is legitimate, you can whitelist it as needed. There is also a setup guide. Next DNS is priced at $1.99 per month. Plans also vary based on your needs. In addition, there is also a free plan; however, it has limitations. For information on Next DNS’ pricing, click here. If you’d like to see more articles pertaining to cybersecurity, keep reading and visiting my website. You can also read the inspiration source where I conducted my research.
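The TLD block with a whitelist described in the two sections above comes down to a simple resolver-side rule, shown here as an added example (not Next DNS’s or any vendor’s code): every name under a blocked TLD is answered with a sinkhole address unless the name, or a parent of it, is on the allowlist. The domain names and the 127.0.0.1 sinkhole are illustrative, as in the article.

```python
"""Resolver-side policy like the one the article recommends: sink every
name under a blocked TLD unless it (or a parent domain) is explicitly
allowed. Added example; the sample names are constructed."""
from typing import Iterable, List, Optional

SINKHOLE = "127.0.0.1"  # the address the article suggests pointing .zip at


def _labels(name: str) -> List[str]:
    """Normalise a DNS name: lower-case, strip the trailing root dot."""
    return name.lower().rstrip(".").split(".")


def _under(name: str, suffix: str) -> bool:
    """True when `name` equals `suffix` or is a subdomain of it.

    Compares whole labels from the right, so 'zip.example.com' is NOT
    under the 'zip' TLD even though the string contains 'zip'."""
    n, s = _labels(name), _labels(suffix)
    return len(n) >= len(s) and n[-len(s):] == s


def resolve_policy(qname: str, blocked_tlds: Iterable[str],
                   allowlist: Iterable[str]) -> Optional[str]:
    """Return the sinkhole address if the query should be blocked, or None
    to let it resolve normally. Allowlist entries win over the TLD block so a
    known-good .zip site stays reachable, including its subdomains."""
    for allowed in allowlist:
        if _under(qname, allowed):
            return None
    for tld in blocked_tlds:
        if _under(qname, tld.lstrip(".")):
            return SINKHOLE
    return None


if __name__ == "__main__":
    # Constructed queries against a policy that blocks .zip but allows one site.
    policy = dict(blocked_tlds=[".zip"], allowlist=["good-tools.zip"])
    for q in ("attachment.zip", "cdn.Good-Tools.zip.", "zip.example.com", "example.com"):
        print(f"{q:25} -> {resolve_policy(q, **policy) or 'resolve normally'}")
```

Allowlist checks run first so that whitelisting a site overrides the blanket TLD rule, and matching is done on whole labels so that a blocked TLD never catches unrelated names that merely contain the string “zip”.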