.ZIP domain: Hackers love the Google gift


Google has been marketing the new .zip top-level domain (TLD) since the beginning of May. The domains cost as little as $15 a year, but could quickly make millions for cybercriminals. Since May 2023, more than 10,000 .ZIP domains have already been registered. The reason: e-mail recipients think they are looking at a ZIP file, but what they actually get is a link to a dangerous .zip website.

Talos researchers took a closer look at the new .zip domains. Analyzing telemetry data, they noticed patterns that do not bode well: the new ending seems to be attracting hackers across the board. The problem is that the new TLD has the same name as the well-known “.zip” file format, which cyber attackers cleverly exploit.

Confusion: .zip link instead of .ZIP file

The new .zip domain is extremely popular because hackers can exploit it (Picture: Cisco Talos)

For example, they register URLs that appear to be compressed files. Since May, however, file managers such as Windows Explorer or certain messenger services have correctly identified such a name as a URL and redirected the user to the malicious website behind it. The user hardly notices anything, unless he counts the number of clicks on a file name. In some cases, this has already led to unwanted data leakage.

“As long as the new TLD isn't widespread, .zip domains can be blocked,” says Thorsten Rosendahl, technical leader at Cisco Talos in Germany. “However, if more companies introduce .zip, blocking an entire TLD is hardly practicable. In any case, SOC operators must monitor their network traffic much more intensively and inform employees about the dangers of .zip domains.”
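The monitoring described above depends on telling a link whose host sits under the .zip TLD apart from an ordinary download whose path merely ends in .zip, and on spotting bare file-name-like tokens that a mail client or messenger may turn into a link. The following Python sketch is an added example, not code from Cisco Talos or the original article; the function names, labels and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Explicit http(s) URLs in free text (mail body, chat message, proxy log line).
URL = re.compile(r"https?://[^\s<>\"']+", re.I)
# Bare tokens such as "report.zip" that auto-linking may turn into a URL.
# Skips e-mail addresses, path components and longer names like "a.zip.example.com".
BARE_ZIP = re.compile(r"(?<![\w/@.-])((?:[a-z0-9-]+\.)+zip)(?![\w-]|\.[\w-])", re.I)

def host_is_zip_tld(url: str) -> bool:
    """True when the URL's host (not its path) ends in the .zip TLD."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    return host.endswith(".zip")

def classify(text: str) -> list[tuple[str, str]]:
    """Return (label, value) findings for one line of text."""
    findings = []
    for m in URL.finditer(text):
        url = m.group(0).rstrip(".,;)")  # drop trailing sentence punctuation
        if host_is_zip_tld(url):
            findings.append(("zip-tld-url", url))
    # Remove full URLs first so a download path like /tool.zip is not re-flagged.
    for m in BARE_ZIP.finditer(URL.sub(" ", text)):
        findings.append(("bare-zip-name", m.group(1).lower()))
    return findings

# Constructed sample lines (not real traffic or real campaigns).
SAMPLE = [
    "Please review the attached file quarterly-report.zip before Friday.",
    "Download: https://files.example.com/releases/tool-1.2.zip",
    "See https://quarterly-report.zip/ for details.",
    "Contact alice@example.com with questions.",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line), "<-", line)
```

A `bare-zip-name` finding is not malicious in itself; it marks text that a client may render as a clickable link to a .zip domain, which is the confusion the article describes.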
