• Google’s recent offering of the “.zip” top-level domain (TLD) has led security researchers and likely threat actors to register numerous domains for red teaming and phishing attacks, respectively, creating new challenges for organizations and cybersecurity professionals.
• As user applications increasingly interpret actual “.zip” filenames as URLs, those filenames may trigger unintended DNS queries or web requests, revealing possibly sensitive or internal company data contained in a file’s name to any actor monitoring the associated DNS server.
• Leaked filenames can be extremely valuable to advanced adversaries, who may use this information in a variety of ways, including in lures masquerading as internal company documents and archives for social engineering and infecting targets.

Top-level domains and file extensions

Google’s announced sale of new TLDs that are also popular file extensions, and the deployment of the “.zip” domain in particular, increases the risk that threat actors will develop new vectors for compromising victims. In early May 2023, Google released eight new TLDs, marketing the “.zip” domain as a way of letting an audience know that a domain’s owner is “fast, efficient, and ready to move.” However, the move raises serious concern that domains in the “.zip” filename format could be confused with legitimate filenames, and vice versa, compounding the problem of users recognizing potential phishing attempts.

Google Domains page for the new “.zip” TLD showing prices to acquire a new domain.

In a very short period of time, the general availability of the “.zip” TLD has led to a suspiciously high volume of registered domains that resemble a wide variety of internal company filenames. Owning and controlling these domains can benefit attackers, who can harvest filenames leaked via automatic DNS resolution or use the domains as launch points for potential exploits and malware artifacts. Cisco’s Umbrella telemetry and open-source research indicate that many of these domains may be used for malicious attacks in the future.

Aggregate data for new domains registered under the TLDs offered by Google since May 3, 2023, shows that “.zip” is the most popular extension by a large margin:

Domaintools statistics of new domains registered for each new TLD offered by Google since May 3, 2023, show the “.zip” TLD outpacing all others.

The significantly greater popularity of the “.zip” TLD is likely due to the fact that “.zip” is a common file format used in phishing attacks and malware delivery. Security researchers have already highlighted several recently registered “.zip” domains whose names are commonly used in phishing attacks:

A list of domains likely registered by security researchers or possible threat actors, likely with the intention to use as phishing domains.
Security research group VX-Underground showing an example of a domain that can be used for phishing.

How URLs based on filenames can leak information

Talos assesses that domains employing “.zip” and similar TLDs increase the likelihood of sensitive information disclosures through unintended DNS queries or web requests. With the availability of the new “.zip” TLDs, messaging applications like Telegram or internet browsers began reading strings ending in “.zip” as URLs and automatically hyperlinking them. This is especially problematic in chat applications, which sometimes trigger a DNS or web request to show a thumbnail of the linked page. For example, the following chat application changed what was meant to be the name of a file “update[.]exe[.]zip” to a hyperlink pointing to the URL “https[://]update.exe[.]zip”:

Chat application changing a filename to a URL.

In this case, even mentioning a valid filename in a chat could trigger a DNS lookup and leak internal filenames to whoever controls that domain’s DNS server. In other cases, if a user searches in Windows Explorer for a “.zip” file that doesn’t exist, Explorer will search online for the file and may reach the domain instead.

Researcher disclosing an issue with Windows Explorer opening “.zip” files as a URL.

In an information leak scenario, a malicious user in control of a “.zip” domain’s DNS server filters requests by the network of the companies they’re targeting and collects internal filenames, providing possible leverage during an actual attack. MITRE even describes some of these activities in the ATT&CK Framework as part of the Reconnaissance Tactics, like T1589 and T1591, which describe techniques to gather information about a target user and the corporation itself.

Observations in the wild

When Google announced its offering in early May 2023, Talos began monitoring telemetry data for occurrences of “.zip” usage in URLs. We observed a wealth of filenames being queried against various “.zip” domain names containing all kinds of information. For example, Cisco Umbrella DNS data reveals many filenames that could indicate phishing attempts, like the domain “secure-access-4a907q5xsg5q5354[.]fbmsg[.]xyz[.]zip”, as well as many file names similar to the ones used in malware campaigns (e.g., “report_<random_numbers>[.]pdf[.]zip”).

Snippet of Cisco Umbrella DNS data showing queries for “.zip” domains in a 24-hour period.

Our DNS query data shows resolutions of real filenames containing potentially internal and sensitive information, such as project names, personally identifiable information (PII), geography, and order or contract names and numbers: basically anything that threat actors could use in an effective lure in a future attack.

Filename | Possible information leaked
Expressvpn_windows_12.49.0.4_release.***.zip | Old versions of applications in use inside the corporate network
Hsbc_tradinghub_equity_orders_20230511.***.zip | Potential business relationships
Sx_corporateaction_id000xxxxxxx_0.***.zip | Employee/User ID
Djsb_labour_market_data_-_employment_data_summary_sa4_2018.***.zip | Corporate information
fitbitcofceva_000xxxxxxx_20230303_xxxxxxxxxx.***.zip | Personal user identification information

Examples of filenames found in DNS query data. Some information has been obfuscated to avoid showing potential identifying information.

What users can do

Many cybersecurity professionals currently recommend that companies completely block “.zip” domains at their firewalls. Although this tactic may currently be sufficient, since usage of the “.zip” TLD is not yet widespread, that may not be the case in the future. As more companies begin adopting “.zip” domains, blocking an entire TLD would not be feasible. In any case, SOC operators will need to be aware of the risks of information leaks and phishing attempts using these domains and will have to adapt their tools to monitor for such events.
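To illustrate both the leak path described earlier (a filename such as “update.exe.zip” resolved as a domain) and the monitoring SOC teams will need, the following is an added example, not code from the Talos post or from Cisco Umbrella. It scans constructed DNS query log lines, flags “.zip” queries that look like leaked filenames, and applies a block-everything-else policy with a per-domain exception list; the log format, the allowlist and the filename heuristics are assumptions.

```python
import re
from collections import Counter

# Constructed sample DNS query log (not real Umbrella data): timestamp, client IP, query name
SAMPLE_LOG = """\
2023-05-16T10:01:02Z 10.20.3.44 update.exe.zip
2023-05-16T10:01:09Z 10.20.3.44 www.example.com
2023-05-16T10:02:31Z 10.20.7.12 report_20230516.pdf.zip
2023-05-16T10:03:05Z 10.20.7.12 hsbc_tradinghub_equity_orders_20230511.zip
2023-05-16T10:04:40Z 10.20.9.8 code.zip
2023-05-16T10:05:00Z 10.20.9.8 partner-site.zip
"""

# Assumed case-by-case exceptions, the equivalent of opening specific domains in a destination list
ALLOWED_ZIP_DOMAINS = {"partner-site.zip"}
# A second extension directly before ".zip" is a strong sign the "domain" is really a filename
FILE_EXTS = {"exe", "pdf", "doc", "docx", "xls", "xlsx", "tar", "7z", "rar"}
# Underscores and digits are typical of filenames and rare in brand-style domain labels
FILENAME_HINT = re.compile(r"[_\d]")


def classify(qname: str) -> str:
    """Return 'allow', 'block' or 'alert' for one DNS query name.

    'alert' means the query looks like a leaked filename and the querying host
    should be investigated; 'block' is the blanket policy for other .zip domains."""
    name = qname.lower().rstrip(".")
    if not name.endswith(".zip") or name in ALLOWED_ZIP_DOMAINS:
        return "allow"
    labels = name.split(".")
    if len(labels) >= 3 and labels[-2] in FILE_EXTS:
        return "alert"
    if FILENAME_HINT.search(labels[-2]):
        return "alert"
    return "block"


def scan(log: str) -> dict:
    """Classify every log line; return non-allowed findings and per-verdict counts."""
    findings, counts = [], Counter()
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        ts, client, qname = parts
        verdict = classify(qname)
        counts[verdict] += 1
        if verdict != "allow":
            findings.append((ts, client, qname.lower(), verdict))
    return {"findings": findings, "counts": dict(counts)}


if __name__ == "__main__":
    for ts, client, qname, verdict in scan(SAMPLE_LOG)["findings"]:
        print(f"{verdict.upper():5} {client} queried {qname} at {ts}")
```

The “alert” verdicts are the ones worth routing to analysts, since they point at the internal host that mentioned or searched for the filename, while “block” entries simply confirm the blanket policy is working.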

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. Cisco Umbrella customers may use wildcards in destination lists to block the “.zip” TLD and allow specific domains on a case-by-case basis depending on their users’ needs. More information can be found in the Umbrella documentation.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
The following Snort SIDs are applicable to this threat: 61861 - 61864.