Checking your email inbox or navigating the Internet are daily tasks. For some of us, it’s done first thing in the morning, while still in bed: you scroll through, catching up on news and messages from overnight; important updates from your job, medical insurance, doctor, etc. You barely think about the dangers that opening those messages involves, but the reality is that opening emails and clicking on URLs can hide very big threats to your security and privacy. But how are emails related to the .zip domain? Why should you avoid .zip domains at all costs? Let’s explore it!
Why are .zip domains dangerous?
The main problem with .zip domains is that they can be used for phishing attacks and other malicious activities. For most people, .zip is deeply associated with the popular compressed file format, so using .zip as a TLD (Top Level Domain) naturally leads to confusion and opens the door to misuse.
Let’s face it; most Internet users are not tech-savvy. When they see the text image.zip in an email, they read it as the name of an attachment rather than as a link to a website, but the truth is that it could be a link to a legitimate site or to a dangerous domain.
Do you want to know more about TLDs and DNS? Read about DNS.
A big problem is that many programs and web applications automatically convert anything that looks like a domain name into a link. Imagine you are reading a tutorial that mentions files.zip. You might naively click on it, expecting it to point to local files, but you will actually be taken to the domain files.zip. The same can happen inside your email inbox, social media, messaging apps, e-book reading apps, and more.
Because of this, people can click through to a .zip domain and blame the person who wrote the message.
Imagine the scenario: You are sending an email to your client, and you write the following: “All the details about the deal are inside the file.zip attachment.”
The person on the other side will see “file.zip” as a link. They can click on it, get scammed, and blame you for the bad experience even though you didn’t do anything wrong.
And let’s not even talk about older Internet users. Have you seen how your grandparents use email and online communication in general? Explaining this problem to them will be mission impossible.
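Here is an added example, not code from the original article, showing how a naive autolinker produces exactly this problem, beside a stricter one that only links explicit URLs. Both regular expressions are constructed for the example and are not taken from any real mail or chat client; the sample email text is made up.

```python
import re

# Constructed example: neither pattern is copied from a real mail or chat client;
# they model the two common autolinking behaviours.
TLDS = "com|net|org|zip|mov"

# Naive: any "label.tld" in running text becomes a link, scheme or not.
NAIVE_LINK = re.compile(
    r"(?<![\w@/])"                                    # not inside an e-mail address or URL
    r"((?:https?://)?[\w-]+(?:\.[\w-]+)*\.(?:" + TLDS + r"))"
    r"(?![\w-]|\.\w)"                                 # the last label ends here
    r"((?:/\S*[^\s.,;:!?)])?)",                       # optional path; trailing punctuation dropped
    re.IGNORECASE,
)

# Strict: only text that is unambiguously a URL (scheme or "www.") becomes a link.
STRICT_LINK = re.compile(r'\b(https?://[^\s<>"]+|www\.[^\s<>"]+)', re.IGNORECASE)


def _with_scheme(shown):
    return shown if shown.lower().startswith(("http://", "https://")) else "http://" + shown


def naive_linkify(text):
    """Return (display_text, href) pairs a naive client would turn into links."""
    links = []
    for m in NAIVE_LINK.finditer(text):
        shown = m.group(1) + m.group(2)
        links.append((shown, _with_scheme(shown)))
    return links


def strict_linkify(text):
    """Same, but bare file names such as file.zip are left as plain text."""
    links = []
    for m in STRICT_LINK.finditer(text):
        shown = m.group(1).rstrip(".,;:!?)")
        links.append((shown, _with_scheme(shown)))
    return links


# Constructed e-mail text: the scenario from the article.
EMAIL = ("All the details about the deal are inside the file.zip attachment. "
         "The signed copy is at https://somesite.com/deals/contract.zip.")

if __name__ == "__main__":
    print("naive :", naive_linkify(EMAIL))    # file.zip becomes http://file.zip
    print("strict:", strict_linkify(EMAIL))   # only the explicit URL is linked
```

The naive pattern turns the bare file name into a clickable http://file.zip, which is the behaviour the article warns about; the strict pattern links only the URL the sender actually wrote.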
So, how bad could it be if you clicked on a .zip domain?
What can happen if you click on a .zip domain?
• Distribution of malware. Cyber attackers can easily register a .zip domain for hosting and spreading malware, taking advantage of the link users make in their minds between .zip and downloadable files. Once clicked, the link could infect the system. The infected device is then in danger and could even become part of a botnet used for a DDoS attack (learn what a DDoS attack is).
• Misdirection. Again, using this confusing .zip TLD, criminals can mask their intentions and redirect users to their malicious sites.
• Phishing attacks. The previous points clearly show why .zip domains suit phishing. They can trick users into thinking they are downloading an ordinary .zip file when they are really being taken to a dangerous site controlled by cybercriminals, where the user’s data is at risk.
If you are wondering what phishing attacks are, they are fraudulent activities whose goal is to mislead victims into giving up their sensitive data or installing malicious software on their devices. Read more about phishing attacks here.
Phishing attacks using .zip domains.
The following two examples look almost identical but behave very differently:
• https://somesite.com∕directory∕tags∕@Do-not-click-here.zip
• https://somesite.com/directory/tags/Do-not-click-here.zip
The first will take you to the Do-not-click-here.zip domain, while the second will take you to the Do-not-click-here.zip file on somesite.com. Look closely: the first uses the Unicode “∕” character in place of every slash and contains an @ sign; the second uses ordinary forward slashes.
The browser treats everything between “//” and the “@” as user information and starts the hostname right after the “@”, so the whole “somesite.com∕directory∕tags∕” part is ignored when deciding where to connect.
Normally a link contains real forward slashes “/”, and the browser parses everything after the first one following the hostname as a path, which would leave an “@” harmlessly inside the path. Criminals therefore replace the slashes with a very similar-looking character, “∕” (U+2215, DIVISION SLASH), which is not a URL delimiter, so the browser keeps reading the user information and hostname until it finds the “@”.
That way, you might think you are going to one site, but you are actually going to the host that follows the “@” symbol, which could be a trap.
You can see the true URL when you hover over the link on a computer, which, unfortunately, you usually can’t do on a phone (some apps show a preview when you long-press a link, but not all of them), so if you’re worried, it’s best to wait until you’re on a computer and check the links.
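To make the parsing rule concrete, here is an added Python example, not part of the original article or of the post it cites, that runs both URLs above through the standard library’s urllib.parse, which splits the authority the same way a browser does (user information before the last “@”, host after it), and adds a small checker that flags the tell-tale signs. The URLs are the constructed ones from the text; the function names and warning wording are my own.

```python
from urllib.parse import urlsplit

# Characters that render like "/" but are not URL delimiters, so a parser does
# not see them as the start of the path.
CONFUSABLE_SLASHES = {
    "\u2215": "DIVISION SLASH",
    "\u2044": "FRACTION SLASH",
    "\uff0f": "FULLWIDTH SOLIDUS",
}

# Constructed URLs for the example: the same two as in the text.
TRAP = "https://somesite.com\u2215directory\u2215tags\u2215@Do-not-click-here.zip"
LEGIT = "https://somesite.com/directory/tags/Do-not-click-here.zip"


def destination(url):
    """Return (host, userinfo, path) the way an RFC 3986 parser sees them.

    The authority runs from "//" to the first "/", "?" or "#".  Inside it,
    anything before the last "@" is user information, not the host.
    """
    parts = urlsplit(url)
    return parts.hostname, parts.username, parts.path


def link_warnings(url, risky_tlds=("zip", "mov")):
    """Warnings a mail client or link scanner could raise before following url."""
    warnings = []
    for ch, name in CONFUSABLE_SLASHES.items():
        if ch in url:
            warnings.append(f"contains U+{ord(ch):04X} {name}, which looks like '/' "
                            f"but is not a path separator")
    try:
        parts = urlsplit(url)
    except ValueError as exc:      # e.g. a host that NFKC-normalises to a delimiter
        warnings.append(f"rejected by URL parser: {exc}")
        return warnings
    if "@" in parts.netloc:
        warnings.append(f"'@' in authority: the real host is {parts.hostname!r}; "
                        f"the text before it ({parts.username!r}) is ignored")
    host = parts.hostname or ""
    if host.rsplit(".", 1)[-1] in risky_tlds:
        warnings.append(f"host {host!r} is under a TLD that doubles as a file extension")
    return warnings


if __name__ == "__main__":
    for url in (TRAP, LEGIT):
        print(url)
        print("  connects to:", destination(url)[0])
        for w in link_warnings(url):
            print("  !", w)
```

For the first URL the parser reports the host as do-not-click-here.zip with an empty path, and everything that looked like a site and a folder structure ends up in the username field; for the second it reports somesite.com with the expected path and raises no warning.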
The problem is that we are not always so careful, and we often make mistakes.
You can read about it in Bobby Rauch’s post here.
But can we truly avoid the problems with .zip domains?
How to stay safe from .zip domains?
• Always hover over a link to make sure where it will lead you. On a computer, you can hover over any link and the destination appears in the status bar in the bottom-left corner of the browser. If the text of the link and the destination don’t match, better not click on it.
• If you see an at sign (@) in a link, be extra careful. The host the browser actually connects to is the one after the “@”, not the name at the beginning of the text. By clicking such links, you can easily walk into a URL trap.
• Block all .zip domains on your device or network. The Windows hosts file cannot wildcard a whole TLD, so on Windows 10 Pro and Windows 11 Pro use a browser policy instead (Chrome and Edge both honour a URLBlocklist policy), or use a filtering DNS service or resolver that can refuse every name ending in .zip.
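The hover test and the TLD ban can also be automated for HTML mail. The following is an added Python example, not code from the original article: it pulls every link out of a message body with the standard library’s html.parser, compares the visible text with the real destination, and refuses anything under .zip or .mov. The message body and every domain name in it are made up for the example, and the class and function names are my own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

BLOCKED_TLDS = {"zip", "mov"}

# Visible link text that itself looks like a URL or host name, e.g. "www.example-bank.com".
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}(?:/\S*)?$", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Host name of a URL, or of bare text such as 'somesite.com/report.zip'."""
    if "://" not in s:
        s = "http://" + s
    try:
        return (urlsplit(s).hostname or "").lower()
    except ValueError:      # the parser rejects some confusable-character hosts
        return ""


def audit_links(html):
    """Return [(href, text, verdict)]: the hover test plus the .zip/.mov ban."""
    parser = AnchorCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        target = host_of(href)
        tld = target.rsplit(".", 1)[-1]
        if tld in BLOCKED_TLDS:
            verdict = "blocked: .%s destination" % tld
        elif LOOKS_LIKE_URL.match(text) and host_of(text) != target:
            verdict = "mismatch: text says %s, link goes to %s" % (host_of(text), target)
        else:
            verdict = "ok"
        results.append((href, text, verdict))
    return results


# Constructed message body; every domain in it is a placeholder.
SAMPLE = """<p>Your statement is ready.</p>
<a href="https://example-statement.zip/login">https://www.example-bank.com/login</a><br>
<a href="https://www.example-bank.com/login">Sign in</a><br>
<a href="https://somesite.com/report.zip">somesite.com/report.zip</a><br>
<a href="https://evil.example.net/login">www.example-bank.com</a>"""

if __name__ == "__main__":
    for href, text, verdict in audit_links(SAMPLE):
        print("%-45s %-40s %s" % (href, text, verdict))
```

Only the .zip destination is refused outright; the third link is fine because a .zip file on an ordinary host is not a .zip domain, and the last one is flagged because what the reader sees is not where the link goes, which is exactly what hovering would have revealed.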
These are the best ways to stay away from the .zip domains.
What .zip domains are already registered?
There are more than two thousand .zip domains already registered. Here are just a few:
• backup.zip
• bankinfo.zip
• caches.zip
• cloud.zip
• file.zip
• archive.zip
• app.zip
• homework.zip
• and more.
We managed to find a full list of all .zip domains in the profile of Trickest on GitHub. The list is constantly updated. If you are interested, you can check it out here. As you can see, many of the registered .zip names mimic common file names, so you should be careful.
Whose fault is it?
Why is Google to blame for .zip domains?
Because Google introduced this TLD to the world. The company obtained the right to operate such TLDs from the Internet Corporation for Assigned Names and Numbers (ICANN). Any company can apply for a new generic TLD and start registering domain names under it once ICANN grants it the rights. Before Google, no company held the rights to this particular TLD.
Who allowed this to happen?
The Internet Corporation for Assigned Names and Numbers (ICANN) is the organization that approves new Top Level Domains (TLDs). ICANN oversees the naming and numbering systems that let networks and devices across the Internet find each other. We mentioned them in our article about the Russian Internet Runet.
Google was interested in the .zip TLD and applied to operate its registry, which ICANN approved. People from ICANN didn’t think anyone would type a .zip domain into the address bar, so it wouldn’t be dangerous – a very naive idea (or maybe more like a very cheap excuse?). As we already saw, the danger is not about people typing it into the address bar.
How is Google defending itself in the .zip scandal?
In a press statement, Google said that the risk of confusion between domain names and file names has been around for a long time. The company pointed out that the .com TLD shares its name with the .COM executable extension from the era of MS-DOS and early versions of Windows. But honestly, that was around 30 years ago, and it doesn’t make for a proper comparison.
When did Google start selling .zip domains?
Google started offering .zip domains, together with .dad, .phd, .prof, .esq, .foo, and .mov, on May 3, 2023. The base price for registering such a domain name is $30 per year.
Is somebody doing something to stop .zip domains?
White hats (read about the hackers’ types) are registering the domains to take them out of the market.
There are developers, “good” hackers, and security companies that prefer to pay a small fee for a few domain names and keep them inactive that way.
Some companies, like us, are trying to inform the public about the potential risks and how to avoid them.
Why should you not buy a .zip domain for your business?
• Blocking by antivirus companies. They can block all .zip domains just to keep their users safe. Instead of blocking each .zip domain one by one, they can decide to block all of them and be done with the worry. You can create a .zip site and later be left with a blocked .zip site. This will result in zero traffic to your site, and you may need to rebrand.
• Users can use policies to block .zip domains. Individuals can block all .zip domains on a computer or inside a particular browser. That way, the user won’t be able to access any of them, including yours.
• Warnings. Some browsers can show a warning telling users that a particular site could be dangerous, which can scare off visitors.
Are there any other potentially dangerous domain extensions?
Yes, .mov is another one. It is an extension that can easily be mistaken for a video file, since .mov is the QuickTime video file extension that Apple introduced in 1991 and that is still in use. It can lead to the same type of problems.
Conclusion
Basically, stay away from .zip domains at all costs. Never buy a .zip domain, and never click on a .zip domain. Also, learn from this case and be careful with other domains that can be used for the same trick, such as some uses of the .com domain, the .mov domain, or others. Be vigilant. When in doubt about a link, use a computer instead of a smartphone, hover over the link to see where it leads, and then decide if you should click.