Google’s new ‘Zip’ domains exploited in phishing attacks

In May 2023, Google announced its launch of eight new top-level domains¹ (TLDs), which include .zip domains. Mere weeks after Google’s announcement, researchers reported that threat actors were already fraudulently registering .zip TLDs for use in phishing attacks. While new TLDs have traditionally presented threat actors with opportunities to register deceptively similar URLs, .zip TLDs are particularly problematic. The reason is that .zip TLDs increase the likelihood of fraud because .zip² is also used as an extension to indicate a file format for compression and archiving content. Threat actors may thus be able to convince victims to click on malicious domains by presenting them as .zip files.³

Researchers who investigated existing .zip registrations discovered evidence of fraudulent activity exploiting the newly created TLDs. Specifically, they found .zip domains being used as lures in phishing campaigns. As of mid-May, there were less than 5,000 registered .zip domains, which researchers determined corresponded with 838 distinct IP addresses. While five of the domains had been used in phishing attacks by unidentified attackers, none remained active as of May 23, 2023. The brands targeted by the phishing sites were Microsoft, Google, and Okta.

According to researchers who viewed the phishing pages when they were active, the goal of these mirror sites⁴ was to lure victims into entering login credentials. Attackers can use the credentials to access target networks, move laterally on them, steal sensitive data, and drop malicious software on victims’ systems. The design of each mirror site’s landing page appeared to incorporate Microsoft branding to convince victims that the replica .zip domains were actual corporate sites.

Among the identifiers of malicious activity observed by researchers was a message on a fake Microsoft login portal with the message “THIS IS FOR TESTING.” Similarly, another fake login page contained the message, “This is not a microsoft page.” Both messages were removed an hour after researchers first observed them, leaving highly realistic looking login portals, which indicated that the phishing pages had gone live. Researchers noted that the phishing pages used different hosting providers and were registered with different registrars, which led them to conclude different threat actors operated them.⁵

DIVING DEEPER

Cybersixgill detected significant activity related to Google’s new TLDs on underground sources, where threat actors discussed what to do with the new .zip domains. The following screenshot displays a post from an active member of a leading cybercriminal forum with a 7/10 reputation score. The forum member announced that he purchased a specific .zip domain and surveyed other forum members for their opinions about whether the .zip and .mov domains will be “high quality.”

While the forum member did not explicitly mention phishing attacks or other illegal activity in the post, another highly active forum member claimed that Google will reclaim the domain if it's used for “phishing and illegal crypto stuff.” Much of the discussion focused on reselling the domain, which would likely appeal to threat actors interested in operating phishing scams, who may be interested in purchasing it. In addition, a different forum member suggested creating a “CPA locker that is a link to a zip of a file program to send bitcoin to your wallet,” which appears to be a reference to potentially criminal activity.

Figure 1: Underground forum members discuss monetizing new .zip domains

In addition to posts on cybercriminal forums, Cybersixgill also observed a discussion on a cybercrime instant messaging channel about purchasing .zip domains. This channel was created by the administrator of a popular underground forum.

In the post below, a channel subscriber asked where .zip domains could be purchased using Monero (XMR), which is harder to trace than other forms of digital currency. While the subscriber’s motives cannot be conclusively established, requesting the information on a channel frequented by cybercriminals and asking to pay for .zip domains with Monero suggests a threat actor seeking .zip domains for malicious purposes.

This new PaaS tool could appeal to skilled malicious actors and beginners alike, providing an easy-to-use tool for stealing sensitive data while bypassing MFA protection mechanisms. Indeed, this tool appears capable of phishing campaigns that compromise Microsoft 365 accounts.

With Paas tools l closing the skill gap and providing novice attackers the means to steal data from valuable accounts, all organizations must instruct employees not to click on links or attachments in suspicious emails. Specifically, users should double-check email senders’ identities before opening attachments or clicking links. They should also remain vigilant with regard to misspelled URLs to avoid entering credentials into fraudulent websites. Finally, organizations should instruct personnel to exercise additional caution when using MFA codes for corporate services.

1. ^{Top-level domains (TLDs) are the uppermost portion of the Internet's hirearchical Domain Name Systemo(DNS), and can be found at the rightmost portion of the domain name (e.g., .com, .org, .net, etc.). Google's list of new TLDs in May 2023 consisted of .zip, .mov, .dad, .phd, .prof, .esq, .foo, and .nexus.}

2. ^{A .zip file compresses multiple files or directories into a single file, reducing overall size for storage or transfer.}

3. ^{Researchers identified several other TLD/extension overlaps, including .com (also an executable format), .pl (Poland TLD/Perl scripts), and .sh (Saint Helena TLD/Unix shell scripts).}

4. ^{Mirror sites, or mirrors, are replica sites operated by threat actors that impersonate legitimate websites.}

5. ^{Google Registry was notified and the domains now no longer resolve.}