Google released a .zip web domain and people can’t decide if it’s the phishing apocalypse or just as bad as any other dodgy link

Google is offering a new .zip web domain for users who want people to know they’re “fast, efficient, and ready to move.” It sounds mostly okay on paper, but due to the similarities between this domain and a popular zipped file format, there are concerns that this could become one of the easiest ways to dupe web-goers into downloading dodgy files.

You can see why there have been concerns about the new .zip top level domain (TLD). Say you’re looking to download the CPU-Z software, you’d expect to land on the CPUID website at the URL: www.cpuid.com/downloads/cpu-z/cpu-z.2.05-en.zip.

What Google’s new .zip TLD will allow for are links that look very similar but are incredibly dangerous dupes. For example, and this link goes nowhere but there’s still no need to try it:  www.cpuid.com/downloads/cpu-z∕@cpu-z.2.05-en.zip.

Most web-savvy users would probably notice the rogue @ in there and think twice before clicking on that URL, but you might not notice the Unicode character U+2215, which tries to masquerade as a forward slash. Cheeky.

As security researcher bobbyr points out in their Medium blog post, most modern browsers will disregard the information before the @ and only listen to the hostname following it. That means if you were to put in https://google.com@bing.com, most browsers would direct you to bing.com. If you were to add forward slashes into the URL before the @, you’d actually see the reverse happen: https://google.com/search@bing.com will take you to Google.

That’s where unicode characters U+2215 and U+2044 come in. These look a lot like forward slashes, but they’re not. And they’re supported in hostnames. That means you could create a fake URL that appears pretty genuine and which could send a user to a dodgy .zip url pretending to be a legitimate download. That domain could then host an actual .zip file with just about anything in it, including malware.

It’s kinda convoluted , but you can see the potential issue here, especially if someone’s not particularly internet savvy or in a rush.

Not everyone agrees that this represents a new breed of phishing attack, however. Another Microsoft employee, and the creator of HaveIBeenPwned, Troy Hunt, suggests there’s nothing new here to worry about. 

Hunt goes back to the argument that, ultimately, humans are “bad at URLs and TLDs don’t matter.” They suggest that most people have no idea when they’re presented with a deliberately deceptive address, whether the file looks like a .zip file or not. 

“Most people have no idea when a feasible *looking* URL is completely wrong,” Hunt says.

But the key thing is that this isn’t really so much an issue for security researchers. They’ll almost certainly catch it. The issue are the less tech savvy internet users out there—.zip has become so synonymous with a file format, it does feel unnecessarily confusing to make it into a web domain, too.

The guidance to help users avoid .zip phishing attacks laid out in the Medium blog post is absolutely valid. You should keep an eye out for false characters in URLs, domains with @ symbols followed by .zip files, and to be careful when downloading files sent by unknown recipients. 

In fact, that last one is really the best advice out there for avoiding getting phished. Scams pretending to be from known companies, services, or even people you know are some of the most dangerous. 

You don’t need me to tell you this, but always be wary of what links you’re clicking on.

About Post Author

See author's posts