In an ambitious move to expand the Internet’s territory, Google has recently rolled out eight new top-level domains (TLDs), a measure that has provoked apprehension amongst security experts. They worry that two of the new domains could inadvertently become a breeding ground for online fraudsters who trick users into clicking harmful links.
In the nascent years of the Internet, TLDs—the farthest segment to the right in a domain name—were designed to categorize domains by purpose, geographic location, or proprietorship. Early TLDs such as .com indicated commercial entities, .edu pointed to educational institutions, .org represented non-profit organizations, and so forth. Numerous country codes such as .uk, .ng, and .fj also emerged as identifiers of geographic regions.
Fast forward to the present day, with a plethora of over 1,480 TLDs available, a statistic confirmed by the Internet Assigned Numbers Authority (IANA), the entity responsible for overseeing the DNS Root, IP addressing, and other Internet protocol resources. Google’s recent contribution to this growing list has raised eyebrows in the cybersecurity community, particularly the .zip and .mov TLDs. Google’s marketing team posits that these domains are meant to signify “tying things together or moving really fast” (.zip) and “moving pictures and whatever moves you” (.mov).
Yet, these suffixes already bear a different connotation within the Internet ecosystem. .zip and .mov are known extensions for archive files using the zip compression format and video files created in Apple’s QuickTime format, respectively. Security experts fear that these new TLDs could become a source of confusion, particularly when displayed in emails, on social media, and other platforms.
There is a growing concern that scammers could exploit this confusion, given the automatic transformation of strings such as “setup.zip” or “vacation.mov” into clickable links in emails or social media posts. These seemingly innocuous file names could lead users to harmful domains controlled by fraudsters, warns Randy Pargman, Director of Threat Detection at security firm Proofpoint. This potential threat scenario poses a considerable risk of undoing years of anti-phishing and anti-deception awareness efforts.
Scammers could, for instance, exploit a domain such as photos.zip to lure users into their trap. Traditionally, the string “photos.zip” would have appeared as plaintext. However, in the wake of Google’s move, numerous platforms are now rendering these as clickable domains. Users might inadvertently visit a fraudulent website under the assumption that they are accessing a photo archive from a known source.
Additionally, cybersecurity researcher Bobby Rauch showed how a clever misuse of the .zip TLD could generate a deceptive URL that could easily dupe any unsuspecting user. His demonstration involved the creation of a URL that appears almost identical to a legitimate one, except that it directs to a potentially malicious site.
Google, however, has defended its decision to introduce these TLDs, pledging to monitor their usage for potential threats. It emphasized that measures like Google Safe Browsing would keep any abuse at bay by warning users of malicious websites and downloads.
Despite Google’s assurances, the decision to introduce .zip and .mov TLDs appears to defy the established norms of domain naming conventions. This move is now prompting a debate amongst engineers overseeing these conventions, some of whom have proposed the removal of these TLDs from the public suffix list (PSL)—a machine-readable list of all known DNS public suffixes and their rules. However, consensus on this issue remains elusive, given the potential instability and disruption that removing ICANN-approved TLDs could cause.
