It has been six months since Netcraft first reported on abuse of the new .zip TLD, outlining the fraudulent activity we detected and blocked. Within weeks of its launch, Netcraft had detected many fresh .zip domain registrations designed to exploit confusion between the new TLD and the .zip file extension for ZIP archives.
So, what has changed in the last 6 months? Not much, it seems.
The rate of new .zip domain registrations has declined since our previous blog post. Despite this, there are now:
Out of these domains, we discovered 5 serving zip bombs (archives that are small to download but expand to an enormous size when extracted). In addition, the larger number of distinct IP addresses (now 1 for every 4 domains, compared to 1 for every 6 domains six months ago) suggests that .zip domains are spread across more diverse hosting.
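The zip-bomb finding above is worth pairing with the check a defender would run before extracting anything fetched from a .zip host. The following Python is an added example written for this post, not Netcraft's own tooling: it reads only the central directory to flag an implausible expansion ratio or nested archives, and then caps the bytes actually produced during inflation, since the sizes in the headers are attacker-controlled. The thresholds, and the sample archives it builds, are assumptions constructed for illustration.

```python
import io
import zipfile

MAX_RATIO = 100                      # declared uncompressed bytes per compressed byte (assumed threshold)
MAX_DECLARED_TOTAL = 64 * 1024 ** 2  # 64 MiB declared expansion (assumed threshold)
CHUNK = 64 * 1024


def inspect_archive(data: bytes) -> dict:
    """Read only the central directory and report expansion signals.

    Sizes come from attacker-controlled headers, so this is a cheap first pass,
    not a guarantee; enforcement happens in extract_member_capped().
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        compressed = sum(i.compress_size for i in infos)
        declared = sum(i.file_size for i in infos)
        nested = [i.filename for i in infos if i.filename.lower().endswith(".zip")]
    ratio = declared / compressed if compressed else float("inf")
    flags = []
    if ratio > MAX_RATIO:
        flags.append("high_ratio")
    if declared > MAX_DECLARED_TOTAL:
        flags.append("declared_total_exceeds_cap")
    if nested:
        flags.append("nested_archive")
    return {"entries": len(infos), "compressed": compressed, "declared": declared,
            "ratio": round(ratio, 1), "nested": nested, "flags": flags}


def extract_member_capped(data: bytes, name: str, limit: int) -> bytes:
    """Stream one member out, aborting once `limit` bytes have actually been
    produced, regardless of what the header claims."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as fh:
        out = io.BytesIO()
        produced = 0
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            produced += len(chunk)
            if produced > limit:
                raise ValueError(f"{name}: exceeded {limit} bytes while inflating")
            out.write(chunk)
    return out.getvalue()


def build_sample(bomb: bool) -> bytes:
    """Constructed sample archives (not real captures): a benign text file, or a
    32 MiB run of zeros plus a nested inner.zip standing in for a zip bomb."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if bomb:
            zf.writestr("payload.bin", b"\0" * (32 * 1024 ** 2))
            inner = io.BytesIO()
            with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as izf:
                izf.writestr("more.bin", b"\0" * 1024)
            zf.writestr("inner.zip", inner.getvalue())
        else:
            zf.writestr("readme.txt", b"hello from a perfectly ordinary archive\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label in ("benign", "bomb"):
        print(label, inspect_archive(build_sample(label == "bomb")))
```

Deflate tops out at roughly 1000:1 on a run of identical bytes, so a 32 MiB payload arriving as about 32 KiB already trips the ratio flag; the streaming cap is what actually protects a sandbox when the central directory lies about the sizes.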
Netcraft has blocked 50 malicious .zip domains since the previous post on 17 May 2023, bringing the total to 56. These domains mostly impersonate Microsoft, Google, and Steam, as the following figure illustrates:
Other notable attacks include:
We’ve also detected:
As we mentioned in our original blog post, we’ve also continued to see websites that raise awareness about the possible dangers of .zip domains. For example, Mrd0x[.]zip displays a fake WinRAR window, demonstrating how users may be tricked into thinking they have opened a zip file when in fact they are downloading malware.
V187[.]zip demonstrates how sites can also be displayed in a popup window, making the deception even more convincing.
Office365[.]1[.]14[.]win-x86[.]zip also warns users about the dangers of the .zip TLD. Unlike the majority of these ‘altruistic’ sites warning about the dangers of clicking on unsolicited links, Office365[.]1[.]14[.]win-x86[.]zip displays a fake GitHub page to make the download appear legitimate.
The page immediately downloads a .zip file containing a ‘warning’ message.
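The three sites above share one trick: the hostname itself is built to read like a file name (a product name, a dotted version number, a platform suffix). A first-pass heuristic for that, written as an added example for this post rather than Netcraft's own classifier, is below in Python. It tokenises a .zip hostname into DNS labels, looks for version numbers and platform or installer vocabulary, and returns the signals it found; the token lists and the two-signal threshold are illustrative assumptions, and the defanged `[.]` notation used in this post is accepted as input.

```python
import re

# Illustrative vocabulary seen in software download file names (an assumption of
# this example, not a list taken from Netcraft).
PLATFORM_TOKENS = {"win", "win32", "win64", "x86", "x64", "amd64", "arm64",
                   "linux", "mac", "macos", "osx", "android", "ios"}
PACKAGE_TOKENS = {"setup", "install", "installer", "update", "patch", "portable",
                  "release", "build", "crack", "keygen", "latest", "full", "backup"}
VERSION_LABEL_RE = re.compile(r"^v\d+$")                # a whole label such as v187
VERSION_TOKEN_RE = re.compile(r"^v?\d+(?:[-_]\d+)+$")   # 1-14 or v2_0_1 inside one label


def normalise_host(host: str) -> list[str]:
    """Lower-case, undo [.] defanging, strip a trailing dot, split into DNS labels."""
    host = host.strip().lower().replace("[.]", ".").rstrip(".")
    return host.split(".")


def filename_signals(host: str) -> list[str]:
    """Return the file-name-like signals found in a .zip hostname, in a fixed order."""
    labels = normalise_host(host)
    if len(labels) < 2 or labels[-1] != "zip":
        return []                       # only .zip hostnames are of interest here
    stem = labels[:-1]
    signals = []
    if len(stem) >= 3:                  # file names are dotted far more often than hostnames
        signals.append("many_labels")
    run = 0                             # two adjacent all-digit labels form a dotted version (1.14)
    for label in stem:
        run = run + 1 if label.isdigit() else 0
        if run == 2:
            signals.append("version_number")
            break
    if any(VERSION_LABEL_RE.match(l) or VERSION_TOKEN_RE.match(l) for l in stem):
        signals.append("version_label")
    tokens = {t for l in stem for t in re.split(r"[-_]", l) if t}
    if tokens & PLATFORM_TOKENS:
        signals.append("platform_token")
    if tokens & PACKAGE_TOKENS:
        signals.append("package_token")
    return signals


def assess(host: str) -> dict:
    """Summarise a hostname; two or more signals is the assumed 'filename-like' threshold."""
    signals = filename_signals(host)
    return {"host": host, "signals": signals, "filename_like": len(signals) >= 2}


if __name__ == "__main__":
    for h in ("Office365[.]1[.]14[.]win-x86[.]zip", "v187[.]zip", "mrd0x[.]zip", "example.com"):
        print(assess(h))
```

On the three sites named in this post the heuristic separates the installer-lookalike from the short brand names: Office365[.]1[.]14[.]win-x86[.]zip trips the label-count, version and platform signals, v187[.]zip only the version-label signal, and mrd0x[.]zip none. Treat it as a triage score to feed into registration-time review, not as proof of intent.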
Perhaps encouragingly, a much larger number of .zip websites warned visitors about the dangers of the .zip TLD deceptions, compared to the number that hosted malicious content. Having said that, these altruistic sites are using the same tactics that criminals themselves rely on, potentially providing reusable code and new ideas for fraudsters.
Our position at the epicentre of the battle against cybercrime allows us to rapidly identify, monitor and react to new threats, like those identified in this post. We continue to monitor for malicious content on .zip and other new TLDs. The Netcraft browser extension and mobile apps block the .zip threats described in this post, and will block new threats as we discover them.
We offer solutions for domain registries and domain registrars, including real-time alerts or takedowns for fraudulent content found on your TLD/infrastructure and a tool for analysing the likelihood that a new domain name is deceptive and will be used for fraud.
Netcraft is the world leader in cybercrime detection, disruption, and takedown, and has been protecting companies online since 1996. We help organizations worldwide (including 12 of the top 50 global banks) and perform takedowns for around one third of the world’s phishing attacks, taking down 90+ attack types at a rate of 1 attack every 15 seconds. Our malicious site feeds protect billions of people around the world from phishing, malware, and other cybercrime activities.