On Wednesday 3 May 2023, Google introduced eight new top-level domains (TLDs) that are available for purchase and can be used for websites and email addresses. Of these eight new TLDs, the one that stands out as a potential security risk is .zip.
The .zip TLD is concerning because .zip is also the extension of archive files commonly shared over the internet. Now that .zip is a domain suffix, email clients and web platforms will accept URLs that look like filenames with .zip extensions. A threat actor could theoretically purchase a .zip domain with the same name as a commonly used filename, such as “update.zip”, and have a victim mistakenly visit the site during a phishing campaign and download malware.
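As an added illustration (not Arctic Wolf's code), the check below flags links in a message body whose host, rather than the file name in the path, ends in .zip. Bare tokens such as update.zip are treated as candidate URLs because mail clients will now resolve them as hosts; the sample email text is constructed, and the flagged TLD set is a parameter so other file-extension-like TLDs can be added.

```python
import re
from urllib.parse import urlsplit

# Candidate tokens: explicit http(s) URLs first, then bare host-like tokens
# such as "update.zip" that a mail client may render as a link.
_CANDIDATE = re.compile(
    r"""https?://[^\s<>"']+|\b(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}\b"""
)

# Constructed sample email body (not a real campaign).
SAMPLE_EMAIL = (
    "Hi, the Q1 numbers are in https://example.com/reports/q1.zip. "
    "Please apply update.zip before Friday; mirror: http://Update.ZIP/files "
    "Full archive: https://downloads.example.net/archive/update.zip"
)


def find_file_extension_tld_links(text, flagged_tlds=frozenset({"zip"})):
    """Return (token, hostname) pairs whose host ends in a flagged TLD.

    Only the parsed *host* is inspected, so an ordinary download link such as
    https://example.com/update.zip is not flagged: its host is example.com.
    """
    hits = []
    for match in _CANDIDATE.finditer(text):
        token = match.group(0).rstrip(".,;:!?)")
        has_scheme = token.lower().startswith(("http://", "https://"))
        url = token if has_scheme else "http://" + token
        try:
            host = urlsplit(url).hostname  # lowercased; excludes userinfo, port, path
        except ValueError:
            continue  # malformed authority (e.g. bad IPv6 literal); skip it
        if host and host.rsplit(".", 1)[-1] in flagged_tlds:
            hits.append((token, host))
    return hits


if __name__ == "__main__":
    for token, host in find_file_extension_tld_links(SAMPLE_EMAIL):
        print(f"flagged link {token!r} resolves to host {host}")
```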
Arctic Wolf has already identified .zip domains being abused in successful phishing campaigns that leverage the filenames of popular office software suites. Based on the tactics, techniques, and procedures (TTPs) we have seen in past phishing campaigns, we expect more threat actors to use these TLDs for their phishing domains in the near future.
Arctic Wolf has multiple detections in place for suspicious activity on email accounts associated with phishing, and we continue to actively monitor for TTPs associated with campaigns that may arise from these TLDs.
When it comes to preventing phishing and other forms of social engineering, the most important factor is awareness and knowledge: if your users know that these types of attacks exist, they may be less likely to fall victim to them.
Recommendation #1: Block .zip TLDs at Your Organisation
Arctic Wolf strongly recommends assessing whether your organisation needs access to .zip TLDs. If your organisation has no business need for accessing or using these new TLDs, consider blocking them at the network firewall, DNS, or web proxy level and allowlisting individual domains on an as-needed basis.
Recommendation #2: Provide User Awareness Training
Provide tailored user awareness training to all employees on phishing campaigns and social engineering attacks.
- Ensure users know how to identify a phishing email and where to report it.
- Provide examples of what users can expect, and remind them to remain vigilant when receiving email from an unknown or external source.
- Warn users to be wary of messages that create a sense of urgency and ask them to do something quickly.
- Make users aware that threat actors may contact them through personal social media accounts or text messages.
- Review policies for verifying any changes to existing invoices, bank deposit information, and contact information.