![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2023\/05\/zip-and-mov-domains-cause-confusion-600x300-v2.png\")
<\/p>\n<\/p>\n
Back in 2014, Google became the owner of several new “top-level domains.” Called a TLD for short, a top-level domain is the “dot-something” at the end of a domain name, for example .com or .net.<\/p>\n
Two of the new TLDs that Google registered were .zip<\/strong> and .mov<\/strong>. You probably recognize that .zip is also a file name extension; when you download software from the Internet, it often comes bundled in a .zip archive. You may also recognize .mov as a common file name extension for video files, typically in an Apple QuickTime compatible format.<\/p>\n It’s hard to imagine exactly what Google was thinking. Giving the company the benefit of the doubt, perhaps they had altruistic motivations; maybe in 2014 they registered these TLDs to prevent bad guys from buying them up and abusing them. But then, just this week, Google opened the floodgates<\/strong> and began allowing the general public to register their own domains using these TLDs.<\/p>\n Could this really be so bad? Is there any reason such domains might be potentially dangerous? Let’s explore why .zip and .mov domains may put you at risk of phishing or malware attacks.<\/p>\n In this article:<\/em><\/p>\n One major problem with these new TLDs is that, depending on which app or site you use to check your e-mail, or which forums, social networks, or messaging apps you use, simply typing a file name may change your plaintext words into a link that the recipient can click or tap on\u2014even if you didn’t intend for that to happen.<\/p>\n Take Twitter, for example. If you were to send someone a direct message and let them know you just sent them a file called Example Twitter DMs with .zip and .mov filenames automatically displaying as clickable links. What could possibly go wrong?<\/p><\/div>\n Of course, you have no idea who owns such domains, or what would happen if you tapped or clicked on such links. And presumably, your recipient’s natural inclination will be to tap on those links to attempt to view the desired content.<\/a><\/p>\n Security researcher Robert Graham observed<\/a> that, due to an erroneous interpretation of a Web standard, browsers often allow http:\/\/ and https:\/\/ links to include a So how does this relate to .zip and .mov domains? Researcher Bobby Rauch noted<\/a> that, by using lookalike characters, attackers can trick victims into visiting URLs ending in .zip that appear to be hosted on known-legitimate sites, like GitHub. In reality, the domain might actually be the “.zip” that appears to be part of the file name. A site hosted at that .zip domain could potentially be designed to automatically download a .zip file upon visiting the link, so the user would be none the wiser.<\/p>\n Thus, it would be possible to trick a user into thinking they got a legitimate download from GitHub, when they may have actually downloaded Trojan horse malware instead.<\/p>\n An example fake download URL that would lead to a .zip domain. Credit: Hussein Nasser<\/a>.<\/p><\/div>\n This isn’t the first time that the Having way too much fun with @faker_<\/a>'s iOS 11 QR code vulnerability. \ud83d\ude1c#Apple<\/a> #iOS<\/a> #iOS11<\/a> #QRcode<\/a> #vulnerability<\/a> pic.twitter.com\/sGDJq7bS0q<\/a><\/p>\n — Josh Long (the\u00a0JoshMeister) (@theJoshMeister) April 14, 2018<\/a><\/p><\/blockquote>\n\n
Apps and sites may turn .zip or .mov filenames into automatic links<\/h3>\n
invoices.zip<\/code>, Twitter automatically turns it into a link to http:\/\/invoices.zip<\/code> \u2014 without asking for confirmation or giving you the opportunity to remove the link. This is true regardless of whether the sender or recipient uses the Twitter app or a browser. Similarly, if you DM someone who’s at your home and tell them to open a movie file in your home theater library, say encanto.mov<\/code>, Twitter will turn that into a link to http:\/\/encanto.mov<\/code> as well.<\/p>\n![\"Twitter](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2023\/05\/twitter-dm-examples-zip-mov-domains.png\")
Is that long URL a link to a .zip file, or to a .zip domain?<\/h3>\n
username:password@domain.tld<\/code> format. As Graham points out, those who wrote the standard never intended for Web links to include usernames and passwords. And yet, most browsers have always supported this type of link.<\/p>\n![\"Example](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2023\/05\/fake-download-url-leading-to-zip-domain-by-hnasr.png\")
username:password@domain.tld<\/code> format in URLs has led to a potential security risk. Back in iOS 11, when scanning a QR code, the Camera app would misinterpret domains<\/a> in such a way that the app would show a false domain in the scan preview.<\/p>\n\n