Google released a .zip web domain and people can't decide if it's the phishing apocalypse or just as bad as any other dodgy link

Google Chrome browser bar with pcgamer.zip address typed in it
(Image credit: Google)

Google is offering a new .zip web domain for users who want people to know they're "fast, efficient, and ready to move." It sounds mostly okay on paper, but due to the similarities between this domain and a popular zipped file format, there are concerns that this could become one of the easiest ways to dupe web-goers into downloading dodgy files.

You can see why there have been concerns about the new .zip top level domain (TLD). Say you're looking to download the CPU-Z software, you'd expect to land on the CPUID website at the URL: www.cpuid.com/downloads/cpu-z/cpu-z.2.05-en.zip.

What Google's new .zip TLD will allow for are links that look very similar but are incredibly dangerous dupes. For example, and this link goes nowhere but there's still no need to try it:  www.cpuid.com/downloads/cpu-z∕@cpu-z.2.05-en.zip.

Most web-savvy users would probably notice the rogue @ in there and think twice before clicking on that URL, but you might not notice the Unicode character U+2215, which tries to masquerade as a forward slash. Cheeky.

As security researcher bobbyr points out in their Medium blog post, most modern browsers will disregard the information before the @ and only listen to the hostname following it. That means if you were to put in https://google.com@bing.com, most browsers would direct you to bing.com. If you were to add forward slashes into the URL before the @, you'd actually see the reverse happen: https://google.com/search@bing.com will take you to Google.

That's where unicode characters U+2215 and U+2044 come in. These look a lot like forward slashes, but they're not. And they're supported in hostnames. That means you could create a fake URL that appears pretty genuine and which could send a user to a dodgy .zip url pretending to be a legitimate download. That domain could then host an actual .zip file with just about anything in it, including malware.

It's kinda convoluted , but you can see the potential issue here, especially if someone's not particularly internet savvy or in a rush.

Not everyone agrees that this represents a new breed of phishing attack, however. Another Microsoft employee, and the creator of HaveIBeenPwned, Troy Hunt, suggests there's nothing new here to worry about. 

Hunt goes back to the argument that, ultimately, humans are "bad at URLs and TLDs don't matter." They suggest that most people have no idea when they're presented with a deliberately deceptive address, whether the file looks like a .zip file or not. 

"Most people have no idea when a feasible *looking* URL is completely wrong," Hunt says.

Your next machine

(Image credit: Future)

Best gaming PC: The top pre-built machines from the pros
Best gaming laptop: Perfect notebooks for mobile gaming

But the key thing is that this isn't really so much an issue for security researchers. They'll almost certainly catch it. The issue are the less tech savvy internet users out there—.zip has become so synonymous with a file format, it does feel unnecessarily confusing to make it into a web domain, too.

The guidance to help users avoid .zip phishing attacks laid out in the Medium blog post is absolutely valid. You should keep an eye out for false characters in URLs, domains with @ symbols followed by .zip files, and to be careful when downloading files sent by unknown recipients. 

In fact, that last one is really the best advice out there for avoiding getting phished. Scams pretending to be from known companies, services, or even people you know are some of the most dangerous. 

You don't need me to tell you this, but always be wary of what links you're clicking on.

Google's response

Google has responded to concerns regarding the .zip domain with the following statement.

"The risk of confusion between domain names and file names is not a new one.  For example, 3M’s Command products use the domain name command.com, which is also an important program on MS DOS and early versions of Windows. Applications have mitigations for this (such as Google Safe Browsing), and these mitigations will hold true for TLD’s such as .zip. At the same time, new namespaces provide expanded opportunities for naming such as community.zip and url.zip. Google takes phishing and malware seriously and Google Registry has existing mechanisms to suspend or remove malicious domains across all of our TLDs, including .zip. We will continue to monitor the usage of .zip and other TLDs and if new threats emerge we will take appropriate action to protect users."

Make what you want of that. It's my opinion that .zip domains will end up being like any other, and just as dangerous as any other in the wrong hands, but I'm still not convinced there was any genuinely good reason to make a .zip domain in the first place.

TOPICS
Jacob Ridley
Managing Editor, Hardware

Jacob earned his first byline writing for his own tech blog. From there, he graduated to professionally breaking things as hardware writer at PCGamesN, and would go on to run the team as hardware editor. He joined PC Gamer's top staff as senior hardware editor before becoming managing editor of the hardware team, and you'll now find him reporting on the latest developments in the technology and gaming industries and testing the newest PC components.