On May 3rd, Google Registry launched eight new top-level domains (TLDs) “for dads, grads and techies”, including a .zip TLD. While these new TLDs come with benefits such as automatic inclusion on the HSTS preload list, the launch of new TLDs has always presented cyber criminals with the opportunity to register domains in bad faith.
Parts of the security community, such as the SANS ISC, have already identified the potential for fraud via the potential conflation of a universally known file extension (.zip) with a TLD. TLDs overlapping with file extensions is not a new problem: .com is also an executable format, .pl represents both Poland and Perl scripts, and .sh represents Saint Helena and Unix shell scripts.
Earlier this week, we investigated existing registrations using the .zip TLD and confirmed that there is already evidence of fraudulent activity.