Watch Out for .zip and .mov Domains!

Last updated on May 19th, 2023 at 09:40 am

Brightly colored zippers — Photo ID: 7119352 © nito103/Depositphotos.com

Did you know anyone can now register a domain name that ends in .zip or .mov? That’s thanks to Google, who opened up registrations for these domain extensions earlier this month. This has riled up many in the security community, who warn that .zip and .mov domains can be used maliciously.

The potential for scams

The potential for malicious use comes from the fact that .zip and .mov are already common file extensions. A ZIP file is an archive used to compress files so they can be more easily transferred, while a MOV file is a video file.

Perhaps the most obvious way to exploit the dual nature of .zip and .mov is by making use of the fact that many email and messaging clients automatically turn URLs into clickable links.

Here’s a video I made to illustrate the potential for scams.

This means that if you send a zipped file of photos to your friends on WhatsApp and say, “I’ve saved the photos from our latest adventure in campingphotos.zip,” WhatsApp will automatically convert the “campingphotos.zip” into a clickable link because it is now a valid URL.

A screenshot from WhatsApp showing the following message:
zip campingphotos.zip 195mb.zip
I've saved the photos from our latest adventure in campingphotos.zip — I sent this message to myself in WhatsApp. It automatically turned the file name into a clickable link. Screenshot by Safe Not Scammed.

It will not, however, link to your zip file, but to the domain campingphotos.zip, which could be registered by anyone!

In this case, I registered the domain and set up a site on GitHub Pages to warn any unsuspecting visitors about potential scams.

Screenshot of the site I made at campingphotos.zip. It says "Watch Out for .zip Domains!" and displays a spooky AI generated photo of a skull and crossbones decorated with red and gray zippers. — A screenshot of the site I made at campingphotos.zip to warn people about how these new domains can trick people. Screenshot by Safe Not Scammed.

If the domain had been registered by a bad actor, however, clicking the link could automatically download malware to your friends’ devices. Or it could present a phishing page and tell them they need to sign into their Google account before downloading the file.

The great thing about such a scam, from a bad guy’s perspective, is that it is incredibly low effort. All a cybercriminal needs to do is register .zip or .mov domains corresponding to common filenames and set up some malicious sites. That’s it!

Scammers don’t even need to send out emails or texts trying to trick people into visiting their sites. That’s because we take care of that for them whenever we include a .zip or .mov file name in our messages. Worse, as these are genuine messages coming from us, not the scammers, the links will seem genuine, too.

How to protect yourself and others

You can protect yourself from these scams by not clicking on any clickable .zip or .mov file names in messages or emails you receive. Any such links will not take you to the .zip file you want to download, but to a completely unknown, suspicious website. Instead, click the attachment directly. However, only download attachments you know are safe!

You can help protect other people by not mentioning the .zip or .mov file name explicitly in your messages if you don’t have to. If you need to include the file names, try putting square brackets around the dot, e.g. writing campingphotos[.]zip instead of campingphotos.zip. This will stop your messaging software from making the file name into a link.