A new set of top-level domains from Google is putting internet users at significant risk of scams and phishing attacks, experts warn.
Top-level domains, or TLDs for short, are the rightmost portion of a domain name commonly used to denote the purpose or geographic region of a given domain, for example, .com or .au.
Earlier this month, Google introduced eight new TLDs. Among them were relatively innocuous extensions such as .dad, .phd and .nexus, but two of the TLDs (.zip and .mov) are raising serious alarms in security circles.
Most would recognise .zip from the end of zip archive files, or .mov from video files such as Apple's QuickTime format.
While TLDs are typically designed to be intuitive and distinguishable from non-website text, Google's .zip and .mov are identical to the extensions of these popular file types, and experts are pointing out a likely appeal for scammers looking to misdirect users to malicious websites.
Many websites and apps automatically convert URL-like text such as ia.acs.org.au or example.com into clickable links which direct to a website, so what now happens when someone shares a .zip or .mov file?
Scammers already scamming
Given these are now valid domain extensions in addition to common file names, experts fear emails, browsers and social media will automatically convert .zip and .mov text into clickable links – enabling scammers to exploit users via misleading URLs.
Theoretically, a scammer could impersonate a loved one sharing family photos such as easter-2023.zip or wedding-video.mov, redirecting to dodgy websites of the same name.
"This certainly seems irresponsible," said .au policy expert and product manager at domain management platform Above.com, Anthony Peake.
"It is well documented already how easy it is to confuse people with new extensions and these two are certainly going to increase that risk more than any before," he added.
In fact, researchers at cyber security firm Silent Push Labs have already discovered potential Microsoft phishing pages abusing Google's new .zip TLD: microsoft-office[.]zip and microsoft-office365[.]zip.
"We're closely monitoring all activity from suspicious registrations using the new TLDs," tweeted Silent Push Labs.
"We see highly exploitable domains hosting awareness pages for .zip/.mov TLDs abuse."
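The auto-linking behaviour described above can be constrained in the renderer itself. The following is an added example, not code from the article or from any product it mentions: a JavaScript linkifier policy that leaves bare name.zip and name.mov tokens as plain text and flags them when the sender wrote an explicit scheme. The function names, the `data-warn` attribute and the sample message are assumptions made for the illustration.

```javascript
// TLDs that are also common file extensions. Only the two named in the
// article are listed; extend the set to match your own policy.
const FILE_EXT_TLDS = new Set(["zip", "mov"]);

// Host-shaped token with optional scheme and path. The lookbehind skips
// e-mail addresses and matches that would start in the middle of a word.
const TOKEN_RE =
  /(?<![\w.@-])(?:(https?):\/\/)?((?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,})(\/[^\s<>"']*)?/gi;

const escapeHtml = (s) =>
  s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);

// Decide what the renderer may do with one matched token.
function classifyToken(scheme, host) {
  const tld = host.slice(host.lastIndexOf(".") + 1).toLowerCase();
  // Assumption: every other host-shaped token is linkable (no real TLD list here).
  if (!FILE_EXT_TLDS.has(tld)) return "link";
  // A bare "name.zip" is far more likely a filename than a URL: keep it as
  // text. With an explicit scheme the sender meant a URL: link it, flagged.
  return scheme ? "link-flagged" : "plain-text";
}

// Render message text to HTML and report the decision taken for each token.
function linkify(text) {
  const decisions = [];
  let html = "";
  let last = 0;
  for (const m of text.matchAll(TOKEN_RE)) {
    const [raw, scheme, host, path = ""] = m;
    const decision = classifyToken(scheme, host);
    decisions.push({ token: raw, decision });
    html += escapeHtml(text.slice(last, m.index));
    if (decision === "plain-text") {
      html += escapeHtml(raw);
    } else {
      const href = `${(scheme || "https").toLowerCase()}://${host.toLowerCase()}${path}`;
      const flag = decision === "link-flagged" ? ' data-warn="file-extension-tld"' : "";
      html += `<a href="${escapeHtml(href)}"${flag} rel="noopener noreferrer">${escapeHtml(raw)}</a>`;
    }
    last = m.index + raw.length;
  }
  return { html: html + escapeHtml(text.slice(last)), decisions };
}

// Constructed sample message (the two filenames are the article's hypothetical ones).
const sample =
  "Photos are in easter-2023.zip and wedding-video.mov, notes at example.com, " +
  "mirror at https://files.example.zip/a";
console.log(linkify(sample));
```

A URL whose path merely ends in .zip, such as a download link on a .com host, is still linked normally because only the host's TLD is checked.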
Is there enough oversight?
The tech giant staunchly defended its new TLDs, directly addressing the concerns in a statement from a Google spokesperson.
"The risk of confusion between domain names and file names is not a new one," they said.
The statement suggests abuse will be reined in by browser tools such as Google Safe Browsing, which warns users away from malicious websites and file downloads.
"For example, 3M’s Command products use the domain name command.com, which is also an important program on MS DOS and early versions of Windows. Applications have mitigations for this (such as Google Safe Browsing), and these mitigations will hold true for TLDs such as .zip."
Cyber security expert and creator of the Have I Been Pwned website, Troy Hunt, further suggested concerns over the new TLDs are overblown.
"This is interesting reading regarding the .zip TLD. However, it's of near zero consequence to phishing attacks," said Hunt.
"Short of a programmatic string comparison with a known good URL, you almost certainly have no idea when you're looking at a deliberately deceptive address. You don't and I don't so most people *definitely* don't!"
While new TLD initiatives are not a novel concept, others still fear .zip and .mov create unnecessary risk and that Google's proposed safety mitigations are lacklustre compared to other domain offerings.
"Within the .au direct namespace we have relatively low incidences of scams due to the third-party oversight by auDA," said Peake.
"Of the 4,500 scam sites I have encountered this year alone, every single one was sending data to free @gmail.com accounts.
"Google is notoriously lax with their oversight unless serious abuse is occurring or there is a significant amount of money being stolen."
Meanwhile, phishing methods using Google's new domains are already being discussed on popular hacking forums.
"The next logical step in this absurdity would be they create .html, .htm, .php and .asp extensions?" said Peake.
"You really need an independent party not motivated by profit to oversee the registration patterns and reduce fraud and abuse.
"Google being both the cat and the mouse will not work," he added.