Protecting Yourself from Potential Cyber Risks of New Google Top-Level Domains
In a recent announcement, Google unveiled eight new top-level domains (TLDs) aimed at adding creativity and expressiveness to web addresses. However, security experts have expressed concerns about two of these TLDs, namely .zip and .mov. These TLDs share their names with common file extensions, potentially enabling malicious actors to exploit them for cyberattacks. This blog post aims to raise awareness about the associated risks and provide valuable tips to protect yourself in this evolving digital landscape.
Understanding the Cyber Risks:
The primary concern with .zip and .mov is that a web address under one of these TLDs is indistinguishable, at a glance, from a file name. An attacker who registers a domain with a plausible archive or video name can send phishing emails or messages in which what looks like a reference to an invoice archive or a video clip is in fact a link to an attacker-controlled site. Many mail and chat clients also turn bare text ending in .zip or .mov into a clickable link automatically, so even a file name that was never written as a link can become one. Once the user follows it, the site can deliver malware or expose the computer to other cyber threats.
Protecting Yourself:
To safeguard your online presence and minimize the potential risks posed by these new Google TLDs, it’s crucial to follow these proactive security measures:
- Exercise Caution with Email Links: Be wary of links in emails from unfamiliar senders. Before clicking, hover over the link to reveal the full URL and look at the host name specifically: the text between "//" and the next "/", and after any "@" (everything before an "@" in that part of a URL is user information that the browser ignores when choosing which site to visit). If the host ends in .zip or .mov and you were expecting a file, or the URL is otherwise suspicious or unfamiliar, do not click. Trustworthy organizations rarely send unsolicited emails with unexpected attachments or suspicious links.
- Deploy Anti-Phishing Protection: Utilize a comprehensive security solution that incorporates anti-phishing measures. This type of software can help identify and block malicious websites, preventing you from falling victim to cyberattacks. Consult reliable sources and choose a reputable security solution that suits your needs.
- Maintain Software Updates: Frequently update your software, including your operating system, web browser, and other applications. Regular software updates often include critical security patches that protect against known vulnerabilities. Staying up to date significantly reduces the risk of falling victim to malware or other cyber threats.
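To make the "look at the host name" check concrete, here is an added Python example (not code from the original post) that uses the standard library URL parser to pull out the host a browser would actually connect to and flags .zip and .mov destinations. The URLs are constructed for illustration; the one with a long, path-looking prefix uses U+2215 DIVISION SLASH characters instead of real slashes followed by an "@", so the only real host in it is the short .zip name at the end. Bare text such as a file name is treated the way a client that auto-links it would treat it.

```python
"""Extract the real destination host of a link and flag .zip/.mov TLDs.

Added example, not code from the original post. The URLs in EXAMPLES are
constructed for illustration only.
"""
from typing import Optional
from urllib.parse import urlsplit

# TLDs the post warns about; they double as common file extensions.
RISKY_TLDS = {"zip", "mov"}


def real_host(link: str) -> Optional[str]:
    """Return the host a browser would connect to for `link`, or None.

    Bare text such as "report.zip" is treated the way a mail client that
    auto-links it would (http:// is assumed). In the authority section of a
    URL everything before the last '@' is user info, not the host, so a URL
    that looks like a long path can resolve to a short host after the '@'.
    """
    if "//" not in link:
        link = "http://" + link
    host = urlsplit(link).hostname  # urlsplit already lower-cases the host
    if not host:
        return None
    return host.rstrip(".")  # "example.zip." names the same host as "example.zip"


def tld_of(host: str) -> str:
    """Last DNS label of a host name, e.g. 'zip' for 'invoice.zip'."""
    return host.rsplit(".", 1)[-1]


def is_risky_link(link: str) -> bool:
    """True when the link's real host sits directly under .zip or .mov."""
    host = real_host(link)
    return host is not None and tld_of(host) in RISKY_TLDS


# Constructed examples: a bare file name, a normal download URL, a lookalike
# URL whose "slashes" are U+2215 and whose real host follows the '@', and a
# host that merely contains a 'zip' label under a different TLD.
EXAMPLES = [
    "report.zip",
    "https://example.com/downloads/report.zip",
    "https://example.com\u2215files\u2215archive\u2215@update.zip",
    "https://files.zip.example.net/",
]

if __name__ == "__main__":
    for link in EXAMPLES:
        verdict = "RISKY" if is_risky_link(link) else "ok   "
        print(f"{verdict} {link!r} -> host {real_host(link)!r}")
```

The check keys on the last DNS label rather than on the substring "zip" anywhere in the name, so a host such as files.zip.example.net (TLD .net) is not flagged while update.zip is.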
Detecting Suspicious DNS Queries:
If you feed DNS telemetry into a SIEM or log management tool, you can hunt for lookups of names under the .zip and .mov TLDs. Two details matter for all of the queries below: match on the final DNS label (the TLD) rather than on the substring zip or mov anywhere in the name, otherwise hosts such as cdn.zip.example.net or zipper.example.org add noise; and make the comparison case-insensitive, because DNS names are (Kusto's endswith already is; check how your other tools behave). Legitimate sites are registered under these TLDs too, so a hit is a hunting lead to pivot on (which process made the lookup, what the user clicked) rather than a confirmed incident. Example queries:
Kibana Query Language (a wildcard match on an Elastic keyword field is case-sensitive, so normalize the field on ingest or match both cases; if your events carry the ECS field dns.question.top_level_domain, querying it for the values zip or mov is more precise):
dns.question.name: (*.zip OR *.mov)
Splunk (scope the search with your DNS index and sourcetype first; Splunk compares field values case-insensitively):
dns.question.name="*.zip" OR dns.question.name="*.mov"
Azure Data Explorer (Kusto Query Language; assumes a table or function named Sysmon in which QueryName has already been parsed out of the Sysmon event data, which raw Sysmon events do not provide as a column by default):
Sysmon
| where EventID == 22 and (QueryName endswith ".zip" or QueryName endswith ".mov")
Sigma (the generic logsource product: windows, category: dns_query maps to Sysmon Event ID 22 in the standard backends, so the event ID is not repeated in the selection; the id must be a UUID, the one below is a placeholder to regenerate; the ATT&CK tags are Phishing: Spearphishing Link and Acquire Infrastructure: Domains):
title: DNS Query for .zip or .mov Top-Level Domain
id: 3f9a1c2e-7b4d-4e8a-9c6f-2d1b5a8e0f47   # placeholder, generate a fresh UUID per rule
status: experimental
description: Detects DNS queries (Sysmon Event ID 22) for names directly under the .zip or .mov top-level domains, which can be used to make phishing links look like file names.
references:
    - https://example.com/blog-post
tags:
    - attack.initial_access
    - attack.t1566.002
    - attack.resource_development
    - attack.t1583.001
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName|endswith:
            - '.zip'
            - '.mov'
    condition: selection
fields:
    - QueryName
    - Image
falsepositives:
    - Legitimate websites registered under the .zip or .mov TLDs
level: medium
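The same logic as the queries above, run over records shaped like Sysmon Event ID 22 events. This is an added Python example, not part of the original post or of the Sigma project; the events are constructed (process paths included) and are not real telemetry. Beside the TLD match it shows what a naive substring search would additionally flag, and a per-process count, which is the first pivot an analyst wants when triaging a hit.

```python
"""Apply the .zip/.mov DNS detection to Sysmon Event ID 22 style records.

Added example, not from the original post. SAMPLE_EVENTS are constructed to
mimic the fields of Sysmon DNS query events (EventID, QueryName, Image) and
are not real telemetry; the process paths are illustrative.
"""
from collections import Counter
from typing import Dict, Iterable, List

RISKY_TLDS = {"zip", "mov"}

FIREFOX = "C:\\Program Files\\Mozilla Firefox\\firefox.exe"
OUTLOOK = "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"

SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 22, "QueryName": "updates.example.com",
     "Image": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 22, "QueryName": "Invoice-2023.ZIP",      # upper case, as DNS allows
     "Image": FIREFOX},
    {"EventID": 22, "QueryName": "holiday-video.mov.",    # trailing dot: fully qualified
     "Image": OUTLOOK},
    {"EventID": 22, "QueryName": "cdn.zip.example.net",   # has a 'zip' label, TLD is .net
     "Image": FIREFOX},
    {"EventID": 22, "QueryName": "zipper.example.org",    # substring 'zip' only
     "Image": FIREFOX},
    {"EventID": 1, "QueryName": "payload.zip",            # not a DNS event at all
     "Image": "C:\\Windows\\System32\\cmd.exe"},
]


def query_tld(query_name: str) -> str:
    """Final DNS label, normalised: strip a trailing dot, lower-case."""
    return query_name.rstrip(".").rsplit(".", 1)[-1].lower()


def is_risky_query(event: Dict[str, object]) -> bool:
    """Sysmon EID 22 whose queried name sits directly under .zip or .mov."""
    if event.get("EventID") != 22:
        return False
    return query_tld(str(event.get("QueryName", ""))) in RISKY_TLDS


def flag_risky_queries(events: Iterable[Dict[str, object]]) -> List[str]:
    """Query names the detection fires on, in event order."""
    return [str(e["QueryName"]) for e in events if is_risky_query(e)]


def naive_substring_matches(events: Iterable[Dict[str, object]]) -> List[str]:
    """What a 'name contains zip or mov' search would flag instead.

    Shown only to make the extra noise of substring matching visible.
    """
    return [str(e["QueryName"]) for e in events
            if e.get("EventID") == 22
            and any(t in str(e["QueryName"]).lower() for t in RISKY_TLDS)]


def hits_by_process(events: Iterable[Dict[str, object]]) -> Counter:
    """Flagged lookups per originating process. A browser or mail client is
    the expected source; a shell or script host would deserve a closer look."""
    return Counter(str(e["Image"]) for e in events if is_risky_query(e))


if __name__ == "__main__":
    print("TLD match:      ", flag_risky_queries(SAMPLE_EVENTS))
    print("substring match:", naive_substring_matches(SAMPLE_EVENTS))
    for image, count in hits_by_process(SAMPLE_EVENTS).items():
        print(f"{count} hit(s) from {image}")
```

Of the six constructed events, the TLD match fires on two (the upper-case .ZIP name and the fully qualified .mov name), while the substring variant also flags the .net and .org hosts.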
As we embrace the introduction of new top-level domains by Google, it is essential to remain vigilant and educated about potential cyber risks. The .zip and .mov TLDs, which share their names with common file extensions, could be exploited by malicious actors to deceive unsuspecting users. By following the recommended precautions outlined in this blog post, you can enhance your online security posture and safeguard against these emerging threats. Stay informed, stay cautious, and stay protected in today’s ever-evolving digital landscape.