On July 26, 2013, a Google employee—now a senior director—submitted the .zip domain to ICANN. Nearly a decade later, and without much fanfare, Google released .zip for registration. This confounding decision sparked a wildfire of phishing domain registrations, immediately targeting essential documentation around human resources, taxes, healthcare, and un/employment. The timing of this release is noteworthy: it overlapped with widespread layoffs, including at Google, a time when many people were hastily exchanging sensitive documents via email, heightening their vulnerability to deceptive domain names.
What is the purpose of this domain, and why did it happen? Now that the dust has settled, let's review the timeline, the industry response, and why we are far from in the clear.
What's the purpose of .zip?
The .zip gTLD was always intended to serve files, demonstrated in these excerpts from the original ICANN submission:
- The .zip gTLD will provide a new mechanism whereby businesses, organizations and individuals can differentiate their content by signifying that their offerings are related to digital storage. This signification is not currently available in the gTLD space.
- The proposed gTLD aspires to become an authoritative online resource for digital storage offerings.
- The mimetype "text/dns" will be set on the HTTP response and the content encoding will be gzip.
In my research I did not find applications for any other common filetypes in ICANN's archives: PNG, JPEG, TXT, PDF, etc.
But this was 2013. Google Drive was 1 year old. Your laptop still had a DVD drive. And selfie was Oxford Dictionaries' word of the year—I truly wonder what the impact selfies had on digital storage.
Today, high bandwidth, content delivery networks and cheap cloud storage have left .zip a narrow use case for most consumer-to-business interactions. Compression formats have come and gone—WinRAR and .ace immediately come to mind—but .zip and .tar.gz live on in the enterprise and in IT.
Phishing domains under .zip tend to center around invoices, wages, benefits and terminations because those remain the files people expect to find in their business inbox, from an employer or a government entity.
To explain why this happened, we need to expand our scope from .zip and .mov to all eight TLDs that were released together. .zip was launched alongside seven other TLDs. Most of them are reasonable additions for vanity-themed domains, with the exception of .mov. While less dangerous than the more nefarious .zip, .mov had its own gold rush of phishing domains, largely centering on adult themes and celebrities.
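The defender's problem in the two paragraphs above is that a bare token such as invoice.zip in an email body is now both a plausible filename and a syntactically valid hostname under a live TLD. The following Python is an added example, not code from the original post, that scans message text for exactly those tokens while ignoring ordinary path or URL references (which are not bare hostnames). The TLD set, the regular expression and the sample email are all assumptions constructed for the example.

```python
import re

# TLDs from the 2023 release that collide with common file extensions.
# The post discusses .zip and .mov; the set is easy to extend (assumption).
FILE_EXTENSION_TLDS = {"zip", "mov"}

# A bare token such as "invoice.zip" or "w2-2023.zip": one or more labels,
# then one of the colliding TLDs. Domain labels may contain letters, digits
# and hyphens, and so may filenames, which is exactly why a reader cannot
# tell the two apart. Tokens preceded by a path separator or embedded in a
# larger name (e.g. "files/invoice.zip", "backup.zip.old") are skipped.
_COLLIDING_TOKEN = re.compile(
    r"(?<![\w./\\-])"                          # not part of a path or longer name
    r"(?P<host>(?:[a-z0-9-]+\.)+(?P<tld>"
    + "|".join(sorted(FILE_EXTENSION_TLDS))
    + r"))"
    r"(?!\.?[\w-])",                           # not followed by more name/extension
    re.IGNORECASE,
)


def find_collisions(text):
    """Return (token, tld) pairs for every filename-looking token in *text*
    that is also a valid hostname under a colliding TLD."""
    return [(m.group("host"), m.group("tld").lower())
            for m in _COLLIDING_TOKEN.finditer(text)]


# Constructed sample email body (not a real message).
SAMPLE_EMAIL = """\
Hi team,

Please review the attached Q2 statement (statement-q2.zip) before Friday.
Payroll has moved the W-2 archive to https://hr.example.test/files/w2-2023.zip
and the onboarding video to orientation.mov.
The old archive backup.zip.old can be ignored.
"""


def triage(text):
    """Produce one human-readable finding per colliding token, suitable for a
    mail-gateway banner or a SOC note. Returns the list of finding strings."""
    findings = []
    for token, tld in find_collisions(text):
        findings.append(
            f"'{token}' reads as a file but resolves as a .{tld} hostname; "
            f"verify it is an attachment, not a link"
        )
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EMAIL):
        print(line)
```

Only the two bare tokens are reported; the full URL under hr.example.test and the name backup.zip.old are left alone, which keeps the check quiet on the ordinary file references the post says people still expect in a business inbox.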
The following table is a timeline of the TLD approval and release dates:
| TLD | Application | Approval | Release | Days to Release | Documentation |
The average time from approval to general availability was 3,293 days. You would think these were in the Disney Vault.
ICANN's evaluation fee for a TLD application is $185,000, plus a $25,000 annual fee. Neither has changed since 2012, when the new gTLD program was introduced. With this we can determine Google's nearly decade-long sunk cost for the 8 TLDs—excluding infrastructure and labor.
| Domain | Application | Annual Total | Registration Total | Transaction Total | TOTAL |
Grand Total = $3,220,000
- Transaction costs are $0 because they do not incur a fee until the TLD exceeds 50,000 registrations.
Google's Sunk Cost to ICANN was $3.22M
When I started this research I did not expect the whole lot of eight to be a decade tardy. If we focus only on .zip and .mov, it's easy to believe this was a belligerent money grab—and I have seen LinkedIn professionals and security firm blogs use this exact wording. Their frustration is understandable, because the costs were pushed downstream to enterprises, governments, banks and paid services to remediate and combat a threat we never needed.
But based on the timelines and groupings presented, I don't believe there was harm intended. Negligence, absolutely! Silos, definitely. As an automation engineer, one aspect of your role is to work with business and process improvement analysts to identify and recoup costs. This may come in the form of data analytics, data science, process improvement or automation. This isn't the thrilling Agatha Christie-style insider threat we all wanted to read; it's routine and corporate.
In this case we see a group of 7 TLDs submitted and approved in 2014, then one more in 2016. Setting sunk costs aside, they carry a yearly fee to ICANN of $200,000 for domains no one can even register. At some point, an audit or review of the domain program uncovered these zombie expenses.
44 days after .zip was released, Google announced the sale of Domains to Squarespace
On June 15, 2023, Google announced that it would sell its Domains program entirely to Squarespace. Before acquisitions occur, due diligence and audits are performed. It's likely this was uncovered during, or right before, that work.
Where do we go from here?
The cybersecurity industry had a fun month of WTFs, POCs, LinkedIn posts and memes. By week 4, most mid-size to large organizations had blocked traffic to all .zip and .mov domains on their firewalls and SASE platforms. Then everyone moved on. But what about when employees go home? Even the tech-savvy who use Ubiquiti will find there is no feature to block TLDs. These features are usually only available on business-class hardware such as Palo Alto, Cisco and Fortinet.
With the exception of the Firewalla, there are very few easy, consumer-ready products with this capability. Additionally, most consumers who use these products focus on out-of-the-box categories such as social media, gambling, gaming and adult content—not obscure domain endings. The .zip and .mov domains will be a persistent, but hopefully unlikely, threat to most businesses that have implemented a remediation. This leaves the risk mostly with SMBs and home users.
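For a home or SMB network that lacks a firewall with TLD blocking, a local resolver is the practical place to apply the same control: both BIND and unbound can load a Response Policy Zone (RPZ), where `name CNAME .` returns NXDOMAIN and `name CNAME rpz-passthru.` exempts a name. The Python below is an added example, not code from the original post, that renders such a zone for a list of TLDs and mirrors the resolver's most-specific-rule-wins decision so the policy can be checked before deployment. The zone name rpz.home.arpa, the serial, and the exception entry are constructed assumptions.

```python
# Build and dry-run an RPZ policy that blocks whole TLDs (e.g. .zip, .mov)
# while allowing named exceptions. Assumed values are marked as such.

NXDOMAIN_ACTION = "."            # RPZ: "CNAME ." => answer NXDOMAIN
PASSTHRU_ACTION = "rpz-passthru."  # RPZ: "CNAME rpz-passthru." => exempt


def build_rules(tlds, allow=()):
    """Map RPZ trigger names to actions. Each blocked TLD gets a rule for the
    TLD itself and a wildcard for everything beneath it; each allowed name gets
    an exact and a wildcard passthru so its subdomains are exempt too."""
    rules = {}
    for tld in tlds:
        t = tld.strip(".").lower()
        rules[t] = NXDOMAIN_ACTION
        rules["*." + t] = NXDOMAIN_ACTION
    for name in allow:
        n = name.strip(".").lower()
        rules[n] = PASSTHRU_ACTION
        rules["*." + n] = PASSTHRU_ACTION
    return rules


def rpz_decision(qname, rules):
    """Return 'NXDOMAIN' or 'PASS' for a query name under these rules.
    RPZ picks the most specific QNAME rule, so try the exact name first, then
    wildcards from the longest suffix down to the bare TLD."""
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    candidates = [name] + ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for candidate in candidates:
        if candidate in rules:
            return "PASS" if rules[candidate] == PASSTHRU_ACTION else "NXDOMAIN"
    return "PASS"


def render_rpz_zone(rules, zone_name="rpz.home.arpa", serial=2023071601):
    """Render the rules as an RPZ zone file body (zone name and serial are
    assumptions for the example; point BIND's response-policy or unbound's
    rpz: stanza at a file containing this text)."""
    lines = [
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.{zone_name}. {serial} 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for name in sorted(rules):
        lines.append(f"{name} CNAME {rules[name]}")
    return "\n".join(lines) + "\n"


# Constructed policy: block .zip and .mov, but exempt one internal name.
HOME_RULES = build_rules(["zip", "mov"], allow=["intranet.zip"])


if __name__ == "__main__":
    print(render_rpz_zone(HOME_RULES))
    for q in ["invoice.zip", "www.clip.mov.", "zip.example.com", "intranet.zip"]:
        print(f"{q:20} -> {rpz_decision(q, HOME_RULES)}")
```

The dry-run matters because a naive "ends with .zip" string check would also catch names such as zip.example.com once a dot is missed; matching on whole labels from the right, as the resolver does, avoids that over-blocking.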
We can do better!
Improve monitoring of registered TLDs
.zip came as a shock, but the approval had been public for 10 years! We are now familiar with common DNSTwist patterns. With current technology and infrastructure, a TLD such as .co should probably not be allowed if it were submitted today.
Expiration of Registered but Unused TLDs
When a registrar has not implemented a TLD's availability (public or private) for a certain time, should ICANN revoke it? In this case, technology, phishing and the security landscape changed drastically over those 10 years. A .zip domain made available in 2014 would have grown with the industry instead of being excavated and dropped into 2023.
Thank you for reading!