In May, Google announced the introduction of new top-level domains such as .zip and .mov. These domains are poised to be misused by cybercriminals to craft convincing phishing links, a concern highlighted by Yaroslav Kargalev, head of the Center for Security Operations at F.A.C.C.T., the former Russian division of Group-IB, in an interview with socialbites.ca.
The core threat lies in the overlapping meanings of file extensions with these new domains. For instance, .zip is widely recognized as a data archiving format, while .mov is commonly associated with video files. Because of this overlap, scammers can disguise malicious links as legitimate file attachments by using domains that look familiar at first glance. Kargalev notes that such domains can be embedded in emails as seemingly ordinary attachments, increasing the likelihood that recipients will click through without suspicion.
Cybercriminals are expected to exploit .zip domains to deliver malware, with a scenario that starts with a message claiming there is an important file. A victim opens a link that appears trustworthy and proceeds to download the malware. Similar patterns could unfold with .mov domains, where a user is prompted to watch a video and unwittingly encounters malicious content.
Despite these concerns, Kargalev believes that .zip and .mov phishing will not become widespread across the board. The reason is price: these domains are relatively expensive compared to cheaper options such as free zones like .tk, which have historically powered large-scale phishing campaigns. The more targeted approach suggested by the expert involves using these domains to reach specific employees within companies, aiming to glean personal data or access corporate information systems. Such targeted attacks would be rarer but potentially more damaging due to the higher value of the information involved.
There is empirical evidence supporting these fears. Kargalev points to at least one documented incident where attackers registered a .zip domain to host a phishing site that copied Microsoft Internet resources, thereby increasing the perceived legitimacy of the page. This example underscores how attackers can leverage familiar brand elements and legitimate software references to lower user suspicion and facilitate credential theft or data exfiltration.
The discussion about these risks also intersects with broader concerns about personal data security. The use of new top‑level domains for phishing is part of a larger pattern in which attackers continuously adapt to evolving digital ecosystems. As security teams monitor these developments, they emphasize user education, robust domain verification, and proactive monitoring for domains that resemble legitimate brands or file types. The goal is not only to block obvious threats but to anticipate subtler impersonation attempts that hinge on the visual cues users expect from trusted communications.
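The "monitoring for domains that resemble file types" described above can be reduced to a simple scan of message text. The following is an added example, not code from the article or from F.A.C.C.T.: it pulls out both explicit URLs and bare tokens such as `invoice.zip` (which many mail clients auto-link), and flags any whose effective hostname ends in a TLD that is also a common file extension. The sample email body is constructed for illustration.

```python
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# TLDs that coincide with common file extensions (the article's .zip and .mov).
FILE_LIKE_TLDS = {"zip", "mov"}

# Two alternatives: a full http(s) URL, or a bare "name.zip" / "name.mov" token
# written in a message body that a mail client would turn into a link.
TOKEN_RE = re.compile(
    r"https?://[^\s<>]+"
    r"|\b[a-z0-9][a-z0-9-]*(?:\.[a-z0-9-]+)*\.(?:zip|mov)\b",
    re.IGNORECASE,
)


def hostname_of(token: str) -> Tuple[str, str]:
    """Return (hostname, kind) where kind is 'url' or 'bare'."""
    if token.lower().startswith(("http://", "https://")):
        host = (urlsplit(token).hostname or "").lower().rstrip(".")
        return host, "url"
    return token.lower().rstrip("."), "bare"


def file_like_domains(text: str) -> List[Tuple[str, str]]:
    """Return (hostname, kind) for every link in text whose TLD doubles as a file extension.

    A bare token ('invoice.zip') is the case the article warns about: it reads
    as an attachment name but resolves as a registrable domain once linked.
    """
    found: List[Tuple[str, str]] = []
    for match in TOKEN_RE.finditer(text):
        host, kind = hostname_of(match.group(0))
        if host.rsplit(".", 1)[-1] in FILE_LIKE_TLDS and (host, kind) not in found:
            found.append((host, kind))
    return found


# Constructed sample message body, not a real phishing email.
SAMPLE_EMAIL = (
    "Hi, please review invoice-2023.zip before the call. "
    "The recording is at https://teamupdate.mov/play and the deck "
    "is at https://files.example.com/deck.pdf"
)

if __name__ == "__main__":
    for host, kind in file_like_domains(SAMPLE_EMAIL):
        print(f"flagged {kind}: {host}")
```

Everything flagged here deserves a closer look at the gateway or in the SOC rather than an automatic block, since legitimate .zip and .mov sites also exist.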
These observations build on prior reporting about the dangers of exchanging sensitive information through popular messaging platforms. The broader takeaway remains clear: attackers are increasingly sophisticated in their use of domain names and file‑type associations to trick individuals into revealing credentials or unintentionally installing malware. Organizations and individuals alike should prioritize cautious clicking habits, verify sender identities, and employ security tools that flag suspicious attachments or links before they are opened. In the digital landscape, a careful and informed approach to new domain extensions can reduce the effectiveness of these phishing schemes and help protect personal and corporate data.
Note: The discussion about these risks reflects ongoing research and reporting on cyber threats and is part of a broader conversation about safeguarding personal information and enterprise assets in today’s connected environments.