🚧 Blocked for Your Safety
cloudlogs.zip has been proactively blocked for your protection.
To prevent phishing and fraud, this domain is blocked for everyone worldwide by Epi, the trust and cybersecurity organisation. Epi offers anti-phishing and browsing safety tools that go beyond this global block.
With Epi, you won't see any dangerous .zip
domains. Check links are safe with Epi Confirm
On the web, "cloudlogs.zip"
is now a domain at "https://cloudlogs.zip"
. It is not a ZIP file, not a compressed archive.
Read on to learn why we blocked this domain.
The .zip
domain extension is associated with the ZIP file, and domain registrants are already exploiting this by registering .zip
domains that look like ZIP files.
.zip
and .mov
TLDs. They argue the purpose of .zip
is speed:"The web moves at high speed, so show you do too with a .zip domain. When you're offering services where speed is of the essence, a .zip URL lets your audience know that you're fast, efficient, and ready to move."On the Google Registry site, they state that the TLD will be a secure space. The trouble with this argument is that "secure" is taken to confer absolute security; that it's completely secure.
".Zip is a secure domain for tying things together or moving really fast. Hosting content on a .zip domain means speed."What they mean is that it's an HTTPS-only space, meaning domains have to serve their sites on HTTPS, so connections with their users are secure. But HTTPS does not protect the user in whether they should be communicating with this site in the first place. HTTPS does not stop fraudulent sites.
The domain was released simultaneously with
.mov
, another TLD that looks like a popular movie file extension. On .mov
, they state:"Showcase your magnum opus on a .mov domain. Whether you're a filmmaker, editor, or video blogger, your .mov URL is the perfect home to share your reel, show some shorts, or just talk about the latest on screens of any size."Why release
.zip
at the same time as .mov
, with both looking like files?The new marketing for
.zip
— that it's about speed — conflicts with their original intention. In Google's original application for .zip
to ICANN, they stated that the domain would be useful for digital storage:"The proposed gTLD will provide the marketplace with direct association to the term, ʺzip,ʺ which is often colloquially used to refer to a zip drive, a device used for digital storage. The mission of the proposed gTLD, .zip, is to provide a dedicated domain space in which registrants can enact second-level domains that relate to digital storage offerings and information or provide storage or other services. This mission will enhance consumer choice by providing new availability in the second-level domain space, creating new layers of organization on the Internet, and signaling the kind of content available in the domain. Charleston Road Registry believes that registrants will find value in associating with this gTLD, in particular those companies that offer cloud storage services, including major high tech and telecommunications players."
"The proposed gTLD aspires to become an authoritative online resource for digital storage offerings."In the original application, there is no recognition of the inherent dangers of this TLD.
"Charleston Road Registry believes that given its wide variety of uses, the .zip gTLD will best add value to the gTLD space by remaining totally open and unencumbered by registrant restrictions. There will, therefore, be no restrictions on second-level domain name registrations in the proposed gTLD, .zip."
"Charleston Road Registry is committed to implementing strong and integrated intellectual property rights protection mechanisms. Doing so is critical to Google’s goals of model Internet citizenship and fostering Internet development, especially in emerging regions. Accordingly, Charleston Road Registry intends to offer a suite of rights protection measures, which builds upon ICANNʹs required policies while fulfilling our commitment to encouraging innovation, competition and choice on the Internet."Even Google's current logo for the
.zip
domain looks like a ZIP file.The marketing language was likely changed to focus on speed and zippyness after the realisation of phishing threats. But the public will still know them as ZIP files.Most people will expect a ZIP file when they see "example.zip"
in an email or browser address bar. They'll think it's an archive, and if a page appears asking them to log in, many will enter their credentials on a page that is actually a phishing site.
Existing browser protections are not enough.
It does not matter if the address bar shows "https://"
as many people won't realise this indicates a website. Instead it will potentially confer more perceived security — "https"
and the padlock are associated with security, but in fact they confer encryption to a particular site, and do not indicate trust of the intended site.
Indeed, ZIP files are often hosted on the internet under a particular URL on HTTPS, so to many it will not look odd that it says "https://example.zip"
in the address bar.
It does not matter that the location is simply the name of the supposed ZIP file, rather than a long URL. Users will think the browser is shortening the location to make it easier for them to read, especially on mobile devices.
A considerable amount of social media attention on .zip
is dedicated to accidental hyperlinking. This means a legitimate person sending an email or writing a message includes the name of the attachment "example.zip"
and the email client or message app would automatically turn that into a web link, taking the recipient to a phishing page that a malign actor has already set up.
It depends on name collisions, which are likely with common names, but the chance of collisions is probabilistic, not guaranteed. There is considerable danger, but it is not as concerning as campaigns initiated by malicious actors — where they control the domain and messaging end-to-end.
With malicious email construction, a link to "example.zip"
could be made to look identical to an attachment embedded in the message, with a ZIP icon and styling. Even if the .zip
link just looks like a regular web link, users would be easily convinced by the name recognition of a ZIP file and extension, and would think their email client or message is behaving differently on that day. Emails can be carefully crafted and designed to be convincing.
But threats go beyond email. In plaintext and rich-text environments like SMS and message apps, there is still real danger, just with an underlined link to a supposed ZIP file. And if a user ends up on a .zip
domain, however they get there, they are expecting a file and there is the risk of phishing.
.sh
TLD can be confused with shell scripts. The Poland .pl
TLD can be confused with Perl scripts. The .com
TLD can be confused with Windows command-line scripts, though this is a tenuous link nowadays with .com
being the dominant domain extension.Google defends
.zip
confusion by drawing comparisons with the ancient .com
association of Windows command-line scripts:"The risk of confusion between domain names and file names is not a new one. For example, 3M's Command products use the domain name command.com, which is also an important program on MS-DOS and early versions of Windows."The claim — that
command.com
exists and causes confusion with the COMMAND.COM
program on MS-DOS and Windows — is not credible. For most people, command.com
is a website and does not mean the Windows program, whether they are software developers or not. You don't interact with a command-line program through the web browser, but ZIP files can be downloaded and opened in browsers. Indeed for the majority of users, who are non-technical, .sh
, .pl
and .com
are domain extensions, not file extensions.The justification is that domains are confusing and that's the way it is, and that we've dealt with confusion before. The issue of aligning
.zip
with this argument is that the aforementioned extensions were associated with software development, but .zip
is universally popular and instantly recognised. It is the standard way of packaging up files into a single archive that you can send and share with others.And if the counter argument is that it will take time to adjust, the ZIP recognition will not go away easily. In fact, we judge its association with archives is solidified in rock. With phishing the dominant cyber attack, adding a new phishing-perfect TLD creates a toxic cocktail.
We have blocked the domain "cloudlogs.zip"
at the global DNS level. It is blocked to prevent malicious usage and accidental linking. We can only do so much at the global DNS level. We can't register all possible malicious domains globally. But you can use Epi and know you're on a safe and trusted site. We track trusted sites, a challenging task, but one we believe to be more defensive than just tracking malicious domains.
Consider possible .zip
domains: "internal-marketing-slides·zip"
, "fy2022-2023-audit·zip"
, "cloud-budget-forecast-2023·zip"
"[current date and time]·zip"
(with limitless precision possibilities), "[version x]·zip"
and combinations of such. Don't visit these ZIP sites!
People name their ZIP files as they want on an ad hoc basis. How can you control how people name their files? It's an impossible and pointless request. But with unlimited naming choices for users comes unlimited targeting opportunities for malign actors.
On a minor point, the .zip
TLD, being closely associated with ZIP files, will enable domain owners to feel comfortable using hyphens more liberally, because people typically replace spaces in filenames with hyphens. With traditional TLDs like .com
, domain owners have tended to eschew hyphens and make their brands run as if they are one label without spaces. The .zip
TLD enables more malicious opportunities for longer and more convincing filename-like domains.
There are innumerable phishing opportunities with .zip
. With standard TLDs like .com
, .net
, .org
and .co.uk
, organisations can register and defend their brands. Firms can't register all possible combinations of branded domains that could deceive users, but with .zip
, the threat space is astronomically larger — you've got to deal with all the possible names that people come up with for their ZIP files. You're facing the threat of a convincing .zip
domain that looks like what your colleague sent to you, personally named and targeted to what you're working on.
This isn't scaremongering. Phishing is the number one cybercrime and with the .zip
TLD, a vast new threat vector has opened up.
Existing anti-phishing services are predominately driven by blocklists and are reactive to malicious campaigns.
With increasingly targeted and sophisticated campaigns, is this strategy going to be sufficient? It shouldn't take a user to be the scapegoat, to first click on a phishing link, to cause detection and blocking. Too much responsibility has fallen to the individual to recognise and report phishing. How can organisations react quickly enough, before one of their users clicks on a link? How can they be more proactive?
Why can't organisations work within a safe internet to begin with?
The .zip
TLD opens a new front on phishing.
We currently have a proliferation of organisation-to-person phishing. But with .zip
, rather than all the effort of a bad actor in setting up a domain, website and campaign to masquerade an existing brand, they can assume the identity of your colleagues, friends and family. This enables person-to-person phishing. You're more likely to trust the people around you than organisations, so it's a compelling opportunity for malicious parties.
This block serves as a canary warning and aims to raise awareness of .zip
safety. If you do not see this block on another .zip
page, or a page asks you to log in and provide personal details, you should be extremely cautious.
With Epi, you won't see any dangerous .zip
domains. Epi indexes only sites known to be safe and trusted. Check links are safe with Epi Confirm
In all of this, when you encounter something, don't just consider the identity of the organisation or person in question.
Remember to consider, slowly, calmly, what they are asking you to do. Consider every message suspicious until proven otherwise.
If they're asking you to log in, what happens if you don't? Go to your account separately, if that's not asking you to log in, you know it's malicious.
If you get a message about account access suspended or that you need to change your password, always be sceptical and go to your account separately with your trusted method.
Anything urgent does not need to be responded to within seconds; it can be considered for at least a few minutes. You might delay something for an hour or a day, but if something is needed, you'll get a follow-up. And you can follow up yourself, with a separate trusted communication channel!
We call on browsers, internet providers and device platforms to change how .zip
domains are displayed and interacted with.
More broadly, we call on organisations and authorities to improve defences against phishing and make the net safe. Individuals can't make the net safe alone.
Learn more about our work at Epi
Read more about phishing with the internet safety movement Make the Net Safe