DO NOT CLICK THAT ZIP FILE! Phishers Weaponizing .ZIP Domains To Trick Victims

A new phishing technique called “file archiver in the browser” can be leveraged to “emulate” file archiver software in a web browser when a victim visits a .ZIP domain.

“With this phishing attack, you simulate a file archiver software (e.g., WinRAR) in the browser. Then use a .zip domain to make it appear more legitimate,” security researcher mr.d0x said last week.

Threat actors can develop a phishing landing page that looks like legitimate file archiving software and host it on a .zip domain, thus elevating social engineering campaigns.

In a potential attack scenario, a miscreant could resort to such trickery to redirect users to a credential harvesting page when a file “contained” within the fake ZIP archive is clicked.

“Another interesting use case is listing a non-executable file and when the user clicks to start a download, it downloads an executable file,” mr.d0x noted. “Let’s say you have an ‘invoice.pdf’ file. When a user clicks on this file, it will start the download of a .exe or any other file.”

The search field in Windows Explorer can also act as a conduit: if a user searches for a non-existent file whose name corresponds to a valid .zip domain, the "ZIP file" opens in the web browser.

“This is perfect for this scenario since the user would be expecting to see a ZIP file,” the researcher said. “Once the user performs this, it will auto-launch the .zip domain which has the file archive template, appearing pretty legitimate.”

The development comes as Google rolled out eight new top-level domains (TLDs), including “.zip” and “.mov”. Concerns have been raised that they could invite phishing and other types of online scams.

This is because .ZIP and .MOV are both legitimate file extension names. Unsuspecting users may be tricked into visiting a malicious website instead of opening a legitimate file, and duped into downloading malware.
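The domain/file-name ambiguity described above can be screened for on the defensive side. The following is an added example, not code from the article or from the researchers it quotes: it scans a message for tokens that look like file names but are syntactically valid hostnames under the .zip or .mov TLDs, and defangs them so a mail client will not auto-link them. The sample message is constructed.

```python
"""Flag tokens that read like file names but are routable hostnames under
the .zip and .mov TLDs, so a mail or chat filter can defang or review them.
Added example written for this article; the sample message is constructed."""
import re
from typing import List, Optional, Tuple

# TLDs discussed in the article that collide with common file extensions.
FILE_LIKE_TLDS = {"zip", "mov"}

# A DNS label: 1-63 chars, letters/digits/hyphen, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Characters that delimit a token inside prose, on top of whitespace.
_SPLIT = re.compile(r"[\s\"'<>(),;]+")


def as_hostname(token: str) -> Optional[str]:
    """Return the hostname part if `token` is a syntactically valid hostname
    (optionally prefixed with http:// or https:// and a path), else None."""
    host = re.sub(r"^https?://", "", token, flags=re.IGNORECASE)
    host = host.split("/", 1)[0].rstrip(".")  # drop any path and trailing dot
    if not host or len(host) > 253 or "." not in host:
        return None
    if not all(_LABEL.match(label) for label in host.split(".")):
        return None  # e.g. a Windows path like C:\tmp\setup.zip is rejected
    return host


def find_file_like_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (original_token, hostname) pairs for every token that a client
    could auto-link as a URL and whose TLD doubles as a file extension."""
    findings = []
    for token in _SPLIT.split(text):
        host = as_hostname(token)
        if host and host.rsplit(".", 1)[1].lower() in FILE_LIKE_TLDS:
            findings.append((token, host))
    return findings


def defang(text: str) -> str:
    """Rewrite flagged hostnames as name[.]zip (the usual SOC convention)
    so mail clients stop turning them into clickable links."""
    for _, host in find_file_like_hosts(text):
        text = text.replace(host, host.replace(".", "[.]"))
    return text


# Constructed sample message, not taken from the article.
SAMPLE = ("Hi, the files are in quarterly-report.zip and the clip is "
          "https://launch-teaser.mov/full. Also see invoice.pdf and "
          "C:\\tmp\\setup.zip (local path).")

if __name__ == "__main__":
    for token, host in find_file_like_hosts(SAMPLE):
        print(f"flagged {token!r} -> hostname {host}")
    print(defang(SAMPLE))
```

`invoice.pdf` is a valid hostname too but is left alone because `.pdf` is not a delegated TLD on the page's list; extend `FILE_LIKE_TLDS` if your environment tracks others.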

“ZIP files are often used as part of the initial stage of an attack chain, being downloaded after a user accesses a malicious URL or opens an email attachment,” Trend Micro said.

“Beyond ZIP archives being used as a payload, it’s likely that malicious actors will use ZIP-related URLs for downloading malware with the introduction of the .zip TLD.”

While reactions are mixed on the risk posed by confusion between domain names and file names, the change is expected to equip actors acting in bad faith with yet another vector for phishing.

The discovery also comes as cybersecurity company Group-IB detected a 25% surge in the use of phishing kits in 2022 compared to the preceding year, identifying 3,677 unique kits.

Of particular interest is the uptick in the use of Telegram to collect stolen data, almost doubling from 5.6% in 2021 to 9.4% in 2022.

That’s not all. Phishing attacks are also becoming more sophisticated, with cybercriminals packing the kits with detection evasion capabilities such as antibots and dynamic directories.

“Phishing operators create random website folders that are only accessible by the recipient of a personalized phishing URL and cannot be accessed without the initial link,” the Singapore-headquartered firm said.

“This technique allows phishers to evade detection and blacklisting as the phishing content will not reveal itself.”

According to a new report from Perception Point, the number of advanced phishing attacks attempted by threat actors in 2022 rose 356%. The total number of attacks increased by 87% over the course of the year.

This ongoing development of phishing tactics is highlighted by a new wave of attacks, many of which use encrypted restricted-permission message emails and hacked Microsoft 365 accounts to capture victims’ credentials.

“The use of encrypted .rpmsg messages means that the phishing content of the message, including the URL links, is hidden from email scanning gateways,” Trustwave researchers Phil Hay and Rodel Mendrez explained.

A scenario mentioned by Proofpoint involves the potential abuse of legitimate Microsoft Teams functionality to assist in the spread of phishing and malware. It involves post-compromise manipulation of meeting invites, replacing default URLs with harmful links via API calls.

“A different approach that attackers can use, given access to a user’s Teams token, is using Teams’ API or user interface to weaponize existing links in sent messages,” the enterprise security firm noted.

“This could be done by replacing benign links with links pointing to nefarious websites or malicious resources.”
