
Don’t Click That ZIP File! Phishers Arm .ZIP Domains to Fool Victims
A new phishing technique called “file archiving in the browser” can be exploited to “impersonate” file archiving software in a web browser when the victim visits a .ZIP domain.
“With this phishing attack, you simulate file archiving software (for example, WinRAR) in a browser and use a .zip domain to make it appear more legitimate,” security researcher mr.d0x disclosed last week.
In short, threat actors can build a realistic-looking phishing landing page with HTML and CSS that mimics legitimate file archiving software, host it on a .zip domain, and thereby make the social engineering campaign more convincing.
In a potential attack scenario, criminals could use such trickery to redirect users to a credential-harvesting page when a file "contained" inside the fake ZIP archive is clicked.
“Another interesting use case is listing non-executable files and when the user clicks to start the download, it downloads the executable file,” said mr.d0x. “Suppose you have an ‘invoice.pdf’ file. When a user clicks on this file, it will start the download of the .exe or other file.”
Additionally, the search bar in Windows File Explorer can serve as a delivery vector: searching for a non-existent .ZIP file will open it directly in a web browser if the file name matches a legitimate .zip domain.
“This is perfect for this scenario because the user expects to see a ZIP file,” said the researcher. “Once the user does this, it will launch the .zip domain automatically which has the file archive template and looks legitimate enough.”
The development comes as Google launched eight new top-level domains (TLDs), including “.zip” and “.mov”, raising concerns that they could invite phishing and other types of online fraud.
This is because .ZIP and .MOV are both legitimate file extension names, so an unsuspecting user may be led to visit a malicious website rather than open a file, and tricked into inadvertently downloading malware.
“ZIP files are often used as part of the early stages of an attack chain, typically downloaded after a user accesses a malicious URL or opens an email attachment,” Trend Micro said.
“Beyond ZIP archives used as payload, it is also possible that malicious actors will use ZIP-associated URLs to download malware with the introduction of the .zip TLD.”
While reactions to the risk posed by confusion between domain names and file names are decidedly mixed, it is expected to give bad-faith actors another vector for phishing.
The discovery also comes as cybersecurity firm Group-IB says it detected a 25% spike in phishing kit usage in 2022 compared with the previous year, identifying 3,677 unique kits.
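The confusion the article describes (a bare file name such as invoice.zip now doubling as a resolvable hostname) can be checked for on the defender side. The following is an added example, not code from the article or from the researcher: it scans text such as an email body for tokens ending in .zip or .mov that would parse as a hostname, separates explicit URLs from ambiguous file-name look-alikes, and defangs them so they no longer auto-link. The sample email and the `[.]` convention are constructed for illustration.

```python
import re
from typing import Dict, List

# TLDs named in the article that collide with common file extensions.
RISKY_TLDS = ("zip", "mov")

# Matches anything that would parse as a hostname ending in a risky TLD, with an
# optional scheme and path. Labels follow the RFC 1123 hostname shape (letters,
# digits, hyphens; no underscores or spaces), which is exactly why "invoice.zip"
# is a registrable domain but "my_archive.zip" is not.
_TOKEN_RE = re.compile(
    r"(?<![\w.-])"
    r"(?P<scheme>https?://)?"
    r"(?P<host>(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+(?P<tld>"
    + "|".join(RISKY_TLDS) + r"))"
    r"(?P<path>/[^\s<>\"']*)?"
    r"(?![\w-])",
    re.IGNORECASE,
)

# Constructed sample message (not from the article).
SAMPLE_EMAIL = (
    "Hi, the Q2 figures are in invoice.zip (attached). The installer is at "
    "https://setup-update.zip/download and the clip is vacation.mov. "
    "Old notes: my_archive.zip, and our site example.com is unchanged."
)


def find_risky_tokens(text: str) -> List[Dict[str, str]]:
    """Return each token a mail client or the Explorer search bar could resolve
    as a .zip/.mov domain. Tokens with a scheme are real URLs; the rest are
    ambiguous file-name/domain look-alikes."""
    findings = []
    for m in _TOKEN_RE.finditer(text):
        findings.append({
            "token": m.group(0),
            "host": m.group("host").lower(),
            "tld": m.group("tld").lower(),
            "kind": "url" if m.group("scheme") else "ambiguous",
        })
    return findings


def defang_risky_tokens(text: str) -> str:
    """Rewrite each risky token so it no longer auto-links: the final dot of the
    host becomes '[.]', e.g. invoice[.]zip. Untouched text is returned as-is."""
    def _repl(m: "re.Match[str]") -> str:
        head, tld = m.group("host").rsplit(".", 1)
        return (m.group("scheme") or "") + head + "[.]" + tld + (m.group("path") or "")
    return _TOKEN_RE.sub(_repl, text)


if __name__ == "__main__":
    for f in find_risky_tokens(SAMPLE_EMAIL):
        print(f"{f['kind']:9} {f['host']}")
    print(defang_risky_tokens(SAMPLE_EMAIL))
```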
Of particular interest is the increasing trend of using Telegram to collect stolen data, almost doubling from 5.6% in 2021 to 9.4% in 2022.
Not only that. Phishing attacks are also becoming more sophisticated, with cybercriminals increasingly packing kits with detection-evasion capabilities such as antibots and dynamic directories.
“The phishing operator creates a folder of random websites that only recipients of the personalized phishing URL can access and cannot access without the initial link,” the Singapore-headquartered company said.
“This technique allows phishers to avoid detection and blacklisting because the phishing content will not reveal itself.”
According to a new report from Perception Point, the number of advanced phishing attacks attempted by threat actors in 2022 rose by 356%. The total number of attacks increased by 87% during the year.
The continued evolution of phishing schemes is exemplified by a new wave of attacks that have been observed using compromised Microsoft 365 accounts and restricted-permission message (.rpmsg) encrypted emails to harvest user credentials.
“Use of encrypted .rpmsg messages means the phishing content of those messages, including URL links, is hidden from email scanning gateways,” Trustwave researchers Phil Hay and Rodel Mendrez explained.
Another example highlighted by Proofpoint involves the possible abuse of legitimate features in Microsoft Teams to facilitate the delivery of phishing and malware, including leveraging meeting invites after a compromise by replacing default URLs with malicious links via API calls.
“A different approach an attacker could use, by granting access to a user’s Team token, is using the Teams API or user interface to weaponize existing links in sent messages,” the enterprise security firm noted.
“This can be done simply by replacing benign links with links that point to malicious websites or harmful resources.”