How much do you trust a .ZIP file? As we navigate our way through the internet, it’s becoming increasingly important to discern what’s a digital friend from what’s a digital foe. A new sophisticated phishing technique has recently emerged, shedding light on how cybercriminals are stepping up their game. They are now weaponizing .ZIP domains to trick unsuspecting victims into falling for their scams. Does that make you second guess clicking on that ZIP file? Let’s take a closer look.

Security researcher mr.d0x recently disclosed this new method of attack, known as “file archiver in the browser,” to the cyber community. This technique revolves around emulating file archiver software, such as WinRAR, within a browser when a user visits a .ZIP domain. That sounds legitimate, right? That’s the crux of the deception.

Tricking Users with a Cloak of Legitimacy

How does this cyber sleight-of-hand work? Threat actors craft a convincing phishing landing page using HTML and CSS, mimicking the look of legitimate file archive software, and host it on a .ZIP domain. The use of a .ZIP domain provides an additional veneer of legitimacy, thereby enhancing the efficacy of social engineering campaigns.

Consider a potential attack scenario: a malicious actor might resort to such trickery to lure users onto a credential harvesting page. They do this by baiting the user to click on a file “contained” within the fake ZIP archive. The plot thickens when a user clicks to download a non-executable file, but instead receives an executable one. For example, clicking on ‘invoice.pdf’ might initiate the download of a .exe file.

A Trojan Horse in Windows Explorer

That’s not the end of the story. The Windows File Explorer search bar could be manipulated into playing a part in this scam. Searching for a non-existent .ZIP file in Windows File Explorer could open it directly in the web browser if the file name matches a registered .zip domain. “The user would be expecting to see a ZIP file,” mr.d0x says, which makes it the perfect way to launch the malicious .zip domain and appear remarkably legitimate.

Google’s recent introduction of eight new top-level domains (TLDs), including “.zip” and “.mov,” has raised concerns that these could facilitate phishing and other online scams. Because these TLDs are also common file extensions, users are more likely to land on a malicious website, and download malware, when they believed they were opening a file.
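As an added defensive example (not code from the original post or from mr.d0x), the following Python flags the tells described above: links whose hostname sits under a .zip or .mov TLD, links labelled as a document such as ‘invoice.pdf’ that actually deliver an executable, and bare names like ‘invoice.zip’ in plain text that a mail client or Explorer might treat as a domain. The TLD set, the extension lists, the function names and the sample HTML are my assumptions.

```python
# Added defensive example, not code from the original article. The TLD set,
# the extension sets and the sample HTML are constructed for illustration.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

FILE_TLDS = {"zip", "mov"}                  # TLDs that double as file extensions
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}
EXEC_EXTS = {"exe", "msi", "scr", "bat"}    # assumed set of "not what was promised"
def ext_of(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""
def host_uses_file_tld(url):
    """True when the URL's hostname sits under a .zip/.mov style TLD."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    return "." in host and host.rsplit(".", 1)[-1] in FILE_TLDS
class LinkCollector(HTMLParser):
    """Collects (href, download attribute, visible text) for every <a>."""
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._cur = [a.get("href") or "", a.get("download") or "", ""]
    def handle_data(self, data):
        if self._cur is not None:
            self._cur[2] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append(tuple(s.strip() for s in self._cur))
            self._cur = None

def audit_html(html):
    """Return (reason, href) findings for a mail body or landing page."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, download, text in parser.links:
        if host_uses_file_tld(href):
            findings.append(("host-under-file-tld", href))
        # what the browser would actually save: download= name, else last path segment
        served = download or urlsplit(href).path.rsplit("/", 1)[-1]
        if ext_of(text) in DOC_EXTS and ext_of(served) in EXEC_EXTS:
            findings.append(("label-vs-download-mismatch", href))
    return findings
# Bare names such as "invoice.zip" in plain text that a client may auto-link.
BARE_TOKEN = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.(?:zip|mov)\b", re.I)
def bare_file_tld_tokens(text):
    return BARE_TOKEN.findall(text)
SAMPLE = '<a href="https://example.zip/">open</a><a href="https://example.zip/invoice.exe">invoice.pdf</a>'  # constructed
```

Running `audit_html(SAMPLE)` reports both links as hosted under a file-extension TLD and the second one as promising a PDF while serving an .exe.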

A Rising Tide of Phishing Attacks

Cybersecurity firm Group-IB recently reported a 25% surge in the use of phishing kits in 2022, with 3,677 unique kits identified. This reflects the increasing sophistication of phishing attacks, with cybercriminals focusing more on evasion techniques such as antibots and dynamic directories.

Another growing trend is the use of messaging platform Telegram to collect stolen data, which almost doubled from 5.6% in 2021 to 9.4% in 2022.

The Fight Against Cyber Deception

With these deceptive practices on the rise, it’s more important than ever to stay informed and vigilant. This raises the question: are our online behaviors adapted to the current landscape of cyber threats? And how can we protect ourselves from such attacks?

The cybersecurity landscape is ever-evolving, and so must our defenses. Awareness is the first line of defense against these scams. Remember, in the world of phishing, it’s not just about ‘Don’t Click That ZIP File!’ but also about being aware of who and what’s behind it.