A "file archiver in the browser" phishing kit that abuses .zip domains has surfaced. The kit renders fake WinRAR or Windows File Explorer windows inside the browser, and the idea behind the technique is to trick users into launching risky programs.
Google began rolling out the new .zip top-level domain (TLD) this month, allowing .zip domains to be registered and used in websites and emails. Since the TLD's introduction there has been a great deal of debate about whether creating it was a mistake and whether it now puts users' security at risk.
The main concern, even though some experts believe the fears are overstated, is that certain websites and applications may automatically turn a string ending in ".zip", such as setup.zip, into an active link. Such links could then be used to spread malware or launch phishing attacks.
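The ambiguity described above (a string that is both a plausible filename and a valid hostname under the .zip TLD) can be checked for mechanically. The script below is an added example written for this page; it is not part of the article and not code from mr.d0x's toolkit. It scans text such as an email body or proxy log lines for tokens that a linkifier would treat as .zip hostnames, and marks those whose leftmost label reads like a download name. It assumes that auto-linking follows hostname rules (letters, digits and hyphens only), so "backup_2023.zip" is not flagged while "setup.zip" is; the lure word list and all sample text are constructed for illustration.

```python
"""Find strings that a mail client or web page may auto-link as .zip TLD domains.

Added example, not from the article and not mr.d0x's toolkit. A token is
flagged when it is a syntactically valid hostname ending in ".zip"
(RFC 1123 labels: letters, digits, hyphens, 1-63 chars, no leading or
trailing hyphen). Assumption: linkifiers apply hostname rules, so
"backup_2023.zip" (underscore) is not auto-linked but "setup.zip" is.
URL path components such as ".../setup.zip" are skipped because they are
already part of an explicit link and name a file on a real host.
"""
import re
from dataclasses import dataclass

_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_ZIP_HOST_RE = re.compile(
    r"(?<![\w./-])"                 # not inside a word, a label, or a URL path
    rf"((?:{_LABEL}\.)+zip)"        # one or more labels, then the .zip TLD
    r"(?![\w-])",                   # the token ends here
    re.IGNORECASE,
)

# Leftmost labels that make a .zip domain read like a download. Constructed
# starter list; extend it from your own mail and proxy telemetry.
LURE_WORDS = frozenset({
    "setup", "update", "install", "installer", "invoice", "report",
    "backup", "attachment", "document", "files", "download",
})


@dataclass(frozen=True)
class ZipTldHit:
    token: str       # the matched hostname as written in the text
    lure_like: bool  # True when the leftmost label resembles a filename lure
    line_no: int     # 1-based line number, for analyst review
    context: str     # the full line the token appeared on


def _looks_like_lure(host):
    """Leftmost label, split on hyphens, checked against LURE_WORDS."""
    first = host.lower().split(".")[0]
    return any(part in LURE_WORDS for part in first.split("-"))


def find_zip_tld_candidates(text):
    """Return every auto-linkable .zip hostname in text, in document order."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in _ZIP_HOST_RE.finditer(line):
            tok = m.group(1)
            hits.append(ZipTldHit(tok, _looks_like_lure(tok), n, line.strip()))
    return hits


# Constructed sample: an email body followed by two constructed proxy log lines.
SAMPLE_TEXT = """\
Hi team, the installer is attached as setup.zip; notes are in README.md.
Mirror: https://downloads.example.com/setup.zip
Please review invoice.zip and q3-report.zip before Friday.
The nightly archive is backup_2023.zip (made with 7zip).
Researcher demo domain from the article: mrd0x.zip
2023-05-19T10:02:11Z src=10.0.0.5 host=setup.zip method=GET path=/ status=200
2023-05-19T10:02:12Z src=10.0.0.5 host=update.example.com method=GET path=/a.zip status=200
"""

if __name__ == "__main__":
    for h in find_zip_tld_candidates(SAMPLE_TEXT):
        flag = "LURE" if h.lure_like else "info"
        print(f"line {h.line_no:>2} [{flag}] {h.token:<16} {h.context}")
```

Run against the constructed sample, the scan reports setup.zip, invoice.zip and q3-report.zip as lure-like, mrd0x.zip as a plain .zip hostname, and the proxy line whose host is setup.zip, while the file in the URL path, the underscore-bearing archive name and the .com host with /a.zip in its path are left alone. The same function can be pointed at mail-gateway output or proxy logs to surface .zip hosts that deserve a closer look.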
How the Browser-Based File Archiver Works
Security researcher mr.d0x has uncovered a clever phishing toolkit that makes use of .zip domains. The toolkit fakes the presence of real file archiver software, such as WinRAR, inside the web page.
According to mr.d0x:
With this phishing attack, you simulate a file archiver software (e.g., WinRAR) in the browser and use a .zip domain to make it appear more legitimate.
The toolkit demonstrated how easily a fake WinRAR window can be embedded in the browser when a .zip domain is visited.
This method gives users the impression that they have opened a ZIP archive and are viewing its contents. The window is particularly convincing as a popup, since the popup lacks an address bar and scrollbar and appears on screen like a real WinRAR window.
To increase credibility further, the toolkit's creators added a fake security scan button. When users click it, a reassuring message is shown stating that the scanned files are risk-free.
Although the toolkit still displays the browser address bar, it is likely to trick some users into thinking they are looking at a legitimate WinRAR archive, and it could be further polished with creative CSS and HTML techniques. mr.d0x also offers an alternative template that displays a fake in-browser Windows File Explorer and simulates opening a ZIP file. This template, however, is currently a work in progress and is missing several components.
As several people noted on Twitter, the Windows File Explorer search box is a useful delivery channel: if a user searches for "mrd0x.zip" and no such file exists on their machine, Windows automatically opens the name in the browser. This fits the lure well, since the user expects to encounter a ZIP file in this scenario.
Phishing Toolkit Exploitation
According to mr.d0x, the phishing toolkit poses a dual danger, since it can be used both to steal credentials and to spread malware. For example, if a user double-clicks a PDF file inside the fake WinRAR window, they can unknowingly be redirected to a fake website that requests their login details under the pretext of granting access to the file.
If a common file name is registered as a .zip domain and a user searches for that name, Windows will load the website in the browser. A site that deceives visitors into believing they are viewing a legitimate ZIP download shows how .zip domains can be used for convincing phishing attacks, malware delivery, or data theft.
Using HTML and CSS, threat actors can build an extremely convincing phishing landing page that mimics real file archiving software, and a .zip domain lets them strengthen the social engineering behind it.
According to a report, the number of sophisticated phishing attacks attempted by malicious actors in 2022 surged by 500%, and the total number of attacks across the year rose by 88%.
Phishing attacks are on the rise, and it is important to protect your organisation. One effective way to do this is by increasing user awareness of these types of attacks. Phishing Tackle is a great resource that can help you in this regard. They offer a free 14-day trial to help train your users to recognise and avoid phishing attacks.