
Security researcher unveils proof-of-concept .zip domain-based phishing attack

Google launched an array of new top-level domains in early May 2023, each aimed at a particular industry, profession or interest.

David Hollingworth
Mon, 29 May 2023

Two of them, however, .zip and .mov, were aimed at more technical users, and because both strings are also everyday file extensions, many observers warned that scammers and other threat actors could use them to trick users into downloading malicious software.

While some researchers felt the alarm was overblown, one expert has delivered a proof of concept of exactly how a .zip domain could be abused.

Penetration tester and security researcher mr.d0x has found a way to utilise the new domain in a phishing trick they’re calling “File Archiver In The Browser”.


Mr.d0x has actually created two techniques. The first imitates a WinRAR archive window; the second imitates the Windows 11 File Explorer. Both are ordinary web pages, served from a .zip domain, that look like a local file archive.

“The WinRAR sample has a few cosmetic features that can increase the legitimacy of the phishing page,” mr.d0x said in a blog post. “For example, the ‘Scan’ icon creates a message box stating that the files are safe.”

“The ‘Extract To’ button can be used to drop a file as well.”

Mr.d0x claims that once such a page is hosted on a .zip domain, it can harvest credentials by making an entry in the fake archive link out to a phishing site. He also believes the fake archive could trick users into downloading a file with a different extension from the one they think they are downloading.

“Let’s say you have an ‘invoice.pdf’ file,” mr.d0x proposed. “When a user clicks on this file, it will initiate the download of a .exe or any other file.”
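The "invoice.pdf that delivers an .exe" trick works because what a browser saves is decided by the link's target and its HTML5 `download` attribute, not by the label the victim reads. The following is an added example, not mr.d0x's code: a small client-side audit that compares the displayed file name with the name that would actually land on disk. The host `mrd0x.zip` is taken from the article; the paths, the link list and the base URL used for relative links are constructed for the example.

```javascript
// Added example (not mr.d0x's code): client-side audit for the
// "invoice.pdf that actually delivers an .exe" trick described above.
// Each entry models one <a> element in a fake archive listing: the text the
// victim sees, the URL the link points at, and the HTML5 download attribute,
// which lets a page choose the file name the browser saves under.
// The host mrd0x.zip is taken from the article; the paths are constructed.
const SAMPLE_LINKS = [
  { label: "invoice.pdf", href: "/files/invoice.pdf" },                          // honest
  { label: "invoice.pdf", href: "/files/payload.exe" },                          // URL path lies
  { label: "invoice.pdf", href: "/files/invoice.pdf", download: "invoice.exe" }, // download attribute lies
  { label: "readme.txt",  href: "https://mrd0x.zip/readme.txt" },                // honest, absolute URL
];

// Extensions a download should never silently turn into.
const EXECUTABLE = new Set(["exe", "scr", "bat", "cmd", "msi", "js", "vbs", "hta", "lnk", "ps1", "dll"]);

// Last dotted suffix of a file name, lower-cased; "" when there is none.
function extensionOf(name) {
  const m = /\.([A-Za-z0-9]+)$/.exec(name.trim());
  return m ? m[1].toLowerCase() : "";
}

// The name the browser will save: the download attribute wins, otherwise the
// final path segment of the URL. The base URL only matters for relative hrefs
// and is an assumption (the page is taken to live on the .zip host being audited).
function deliveredFilename(href, download) {
  if (download) return download;
  const url = new URL(href, "https://mrd0x.zip/");
  return decodeURIComponent(url.pathname.split("/").pop() || "");
}

// Compare what the user is shown with what would actually land on disk.
function auditLinks(links) {
  return links.map((link) => {
    const shownExt = extensionOf(link.label);
    const served = deliveredFilename(link.href, link.download);
    const servedExt = extensionOf(served);
    return {
      label: link.label,
      served,
      mismatch: shownExt !== "" && servedExt !== "" && shownExt !== servedExt,
      executable: EXECUTABLE.has(servedExt),
    };
  });
}

// Stand-alone run: print the verdict for each link in the constructed listing.
for (const verdict of auditLinks(SAMPLE_LINKS)) {
  const flag = verdict.mismatch ? (verdict.executable ? "DANGER" : "MISMATCH") : "ok";
  console.log(`${flag.padEnd(8)} shown=${verdict.label} delivered=${verdict.served}`);
}
```

The audit only sees what the page itself declares. A server can still rename a download with a `Content-Disposition` header, so a check like this belongs alongside, not instead of, inspection of the file that actually arrives.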

Further, Windows File Explorer itself could serve as the delivery mechanism: a search for a file name ending in .zip that does not exist on the machine is treated as a web address.

“If the user searches for mrd0x.zip and it doesn’t exist on the machine, it will automatically open it up in the browser,” mr.d0x said.

“This is perfect for this scenario since the user would be expecting to see a ZIP file.”
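The same ambiguity that makes Explorer open `mrd0x.zip` in a browser also makes mail and chat clients turn any bare `something.zip` in a message into a clickable link. The following is an added example, not mr.d0x's or Google's code: a scanner that finds .zip and .mov hosts in text, distinguishing explicit URLs (where only the hostname matters, so `https://example.com/notes.zip` is not a hit) from bare file-name-looking tokens that a client would auto-link. The host `mrd0x.zip` comes from the article; the sample text is constructed.

```javascript
// Added example (not mr.d0x's code): find references to .zip/.mov hosts in
// text, which is what a mail or chat client turns into a clickable link and
// what File Explorer's search box (per the article) treats as a web address.
// The host mrd0x.zip comes from the article; everything else is constructed.
const SAMPLE_TEXT = [
  "Hi team, the quarterly numbers are in report-q2.zip, attached.",
  "Download the build from https://mrd0x.zip/files/setup.zip",
  "Local copy at C:\\Users\\alice\\Downloads\\report-q2.zip",
  "The demo video is in demo.mov, see also https://example.com/notes.zip",
].join("\n");

// TLDs that double as common file extensions.
const FILE_TLDS = new Set(["zip", "mov"]);

// Explicit URLs: parse them and look at the hostname only, so that
// https://example.com/notes.zip is NOT flagged (the .zip there is a path).
const URL_RE = /\bhttps?:\/\/[^\s<>"']+/gi;

// Bare file-name-looking tokens: one or more DNS labels ending in .zip/.mov,
// not preceded by a path separator, scheme or another label character (so a
// token inside a URL or a Windows path is skipped; it is not a link there).
const BARE_RE = /(?<![\w./\\:@-])((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+(?:zip|mov))(?![\w.-])/gi;

// Returns one finding per hit: the host, whether it came from an explicit URL
// or a bare token, and the matched text for context.
function findFileTldHosts(text) {
  const findings = [];
  for (const m of text.matchAll(URL_RE)) {
    let host;
    try { host = new URL(m[0]).hostname; } catch { continue; }
    if (FILE_TLDS.has(host.split(".").pop())) {
      findings.push({ host, kind: "url", match: m[0] });
    }
  }
  for (const m of text.matchAll(BARE_RE)) {
    findings.push({ host: m[1].toLowerCase(), kind: "bare", match: m[1] });
  }
  return findings;
}

// Stand-alone run over the constructed sample.
for (const f of findFileTldHosts(SAMPLE_TEXT)) {
  console.log(`${f.kind.padEnd(4)} ${f.host}  <- "${f.match}"`);
}
```

Run over the sample, the scanner reports the explicit `mrd0x.zip` URL and the two bare tokens `report-q2.zip` and `demo.mov`, while the copy of `report-q2.zip` inside a Windows path and the `.zip` that is merely a path component under `example.com` are left alone. A mail gateway or proxy rule built on the same logic would flag or block hosts under these TLDs while leaving ordinary attachments untouched.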

Mr.d0x said he had no wish to comment on Google's decision to launch the new domains, only to point out that, in his opinion, there is little doubt the domains “provide attackers with more opportunities for phishing”.


David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
