Phishing Attack Through WinRAR File Archiver Simulation Using .Zip Domain

In May 2023, Google released several new top-level domains (TLDs), including .dad, .phd, .mov, and .zip. Many cybersecurity communities began posting about security concerns with TLDs that can be mistaken for file extensions, specifically .mov and .zip. Whenever we download games or software, the browser's URL bar typically shows something like example.com/filename.zip, where the trailing .zip denotes the type of file being downloaded, not a domain.

Cybercriminals can use these new top-level domains to build phishing pages that look more legitimate than a typical phishing URL and trick victims into downloading malicious files onto their systems.

In this blog, I will demonstrate how this phishing attack can effectively target a broader range of victims using a file archive simulation phishing website with a .zip domain.


Emulating WinRAR File Archive Software For Demonstration

Performing this attack first requires emulating file archive software in HTML/CSS. Two samples are uploaded on the mrd0x GitHub for anyone to use. The first one emulates the WinRAR file archive utility, as shown below.

The other one emulates the Windows 11 File Explorer window.

Given Features

The WinRAR sample includes several cosmetic features that can boost the credibility of the phishing page. For instance, the "Scan" icon generates a message box saying that the files are safe.

The "Extract To" button can be used as a payload dropper as well.


Use Cases

Once the content is set up on your .zip domain, you have several possibilities to trick the user, as given below:
  • Credential Harvesting: In the first use case, clicking a listed file opens a new webpage that harvests the user's credentials.
  • File Extension Switcher: In this scenario, a non-executable file is listed, and when the user clicks to initiate a download, an executable file is downloaded instead. For example, consider an "invoice.pdf" file. When a user clicks on this file, it triggers the download of an .exe or another type of file.
  • Windows File Explorer Search: The Windows File Explorer search bar is a good delivery vector. If the user searches for example.zip and no such file exists on the machine, Windows automatically opens it in the browser. This is perfect for this scenario, since the user would be expecting to see a ZIP file.

Conclusion

These TLDs offer attackers more phishing opportunities. It is strongly advised that organizations block .zip and .mov domains, as they are already being exploited for phishing and will likely be used even more in the future.
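As a defensive complement to the use cases and the blocking advice above, here is an added example (not part of the original post or the mrd0x samples) that scans proxy log lines and flags requests whose host, rather than its path, sits under the .zip or .mov TLD. The log format and all hostnames are constructed for the example; the check treats a bare "example.zip" the way File Explorer hands it to the browser, with no scheme.

```python
"""Flag requests to hosts under file-extension-like TLDs (.zip, .mov).

"example.com/setup.zip" is a download from a .com host; "invoice.zip" or
"files.example.mov/clip.mov" is a request to a host registered under the
new TLD. Only the second kind is flagged.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# TLDs the post recommends blocking because they collide with file extensions.
FILE_LIKE_TLDS = {"zip", "mov"}

# Constructed proxy log lines in the form "<timestamp> <user> <url>".
SAMPLE_LOG = """\
2023-05-20T10:01:02Z alice https://example.com/downloads/setup.zip
2023-05-20T10:02:15Z bob https://invoice.zip/
2023-05-20T10:03:44Z carol http://files.example.mov/clip.mov
2023-05-20T10:04:09Z dave http://cdn.example.com/assets/intro.mov
2023-05-20T10:05:31Z erin attachments.zip
"""


def host_tld(url: str) -> Optional[str]:
    """Return the last DNS label of the URL's host (lower-cased), or None."""
    # A bare "attachments.zip" (what File Explorer search sends to the
    # browser) has no scheme, so urlsplit would treat it as a path; add one.
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname  # strips port and user-info, lower-cases
    if not host:
        return None
    return host.rstrip(".").rsplit(".", 1)[-1]


def is_file_like_tld_host(url: str) -> bool:
    """True when the request's host, not just its path, uses .zip/.mov."""
    return host_tld(url) in FILE_LIKE_TLDS


def flag_log(log_text: str) -> List[Tuple[str, str]]:
    """Return (user, url) for every log line whose host uses a file-like TLD."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:  # skip malformed lines
            continue
        _ts, user, url = parts
        if is_file_like_tld_host(url):
            flagged.append((user, url))
    return flagged


if __name__ == "__main__":
    for user, url in flag_log(SAMPLE_LOG):
        print(f"{user}: {url}")
```

The same TLD check can feed a proxy or DNS block rule; note that it deliberately does not flag legitimate .zip downloads served from ordinary domains.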