In May 2023, Google released several new top-level domains (TLDs), including .dad, .phd, .mov, and .zip. Many cybersecurity communities began posting about the security concerns they had with TLDs that can be mistaken for file extensions, specifically .mov and .zip. As you may have noticed, whenever we download games or software, the browser's URL bar typically shows something like example.com/filename.zip, where the suffix tells the user what type of file is about to be downloaded.
Cybercriminals can use these new top-level domains in phishing attacks to make victims download malicious files, with URLs that appear more legitimate than typical phishing URLs.
In this blog, I will demonstrate how this phishing attack can effectively target a broader range of victims using a phishing website on a .zip domain that simulates a file archive.
Emulating WinRAR File Archive Software For Demonstration
Given Features
Use Cases
- Credential Harvesting: In the first use case, clicking a file in the fake archive opens a new web page that harvests credentials.
- File Extension Switcher: In this scenario, a non-executable file is listed, and when the user clicks it to start a download, an executable file is downloaded instead. For example, consider an "invoice.pdf" file listed in the archive: clicking it triggers the download of an .exe or another file type.
- Windows File Explorer Search: The Windows File Explorer search bar is a good delivery vector. If the user searches for example.zip and it does not exist on the machine, Windows automatically opens it in the browser. This is perfect for this scenario, since the user would be expecting to see a ZIP file.
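A defensive check for the lures above, added here as an example that is not part of the original post: it flags URLs whose hostname uses a TLD that reads as a file extension (q2-invoice.zip rather than example.com/q2-invoice.zip), and flags a download whose served filename, taken from the Content-Disposition header, has an executable extension different from the one the user clicked. The TLD list, extension list and sample text are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# TLDs that double as file extensions: the two from the post (.zip, .mov);
# constructed list, extend as your environment requires.
FILE_EXTENSION_TLDS = {"zip", "mov"}
# Extensions that should never silently replace a "document" download.
EXECUTABLE_EXTENSIONS = {"exe", "msi", "scr", "bat", "cmd", "js", "vbs", "ps1", "lnk"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Matches filename="x.ext", filename=x.ext and RFC 5987 filename*=UTF-8''x.ext
FILENAME_RE = re.compile(r"""filename\*?=(?:UTF-8'')?"?([^";]+)"?""", re.IGNORECASE)


def extension_of(name: str) -> str:
    """Lower-cased extension of a filename, URL path or hostname; '' if none."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def host_looks_like_filename(url: str) -> bool:
    """True when the hostname's TLD is also a file extension, e.g.
    https://invoice.zip/ (but not https://example.com/invoice.zip)."""
    host = urlparse(url).hostname or ""
    return extension_of(host) in FILE_EXTENSION_TLDS


def download_extension_mismatch(url: str, content_disposition: str) -> bool:
    """True when the server delivers an executable whose extension differs
    from the file the user clicked (clicked invoice.pdf, received invoice.exe)."""
    match = FILENAME_RE.search(content_disposition)
    if not match:
        return False
    served = extension_of(match.group(1).strip())
    clicked = extension_of(urlparse(url).path)
    return served != clicked and served in EXECUTABLE_EXTENSIONS


def flag_urls_in_text(text: str) -> list[str]:
    """URLs in free text (e.g. an email body) whose host uses a
    file-extension-like TLD; suitable input for a mail-filter or triage rule."""
    return [u for u in URL_RE.findall(text) if host_looks_like_filename(u)]
```

Pairing the first check with a proxy or mail-gateway rule and the second with download logging catches both the lookalike host and the switched file type described above.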