Zip domains are being abused again to trick victims into a phishing scam

What if a .zip archive was actually a website?


Not even a month has passed since Google first started offering .zip internet domains, and people have already found a clever and creative way to abuse them for malware distribution.

The scam revolves around turning the web browser window into a fake WinZip or WinRAR instance and tricking the victim into believing they’re opening a legitimate file archive while, in reality, they’re downloading malware.

Researcher mr.dox outlined how a threat actor registers a new domain, for example, “setup.zip”. It looks like an archive for an installer file. Then, they create the website to mimic the look and feel of WinRAR - the file path is there, the icons are there, everything looks legitimate. To add even more credibility to the scam, the attackers can also create a fake antivirus scan popup, informing the victim that the files in the archive were scanned and no threats were found.

A website, or an archive?

The researcher who came up with the method claims this phishing kit can be used in attacks such as malware distribution or credential theft. A victim could end up double-clicking on a fake PDF file in the fake WinRAR window and be redirected to a fake login page that steals their login information.


The fake PDF file can also be used to trigger a file download, tricking the victim into downloading malware.

BleepingComputer also notes that the way the latest Windows versions search for files can be abused as well. When a person types a file name into the search bar, the operating system first searches local storage, but if it finds nothing, it tries to open the query in a browser. If a domain of the same name exists, it is opened in the browser.

“This technique illustrates how ZIP domains can be abused to create clever phishing attacks and malware delivery or credential theft,” the publication concludes.
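The root of the problem described above is that a string like “setup.zip” is both a plausible file name and a valid hostname, so mail clients and the Windows search bar may turn it into a link. The following added example (not code from the article, mr.dox or BleepingComputer) is a small defender-side check that scans free text, such as an email body or a proxy log line, for tokens that resolve as hosts under the .zip or .mov top-level domains; the sample text is constructed.

```python
import re

# TLDs that collide with common file extensions (.zip and .mov were delegated in 2023).
FILE_EXTENSION_TLDS = {"zip", "mov"}

# A valid DNS label: letters, digits and interior hyphens only. Note that an
# underscore is NOT allowed, so "my_file.zip" can never be a registrable hostname.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def host_from_token(token):
    """Reduce one whitespace-delimited token to the hostname a client would link."""
    token = token.strip("()[]<>\"'.,;:!?").lower()
    if "://" in token:                      # drop a scheme such as https://
        token = token.split("://", 1)[1]
    token = token.split("/", 1)[0]          # drop the path
    token = token.split("?", 1)[0].split("#", 1)[0]
    token = token.rsplit("@", 1)[-1]        # drop userinfo
    return token.split(":", 1)[0]           # drop a port


def is_file_extension_host(host):
    """True if host is syntactically a domain whose TLD doubles as a file extension."""
    labels = host.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        return False
    return labels[-1] in FILE_EXTENSION_TLDS


def find_file_extension_hosts(text):
    """Return the distinct .zip/.mov hostnames that a client could auto-link in text."""
    found = []
    for token in text.split():
        host = host_from_token(token)
        if is_file_extension_host(host) and host not in found:
            found.append(host)
    return found


# Constructed sample resembling a phishing lure: two "archives" are really hostnames,
# report.pdf is harmless and my_file.zip cannot be a domain because of the underscore.
SAMPLE_TEXT = (
    "Hi, please open setup.zip and report.pdf before the call. "
    "The scan of https://invoice.zip/scan?x=1 came back clean, my_file.zip too."
)

if __name__ == "__main__":
    print(find_file_extension_hosts(SAMPLE_TEXT))   # ['setup.zip', 'invoice.zip']
```

Run over an email gateway's text or a proxy log, a non-empty result is a useful triage signal for reviewers, not proof of malice, since legitimate .zip domains exist.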


Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
