The new phishing that exploits the .zip and .mov domains

In May, Google has launched eight new top-level domains (TLDs) including .zip and .mov and as always happens, cybercriminals have faced the problem of how to exploit new domains for fraudulent activities.

On the other hand, security experts are also wondering about the possible abuses of the new domains and a researcher known under the pseudonym “mr.d0x” described a new attack technique, dubbed “file archiver in the browser,” which could soon be exploited in phishing campaigns on a large scale.

The new technique is as ingenious as it is simple, the name suggests the attacker builds a web page that mimics the interface of popular software for managing .ZIP archives like WinZIP or WinRAR.

For this purpose, an attacker uses the classic way of developing a web page whose appearance is defined through HTML code and CSS style sheets which determine the final appearance of the page. As an example, the expert mr.d0x has developed two pages that reproduce the appearance of the WinRAR software and the Windows 11 File Explorer window, i.e. software that we use every day when a .ZIP archive arrives.

The final aspect is the one visible in the following image, with the difference that the page is visible within the browser and is not the classic application that we run locally from our PC.

You will notice later a GUI feature introduced to trick usersi.e. the presence of a “Scan” icon inside the command bar recreated in the page that emulates the WinRAR software. This button is not present in the original software, however unsuspecting users clicking the button will see a window with a message reassuring them that no malware was found following the scan.

Safe on the Net

The roots of attacks on the energy sector are rooted in the Dark Web

by Pierluigi Paganini

May 19, 2023

At this point the game is done, the page reproducing the archive management software is published by the attackers on one of the new .zip domains available.

So let’s imagine that we want to hit a company and send its employees an email informing them of the possibility of using tax benefits. Within the body of the mail it is possible insert a link pointing to a .zip domain passing it off as the archive containing the forms and instructions for requesting subsidies.

Clicking on the link would open the page created ad hoc on a .zip domain which reproduces a list of alleged files present in the archive.

When users click on one of these files they are actually clicking on a hyperlink that could direct them to a phishing page which asks them to provide credentials to view documents or worse to download software to view documents correctly.

In the latter case it is possible to fool visitors by presenting an executable file with a disguised extension. Users click on what appears to be a .pdf file (for example, “invoice.pdf”), when an executable file is actually downloaded, as seen in the next image.

There is a further attack mode could use the Windows File Explorer search bar as an initial attack vector.

Let’s imagine that the user searches for the “Deductions COMPANYNAME.zip” archive in the search bar. At this point, since no archive with that name is found on the victim’s PC, the “DeductionsCOMPANYNAME.zip” domain will be opened in the browser, which had been previously registered by the attacker and prepared to conduct phishing attacks or distribute malware.

“Several people pointed out on Twitter that the Windows File Explorer search bar is a good attack vector. If the user searches for the mrd0x.zip archive and it doesn’t exist on the machine, it will automatically open it in the browser. This is perfect for this scenario as the user would expect to see a ZIP archive rendered graphically using the technique described.” reads the analysis published by mr.d0x.

Recently released TLD domains offer attackers more opportunities for phishing campaigns. Knowledge of this attack technique is essential to avoid falling victim to criminals intent on exploiting it on a large scale.

“Organizations are strongly advised to block .zip and .mov domains as they are already being used for phishing and will likely continue to be used more and more.” concludes the expert.

Cybersecurity

Generative AI like ChatGPT used to distribute malware

by Pierluigi Paganini

05 May 2023