Zip domains are being abused again to trick victims into a phishing scam


Not even a month has passed since Google first started offering .zip internet domains, and people have already found a clever and creative way to abuse it for malware distribution.

The scam revolves around turning the web browser window into a fake WinZip or WinRAR instance and tricking the victim into believing they’re opening a legitimate file archive while, in reality, they’re downloading malware.

Researcher mr.dox outlined how a threat actor registers a new domain, for example, “setup.zip”. It looks like an archive for an installer file. Then, they create the website to mimic the look and feel of WinRAR - the file path is there, the icons are there, everything looks legitimate. To add even more credibility to the scam, the attackers can also create a fake antivirus scan popup, informing the victim that the files in the archive were scanned and no threats were found.

A website, or an archive?

The researcher who came up with the method claims this phishing kit can be used in attacks such as malware distribution or credential theft. A victim could end up double-clicking on a fake PDF file in the fake WinRAR window and be redirected to a fake login page that steals their login information.

The fake PDF file can also be used to trigger a file download, tricking the victim into downloading malware. 

BleepingComputer also notes that the way the latest Windows versions search for files can be abused as well. When a person types a file name into the search bar, the operating system first searches local storage; if it finds nothing, it tries to open the query in a browser, so if a legitimate domain of the same name exists, that site is opened instead.
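The root of the problem described above is that a string such as "setup.zip" is both a plausible archive name and a valid hostname. The following is an added defensive example (not code from the article, the researcher or BleepingComputer) that flags such ambiguous tokens in message text and flags proxy-log requests whose host sits under the .zip TLD; treating .mov the same way, and the log line format, are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# TLDs that collide with common file extensions. The article covers .zip;
# including .mov is an assumption of this example, extend the set as needed.
FILE_EXTENSION_TLDS = {"zip", "mov"}

# A bare token like "setup.zip": dot-separated labels ending in a file-extension
# TLD, not preceded by a path separator, "@" (e-mail) or another label, and not
# followed by a further extension (so "report.zip.txt" is left alone).
AMBIGUOUS_TOKEN = re.compile(
    r"(?<![\w/.@\\-])((?:[a-z0-9-]+\.)+(?:zip|mov))(?!\.?[\w-])", re.I
)


def find_ambiguous_tokens(text):
    """Return filename-looking tokens that Windows search or a link-detecting
    client could just as well resolve as hostnames, lower-cased."""
    return [m.group(1).lower() for m in AMBIGUOUS_TOKEN.finditer(text)]


def hostname_uses_file_extension_tld(url):
    """True if the URL's host ends in a TLD that doubles as a file extension."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if "." not in host:
        return False
    return host.rsplit(".", 1)[-1] in FILE_EXTENSION_TLDS


def flag_proxy_log(lines):
    """Scan proxy-log lines of the constructed form 'timestamp user url' and
    return the URLs whose host is under a file-extension TLD. A request to
    https://example.com/setup.zip is an ordinary download and is not flagged;
    a request to https://setup.zip/ is the pattern the article describes."""
    flagged = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, skip rather than guess
        if hostname_uses_file_extension_tld(parts[2]):
            flagged.append(parts[2])
    return flagged


# Constructed sample input for a stand-alone run.
SAMPLE_TEXT = "Please open setup.zip and Invoice-2023.zip, not backup.tar.gz or report.zip.txt."
SAMPLE_LOG = [
    "2023-05-18T10:02:11Z alice https://example.com/downloads/setup.zip",
    "2023-05-18T10:03:40Z bob https://setup.zip/",
    "2023-05-18T10:04:02Z bob https://setup.zip/Setup.pdf",
]

if __name__ == "__main__":
    print(find_ambiguous_tokens(SAMPLE_TEXT))
    print(flag_proxy_log(SAMPLE_LOG))
```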

“This technique illustrates how ZIP domains can be abused to create clever phishing attacks and malware delivery or credential theft,” the publication concludes. 

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.