Novel Phishing Technique Utilizes Browser File Archiver Simulation on New .zip Domain

  1. A new phishing technique exploits Google’s new .zip top-level domain, simulating file archiver software like WinRAR in a web browser to trick users into divulging credentials or downloading harmful files.
  2. The delivery method is innovative, using the Windows File Explorer’s search function: if a user searches for a specific .zip file that doesn’t exist on their system, the browser automatically opens the simulated .zip domain phishing site, which appears highly legitimate due to the file archive interface.

In light of Google’s recent release of new top-level domains (TLDs) like .dad, .phd, .mov and .zip, there have been rising concerns within the security community over TLDs that can easily be mistaken for file extensions. This report explores a phishing technique that utilizes these concerns, specifically exploiting the .zip TLD to simulate a file archiver software in a web browser.

This unique phishing attack involves creating the illusion of a file archiver software (like WinRAR) using HTML and CSS coding on a .zip domain, in an effort to increase the attack’s credibility.

Two samples of these simulations are available on GitHub for public use. One mimics the look of the popular WinRAR file archive utility, while the other emulates the interface of the Windows 11 File Explorer window. These simulations are complete with cosmetic features that enhance the legitimacy of the phishing page, such as a ‘Scan’ icon which indicates the files are safe, and an ‘Extract To’ button capable of dropping a file.

Once the webpage content is established on the .zip domain, there are multiple strategies to ensnare unsuspecting users.

One technique is credential harvesting, which is done by opening a new webpage when a file is clicked on, prompting users to input their credentials. Another strategy involves a file extension switch, where a seemingly benign file, like an “invoice.pdf”, initiates the download of a potentially harmful executable file when clicked.

Delivery of this type of phishing attack is also innovative. If a user searches for a specific .zip file (like on the Windows File Explorer, and the file doesn’t exist on their machine, the search bar will automatically launch the file in the browser. This can open up the .zip domain phishing site, which appears legitimate due to the file archive template.