A researcher going by the name mr.d0x has discovered a new phishing technique, "file archiver in the browser", that emulates file-archiving software inside the web browser when a victim visits a .zip domain.
The attacker essentially simulates file-archiving software such as WinRAR in the browser and disguises it under a .zip domain to stage the phishing attack.
The technique came to the limelight after Google released eight new top-level domains (TLDs), including .mov and .zip, which can be mistaken for file extensions. Because both are also valid file extensions, they can confuse unsuspecting users, who might visit a malicious website when they believe they are opening a file, inadvertently downloading malware in the process.
The confusion between domain names and file names has drawn mixed reactions regarding the risk it poses, but almost everyone agrees that it can be expected to equip bad actors, in some capacity, with another phishing vector.
mr.d0x has identified several advantages of the .zip simulation for phishers, as it provides them with a number of "cosmetic features". The WinRAR sample, for instance, has a "scan" icon that lends the listed files an air of legitimacy. It also features an "extract to" button that can be used for dropping payloads.
One use case mr.d0x demonstrated is credential harvesting: clicking a file opens a new web page, and this redirection can lead to a phishing page equipped to steal sensitive credentials.
Another demonstrated use case "is listing a non-executable file and when the user clicks to initiate a download, it downloads an executable file." For instance, a file displayed as "invoice.pdf" can, when clicked, initiate the download of a .exe or any other file.
On Twitter, several individuals also highlighted that the search bar in Windows File Explorer can serve as an effective means of delivering malicious content: when a user searches for a non-existent .zip file on their machine, as directed by a phishing email, the search results will automatically display and open the malicious browser-based .zip domain.
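A defender-side check for the file-name/domain confusion described above, as an added example that is not from the original article or from mr.d0x's research: it scans message text for URLs whose hostname ends in a .zip or .mov TLD, and for bare tokens such as "invoice.zip" that a mail client or browser may auto-link as a hostname, while leaving alone a .zip that appears only in a URL path. The sample message body is constructed.

```python
import re
from urllib.parse import urlsplit

# TLDs that double as common file extensions (the two discussed in the article).
FILE_LIKE_TLDS = {"zip", "mov"}

# Explicit URLs, and bare dotted tokens ending in a file-like TLD
# (e.g. "invoice.zip") that clients often turn into clickable links.
_URL = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
_BARE_TOKEN = re.compile(r"\b((?:[a-z0-9-]+\.)+(zip|mov))\b", re.IGNORECASE)


def find_file_like_hosts(text):
    """Return (kind, value, host) tuples for every explicit URL whose hostname
    ends in a file-like TLD and for every bare token that would resolve to one.
    A URL such as https://example.com/archive.zip is NOT flagged: the .zip is
    in the path, the host is example.com."""
    hits = []
    for m in _URL.finditer(text):
        url = m.group(0)
        host = (urlsplit(url).hostname or "").lower()
        if host.rsplit(".", 1)[-1] in FILE_LIKE_TLDS:
            hits.append(("url", url, host))
    # Blank out explicit URLs so their parts are not re-matched as bare tokens.
    stripped = _URL.sub(" ", text)
    for m in _BARE_TOKEN.finditer(stripped):
        hits.append(("bare", m.group(1), m.group(1).lower()))
    return hits


# Constructed sample message body (not a real email).
SAMPLE_BODY = """Hi, please review the attached invoice.zip before Friday.
Backup is at https://example.com/downloads/archive.zip
Preview: https://files.example.zip/invoice.pdf
Regards"""

if __name__ == "__main__":
    for kind, value, host in find_file_like_hosts(SAMPLE_BODY):
        print(f"{kind:4} {value!r} -> host {host!r}")
```

Bare-token hits are ambiguous by design: the sender may have meant a file name, but a click would resolve the token as a domain, which is exactly the confusion the article describes.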