
A new phishing technique pretends to be a browser-based file archiver.


A new phishing technique, which its discoverer, security researcher mr.d0x, calls “file archiver in browser”, uses a web page that imitates file-archiving software such as WinRAR to trick victims into downloading malware. The page is hosted on a domain under the .zip top-level domain, so its address can pass for the name of a legitimate .zip file; an unsuspecting user who opens it sees what looks like the contents of an archive and may inadvertently download malware. The technique came to light after Google released eight new top-level domains (TLDs), among them .mov and .zip, which caused concern in the security community. Opinions differ on how much risk the overlap between domain names and file names creates, but almost everyone agrees that it gives bad actors another phishing vector.

To stage the attack, the attacker first imitates the archiver's user interface in HTML/CSS, which also lets the phisher add cosmetic touches that build trust. The WinRAR sample mr.d0x demonstrated, for instance, shows a “scan” icon suggesting the listed files have been checked, and an “Extract To” button that can serve as the trigger for dropping a payload. Once this simulated content is served from the attacker's .zip domain, it can be used in several ways. One use mr.d0x demonstrated is credential harvesting: clicking a listed file opens a new page, which can be a phishing form that steals sensitive credentials. Another is to list a harmless-looking, non-executable file while the click actually downloads an executable. A listed “invoice.pdf”, for instance, can on click start the download of a .exe or any other file type.
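The label-versus-download mismatch described above is something a browser extension or a proxy-side HTML check can look for. The following is an added example written for this page, not mr.d0x's sample page nor any code from the article: it classifies link records of the kind a fake archiver listing would expose. The link records, the host name invoice.zip and the file names are constructed here for illustration; in a browser you would build the same records from `document.querySelectorAll("a")` (label from `textContent`, target from the `download` attribute or `href`).

```javascript
// Added example (not code from the article or from mr.d0x): flag links in a
// fake "file archiver" listing whose visible name and actual download target
// do not agree. Sample link records are constructed inline.

// Extensions that yield an executable or script when opened on Windows.
const EXECUTABLE_EXTS = new Set([
  "exe", "msi", "scr", "bat", "cmd", "com", "hta", "js", "jse", "vbs", "vbe",
  "ps1", "lnk", "dll",
]);

// Lower-cased extension of a bare file name or of a URL's path ("" if none).
function extensionOf(nameOrUrl) {
  let path = nameOrUrl;
  try {
    path = new URL(nameOrUrl).pathname; // absolute URL: use its path only
  } catch (_) {
    // not an absolute URL: treat the whole string as a bare file name
  }
  const last = path.split("/").pop().split(/[?#]/)[0];
  const dot = last.lastIndexOf(".");
  return dot === -1 ? "" : last.slice(dot + 1).toLowerCase();
}

// A link is suspicious when the label looks like a document but the file that
// would actually be delivered (download attribute, else href path) executes,
// or when label and delivered file carry different extensions.
function classifyLink({ label, href, download }) {
  const shown = extensionOf(label.trim());
  const delivered = extensionOf(download || href);
  if (shown && EXECUTABLE_EXTS.has(delivered) && !EXECUTABLE_EXTS.has(shown)) {
    return { verdict: "executable-behind-document", shown, delivered };
  }
  if (shown && delivered && shown !== delivered) {
    return { verdict: "extension-mismatch", shown, delivered };
  }
  return { verdict: "ok", shown, delivered };
}

// Constructed sample: what a fake WinRAR listing on a .zip host might contain.
// Host name and file names are invented for this example.
const SAMPLE_LINKS = [
  { label: "invoice.pdf", href: "https://invoice.zip/files/invoice.pdf.exe", download: "" },
  { label: "report.docx", href: "https://invoice.zip/dl/8f2a", download: "report.docx.scr" },
  { label: "photo.jpg", href: "https://invoice.zip/photo.png", download: "" },
  { label: "readme.txt", href: "https://invoice.zip/readme.txt", download: "" },
];

// Audit a list of link records and return one verdict per link.
function auditLinks(links = SAMPLE_LINKS) {
  return links.map((l) => ({ label: l.label, ...classifyLink(l) }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(auditLinks());
}
```

The check deliberately keys on the `download` attribute first, because that attribute, not the `href` path, decides the file name the browser saves; a listing can point every `href` at an opaque path and still deliver `report.docx.scr`.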

The technique also highlighted the Windows File Explorer search bar as a delivery channel. If a phishing email directs the user to search their machine for a .zip file that does not exist, the search bar, finding no local file, opens the name as a web address and lands the user on the attacker's browser-based .zip domain of the same name. The newly launched TLDs give attackers more such opportunities. mr.d0x therefore recommends that organizations block .zip and .mov domains, since they are already being used for phishing and that use will likely only grow.
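The two points above, a file name being reinterpreted as a host name and a policy of blocking .zip and .mov domains, come together in the following added example. It is written for this page and is not code from the article or from mr.d0x. It mimics the "add a scheme if none is present" step that address and search bars perform, parses the result with the WHATWG URL class built into Node and browsers, and applies a host-name policy. The input strings are constructed for illustration, and the blocked-TLD set holds only the two TLDs the article names.

```javascript
// Added example (not from the article or mr.d0x): show how a bare file name
// such as "invoice.zip" becomes a host name once something treats it as a
// URL, and block host names whose TLD collides with a file extension.

// TLDs the article names that are also common file extensions. Extend this
// set to fit local policy; only the two cited in the article are listed.
const COLLIDING_TLDS = new Set(["zip", "mov"]);

// Mimic the address-bar behaviour of prefixing "http://" when no scheme is
// present, then return the parsed host name, or null if the text still does
// not parse as a URL (for example because it contains a space).
function hostnameIfUrl(text) {
  const candidate = /^[a-z][a-z0-9+.-]*:\/\//i.test(text) ? text : `http://${text}`;
  try {
    return new URL(candidate).hostname || null;
  } catch (_) {
    return null;
  }
}

// Policy decision for one piece of user-entered or embedded text.
function evaluate(text) {
  const hostname = hostnameIfUrl(text);
  if (!hostname) {
    return { text, hostname: null, tld: null, blocked: false, reason: "not-a-url" };
  }
  const labels = hostname.split(".");
  const tld = labels.length > 1 ? labels[labels.length - 1] : null;
  if (tld && COLLIDING_TLDS.has(tld)) {
    return { text, hostname, tld, blocked: true, reason: "file-extension-tld" };
  }
  return { text, hostname, tld, blocked: false, reason: "allowed" };
}

// Constructed inputs: the file name a phishing mail might tell the victim to
// search for, an explicit .mov URL, a normal download URL and plain text.
const CONSTRUCTED_INPUTS = [
  "invoice.zip",
  "https://attachment.mov/",
  "https://files.example.com/a.zip",
  "quarterly report",
];

// Evaluate a batch of inputs and return one decision per input.
function evaluateAll(inputs = CONSTRUCTED_INPUTS) {
  return inputs.map(evaluate);
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(evaluateAll());
}
```

Note the third input: a genuine archive served from a normal domain is allowed, because the policy looks at the host's TLD, not at the file extension in the path. That distinction is what a blanket "block anything containing .zip" rule would get wrong.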

The file archiver in browser attack chains several deceptions and can do serious damage to unsuspecting users. Users should be cautious when downloading files of any kind from the internet, be wary of email from unknown senders, and check the URL of any download carefully before starting it; in particular, a link whose host name ends in .zip or .mov points at a web domain, not at a file. This technique is another example of cybercriminals adapting their tactics to stay ahead of defenders, so awareness needs to be raised of the risks created by new TLDs and by careless interaction with the web in general. Stay safe and vigilant on the web.

