A new phishing attack has surfaced that exploits new top-level domains (TLDs) such as .zip and .mov. Security experts have raised concerns about these TLDs because they are easily confused with file extensions. The new phishing kit, titled “file archiver in the browser,” renders fraudulent WinRAR or Windows File Explorer windows inside the browser, tricking users into executing malicious files.
Last week, a cybersecurity researcher revealed a phishing attack that imitates file archiver software such as WinRAR inside the browser and serves the page from a .zip domain to increase its credibility. To execute the attack, the attacker emulates the WinRAR archive utility with HTML/CSS; two samples were uploaded to GitHub for public access. The first sample mimics the cosmetic features of WinRAR, while the other mimics the File Explorer window found in Windows 11.
The toolkit embeds a counterfeit WinRAR window in the browser, creating the illusion that a ZIP archive has been opened and its contents listed when the user visits a .zip domain. The attacker can list a file that appears harmless, such as “invoice.pdf”; when the user clicks it, the page instead downloads an executable (for example a .exe) or any other file type the attacker chooses.
Several Twitter users have highlighted that the Windows File Explorer search bar serves as an effective delivery method. Searching for a non-existent file such as “mrd0x.zip” causes the name to be opened in the browser automatically, which matches the user’s expectation of encountering a ZIP file. The browser then loads the .zip domain hosting the file archive template, producing a convincingly authentic appearance.
New top-level domains (TLDs) expand the phishing possibilities for attackers, prompting organizations to block .zip and .mov domains due to their current and expected future exploitation for phishing activities. Phishing attacks are growing in sophistication as cybercriminals increasingly incorporate detection evasion features like antibots and dynamic directories into their kits. In 2022, the number of advanced phishing attacks by threat actors surged by 356%, while the overall attack count saw an 87% increase throughout the year.
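As an added example that is not part of the article or the researcher’s kit, the following Python scanner shows how a mail or proxy filter could flag text and URLs whose hostname ends in a file-extension TLD such as .zip or .mov, while ignoring ordinary file paths. The TLD set and the path heuristic are assumptions chosen for this illustration.

```python
import re
from urllib.parse import urlsplit

# TLDs that collide with common file extensions. The article discusses .zip
# and .mov; extending this set is an assumption for the reader's environment.
FILE_EXTENSION_TLDS = {"zip", "mov"}

# Host-like tokens: dotted labels, optionally preceded by a scheme and
# followed by a path/query/fragment.
_HOST_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/?#]\S*)?", re.I)


def hostname_of(token):
    """Return the lowercased hostname of a URL or bare host token."""
    if "://" not in token:
        token = "http://" + token  # urlsplit needs a scheme to parse a host
    return (urlsplit(token).hostname or "").lower()


def looks_like_file_path(text, start):
    """A token directly preceded by a path separator is a file path, not a host."""
    return start > 0 and text[start - 1] in "/\\"


def find_extension_tlds(text):
    """Return sorted unique hostnames in text whose TLD is in FILE_EXTENSION_TLDS.

    Bare names such as 'mrd0x.zip' are treated as hostnames because browsers
    and the File Explorer search bar resolve them as domains.
    """
    hits = set()
    for match in _HOST_RE.finditer(text):
        if looks_like_file_path(text, match.start()):
            continue
        host = hostname_of(match.group(0))
        if host.rsplit(".", 1)[-1] in FILE_EXTENSION_TLDS:
            hits.add(host)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample of an email body, not a real message.
    sample = "Your invoice.pdf is at https://download.example.zip/invoice.pdf"
    print(find_extension_tlds(sample))
```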
To combat this type of attack, experts recommend that organizations educate their employees to identify and report attacks quickly. Organizations should also consider implementing device posture security, which verifies the security posture of a device before granting it access to the network. Furthermore, individuals should regularly update their software and security applications to prevent attackers from exploiting vulnerabilities in outdated software. With every new TLD that surfaces, security experts need to stay vigilant and monitor for new and emerging phishing attacks.

