New phishing technique, File Archiver In The Browser, uses weaponized .zip domains to trick victims

A new phishing technique, called “File Archiver In The Browser”, can be leveraged to “emulate” file archiver software in a web browser when the victim visits a .zip domain. Security researcher mr.d0x detailed the new attack technique in a recent post.

In mid-May 2023, Google released several new top-level domains (TLDs), including .zip and .mov. Many cybersecurity researchers expressed concern that these TLDs can be mistaken for file extensions. The researcher showcased how these TLDs can be used to deliver malicious content.

To carry out an attack using this technique, the attacker needs to “emulate” file archiver software through HTML/CSS. The researcher shared two samples. The first one emulates the WinRAR file archive utility; to allay suspicion, when the user clicks the “Scan” icon, a message box reassuring them that the files are secure is displayed.

The second one emulates the Windows 11 File Explorer window.

“It’s highly recommended for organizations to block .zip and .mov domains as they are already being used for phishing and will likely only continue to be increasingly used,” recommended the expert.
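The recommendation above is simple to turn into a mail or proxy check. The following is an added example (not code from the article or from mr.d0x) that classifies URLs by the TLD of their hostname, so that a link to a file called `invoices-q2.zip` on a normal host is left alone while a link whose *host* is `invoices-q2.zip` is blocked; it also flags bare tokens that mail clients may auto-link. The sample e-mail text and the hostnames in it are constructed.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# TLDs the article reports as already being abused for phishing.
FILE_LIKE_TLDS = frozenset({"zip", "mov"})

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)
# Bare "name.zip" tokens not preceded by a path or URL separator; these are
# ambiguous because many clients auto-link them as hostnames.
BARE_RE = re.compile(
    r"(?<![\w/@.-])[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.(?:zip|mov)\b",
    re.IGNORECASE,
)


def hostname_tld(url: str) -> Optional[str]:
    """Return the lowercase TLD of the URL's host, ignoring userinfo,
    port, path and a trailing FQDN dot. None if there is no host."""
    host = urlsplit(url).hostname  # already lowercased, no port/userinfo
    if not host:
        return None
    host = host.rstrip(".")
    return host.rsplit(".", 1)[-1] if "." in host else None


def classify_url(url: str) -> str:
    """'blocked' when the HOST ends in .zip/.mov, otherwise 'allowed'.
    A .zip in the path (a real archive download) is not a reason to block."""
    return "blocked" if hostname_tld(url) in FILE_LIKE_TLDS else "allowed"


def scan_text(text: str) -> List[Tuple[str, str]]:
    """Classify every URL in a message body and flag auto-linkable tokens."""
    findings = []
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;)")  # trailing punctuation is prose
        findings.append((url, classify_url(url)))
    for m in BARE_RE.finditer(text):
        findings.append((m.group(0), "auto-link risk"))
    return findings


# Constructed sample message: one .zip host, one real archive download on a
# normal host, and one bare filename that clients may turn into a link.
SAMPLE_EMAIL = """\
Hi, the updated invoices are at https://invoices-q2.zip/view?id=7.
Legacy copy: https://files.example.com/archive/invoices-q2.zip
Or just open invoices-q2.zip from the shared drive."""

if __name__ == "__main__":
    for item, verdict in scan_text(SAMPLE_EMAIL):
        print(f"{verdict:15} {item}")
```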

Read more about it here.
