Innovative phishing approach exploits browser-based file archiving
The latest cybercrime method mirrors genuine file archiving software within web browsers, capitalizing on new top-level domains and raising cybersecurity concerns
An innovative phishing approach named "browser-based file archiving" impersonates file archiving software, such as WinRAR, inside the web browser; the lure is triggered when a victim lands on a .ZIP website.
The tactic, revealed by security researcher mr.d0x, relies on a .zip website to make the attack more believable. The core idea is that cybercriminals can build a convincing phishing landing page with HTML and CSS that mimics genuine file archiving software, host it on a .zip domain, and so make their social engineering more persuasive.
This approach lets an attacker redirect users to a credential-harvesting page when they click a file supposedly stored inside the fake ZIP archive. A more intriguing use is to list a non-executable file that, when clicked, triggers the download of an executable. For instance, a file labeled 'invoice.pdf' might, when clicked, download a .exe or some other file type instead.
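The 'invoice.pdf' lure works because the user trusts the displayed name rather than the bytes that arrive. A download handler or mail gateway can catch the swap by comparing the extension the user sees against the file's magic bytes. The script below is an added example written for this article, not code from the article, mr.d0x or any vendor; the sample payloads are constructed header fragments, not real files.

```python
"""Check that a downloaded file's displayed name matches what its bytes actually are.

Added example (not from the article or from mr.d0x's research). The sample payloads
are constructed stand-ins: a few leading bytes per type, not real files.
"""
from pathlib import PurePosixPath

# Leading byte signatures for the handful of types this check cares about.
MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "exe",          # Windows PE / DOS header
    b"PK\x03\x04": "zip",  # also the container for .docx/.xlsx/.jar
    b"\x7fELF": "elf",
}

# Extensions whose contents can run code; a mismatch toward these is the dangerous case.
EXECUTABLE = {"exe", "elf", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}


def sniff_type(data: bytes) -> str:
    """Return a type label from the file's leading bytes, or 'unknown'."""
    for sig, label in MAGIC.items():
        if data.startswith(sig):
            return label
    return "unknown"


def claimed_extension(name: str) -> str:
    """Extension the user sees, lower-cased, without the dot ('' if none)."""
    return PurePosixPath(name).suffix.lstrip(".").lower()


def check_download(display_name: str, data: bytes) -> dict:
    """Compare the displayed extension with the sniffed type.

    'block' is True when the name promises a document or archive but the bytes are
    an executable, or when the name carries a double extension that ends in an
    executable type (invoice.pdf.exe).
    """
    ext = claimed_extension(display_name)
    actual = sniff_type(data)
    double_ext = len(PurePosixPath(display_name).suffixes) > 1 and ext in EXECUTABLE
    disguised = actual in EXECUTABLE and ext not in EXECUTABLE
    return {
        "name": display_name,
        "claimed": ext,
        "actual": actual,
        "mismatch": ext != actual and actual != "unknown",
        "block": disguised or double_ext,
    }


# Constructed sample downloads: minimal headers only, not real files.
SAMPLES = [
    ("invoice.pdf", b"%PDF-1.7\n%constructed sample\n"),          # honest PDF
    ("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00constructed PE"),  # the lure from the article
    ("invoice.pdf.exe", b"MZ\x90\x00constructed PE"),              # double extension
    ("report.zip", b"PK\x03\x04constructed archive"),              # honest archive
]


def triage(samples=SAMPLES) -> list:
    """Return the verdict dicts for every sample that should be blocked."""
    verdicts = [check_download(name, data) for name, data in samples]
    return [v for v in verdicts if v["block"]]


if __name__ == "__main__":
    for name, data in SAMPLES:
        print(check_download(name, data))
```

The check deliberately treats a `zip` signature as benign on its own: archives are legitimate downloads, and the point is the mismatch between what the page promised and what arrived, not the type itself.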
In addition, the search function in Windows File Explorer can be abused: a user is misled into searching for a nonexistent .ZIP file and, when no local file matches, Explorer opens the name in the web browser instead. This adds to the illusion, since the user expects to see a ZIP file and is instead shown the .zip website carrying the file archiver imitation, which makes it appear authentic.
This development coincides with Google's launch of eight new top-level domains (TLDs), including ".zip" and ".mov," raising concerns about their misuse for phishing and other online fraud. The confusion arises because .ZIP and .MOV are both legitimate file extensions, so unsuspecting users may be tricked into visiting harmful websites and unwittingly downloading malware when they believe they are merely opening a file.
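A mail gateway or proxy filter can surface the .zip/.mov ambiguity described above by parsing every URL-like token and checking whether its TLD doubles as a file extension. The Explorer behaviour mentioned above (a bare 'name.zip' with no matching file is opened as a web address) is why scheme-less tokens are treated as hosts here too. This is an added example written for this article, not code from the article, mr.d0x, Google or Trend Micro; the sample message text is constructed.

```python
"""Flag links whose hostname ends in a TLD that is also a common file extension.

Added example (not from the article or any vendor). The message body below is a
constructed sample, not a real phishing email.
"""
import re
from urllib.parse import urlsplit

# TLDs that are also everyday file extensions, so a link to them reads like a file name.
FILE_EXTENSION_TLDS = {"zip", "mov"}

# Matches scheme://host/... or a bare dotted name such as report.zip (optionally with a path).
TOKEN_RE = re.compile(r"(?:[a-z][a-z0-9+.-]*://\S+|\b[\w.-]+\.[a-z]{2,}\b(?:/\S*)?)", re.I)


def hostname_of(token: str) -> str:
    """Hostname of a URL-like token; scheme-less tokens are read as hosts, as a browser or Explorer would."""
    if "://" not in token:
        token = "http://" + token
    return (urlsplit(token).hostname or "").lower()


def classify(token: str) -> dict:
    """Describe one token: its host, its TLD and whether that TLD is a file extension."""
    host = hostname_of(token)
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    return {
        "token": token,
        "host": host,
        "tld": tld,
        "file_extension_tld": tld in FILE_EXTENSION_TLDS,
        # A one-label host plus such a TLD ('invoice.zip') is indistinguishable from a file name.
        "looks_like_filename": tld in FILE_EXTENSION_TLDS and host.count(".") == 1,
    }


def find_suspicious_links(text: str) -> list:
    """Return classification dicts, in order of appearance, for tokens whose TLD is a file extension."""
    seen, hits = set(), []
    for match in TOKEN_RE.finditer(text):
        token = match.group(0).rstrip(".,;)")
        if token in seen:
            continue
        seen.add(token)
        verdict = classify(token)
        if verdict["file_extension_tld"]:
            hits.append(verdict)
    return hits


# Constructed sample message body. A .zip in the URL *path* (last line) is not flagged:
# the ambiguity is in the hostname, not in a file name inside an ordinary domain.
SAMPLE_MESSAGE = """\
Hi, the Q2 figures are attached as invoice.zip and the walkthrough is in demo.mov.
Full archive: https://downloads.example.zip/quarterly/
Reference docs stay at https://docs.example.com/reports/q2.zip
"""

if __name__ == "__main__":
    for hit in find_suspicious_links(SAMPLE_MESSAGE):
        print(hit)
```

In a real deployment the flagged tokens would feed a rewrite or warning step rather than an outright block, since legitimate .zip and .mov domains exist; the `looks_like_filename` field separates the most confusable form (a single label plus TLD) from ordinary multi-label hostnames.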
As Trend Micro asserts, "ZIP files often feature as the first step in an attack chain, typically downloaded post user interaction with a harmful URL or email attachment." The addition of the .zip TLD could potentially serve as another avenue for malware download via ZIP-related URLs.
Public opinion on the risk factor of domain and file name confusion varies, but it does provide malicious actors another tool in their phishing arsenal.
Simultaneously, cybersecurity firm Group-IB reported a 25% increase in the use of phishing kits in 2022, recognizing 3,677 unique kits, a significant jump from the previous year.
Noteworthy is the increasing reliance on Telegram for harvesting stolen data, with usage nearly doubling from 5.6% in 2021 to 9.4% in 2022.
Furthermore, phishing attacks are becoming more sophisticated, with cybercriminals investing in detection evasion, often by building anti-bot measures and dynamic directories into their kits.
Group-IB detailed, "Phishing perpetrators generate random website directories, exclusively accessible to the recipient of a unique phishing URL and inaccessible without the original link," indicating that this method allows phishers to evade detection and blacklisting as the phishing material stays hidden.
05/29/2023 08:30
Marco Verro