Phishing and its derivatives (such as malspam and spear-phishing) continue to be the most common initial access entry point in the global threat landscape. Phishing kicks off the attack chain in over 40% of breaches, and attackers are constantly developing new strategies to trick potential victims into executing malicious payloads or giving up sensitive login credentials. Phishing typically relies on two primary components: social engineering and technical execution. Attackers need to get both right to pull off a successful attack.
When it comes to social engineering, emotions are often the trigger: enticing victims with the lure of pirated software or the promise of a more productive application, or appealing to a sense of authority by convincing someone they are communicating with an expert (as in tech support scams). However, invoking vulnerable feelings isn't the only ingredient in the social engineering cookbook. Naivety (taking advantage of a user's lack of technical understanding) can be equally effective. Technology is a fast-paced landscape of ever-changing standards, and the average user may be excused for not being on top of every new change, but exploiting a potential victim's ignorance is highly effective, even when users have been trained to be inherently untrusting.
Let's explore what you need to know about .zip domain phishing:
The .zip top-level domain (TLD) was registered by Google in 2014, but only recently became available to the general public for purchase. Almost immediately after Google began selling .zip domain names, security researchers began observing social engineering attacks built on the .zip TLD. The new attack leverages the .zip TLD to create confusion between some fairly fundamental IT concepts and, like many phishing attacks, seeks to have the victim execute a malicious payload.
To anyone who works in IT the difference between a file and a Uniform Resource Locator (or URL) is pretty obvious, and the same goes for identifying the difference between applications that run natively on a computer and web applications that run in a browser. However, to the average user, this may not be so obvious.
Here is how the new .zip TLD phishing attack works. Attackers craft a malicious link that ends with .zip. Most users would associate this with a .zip archive file that contains additional files. The .zip link leads to a malicious website designed to simulate the Windows file archiver software (e.g., WinRAR) and presents the user with a list of files that are supposedly contained in the fake .zip file. The website is rendered in HTML and CSS to look like a native application and the files look like PDF files. When clicking on one of the "PDF files" a malicious .exe executable file is downloaded to the user's machine that uses a fake file icon to appear to be the PDF they thought they were downloading.
In an interesting piece of research that explores this attack further, Bobby Rauch has prepared a demonstration of two URLs that are almost identical but behave differently: one links to GitHub, while the other downloads a .exe executable. Can you guess which one is the link to download a .zip file and which one leads to a .zip website?
https://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1271.zip
https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip
[Image: tricky-domains-1.png]
If you guessed (or were brave enough to explore on your own) that the first one leads to the .zip domain, you would be correct.
It's no wonder that the average person would have difficulty understanding domain name and URL syntax, considering there are edge cases where even major browsers don't handle them in the same way. This lack of understanding is what attackers have a nose for, and when they find a new way to create confusion they are quick to develop and deploy exploits.
As we have seen above, domains are complicated. Another common technique used to mask the true destination of a URL is to prepend a base domain (such as attacker.com) with subdomains that spoof commonly used websites. Take a look at the following URLs and guess which one would actually point to bank.com and which one would send a potential victim to the attacker-controlled domain:
https://bank.com.attacker.com/login
https://attacker.com.bank.com/login
[Image: tricky-domains-2.png]
If you guessed that the first one would take you to the bank website, you would be tricked. In the first example, bank.com has been prepended to the malicious attacker.com base domain as a subdomain; unfortunately, appearing first in the order doesn't make it the most significant part of the name. The rightmost labels (the registrable domain) decide who controls the destination.
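The two quizzes above come down to one question: which host does the browser actually connect to, and who controls it? The following Python script, added here as an illustration and not taken from the post or from Bobby Rauch's research, answers that for the four URLs above. It relies on the standard library's urlparse applying the real URL grammar (the authority ends at the first genuine "/", and anything before the last "@" is userinfo, not the host), and on a deliberately tiny, constructed stand-in for the Public Suffix List; a production check should use the real list.

```python
from typing import Optional
from urllib.parse import urlparse

# Characters that look like a slash to a reader but are not "/" to a URL
# parser. U+2215 (DIVISION SLASH) is the one used in the GitHub example above.
SLASH_LOOKALIKES = {"\u2215", "\u2044", "\u29f8"}

# Constructed, deliberately tiny stand-in for the Public Suffix List.
# A real implementation should consult the actual list.
PUBLIC_SUFFIXES = {"com", "net", "org", "zip", "co.uk"}

# The two quiz pairs from the post, written with escapes so the trick is visible.
SAMPLE_URLS = [
    "https://github.com\u2215kubernetes\u2215kubernetes\u2215archive\u2215refs\u2215tags\u2215@v1271.zip",
    "https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip",
    "https://bank.com.attacker.com/login",
    "https://attacker.com.bank.com/login",
]


def real_hostname(url: str) -> Optional[str]:
    """Return the host a browser will actually connect to, or None.

    Because the division slashes are not real path separators, the whole
    "github.com...tags/" run becomes userinfo before the "@", and the host
    is what follows it: v1271.zip.
    """
    try:
        return urlparse(url).hostname
    except ValueError:
        # Recent Pythons reject authorities whose NFKC form would gain a
        # delimiter; treat that as "no trustworthy host".
        return None


def registrable_domain(host: str) -> str:
    """Return the registered (rightmost meaningful) part of a host name.

    Whoever owns this part controls every subdomain under it, so
    bank.com.attacker.com is attacker.com's to serve, however it starts.
    """
    labels = host.lower().split(".")
    # Check two-label suffixes (co.uk) before one-label ones (com).
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def analyse(url: str) -> dict:
    """Summarise the properties a reviewer should check before trusting a link."""
    host = real_hostname(url)
    parsed = urlparse(url) if host else None
    return {
        "host": host,
        "registrable_domain": registrable_domain(host) if host else None,
        "has_userinfo": bool(parsed and "@" in parsed.netloc),
        "has_slash_lookalike": any(c in url for c in SLASH_LOOKALIKES),
        "zip_tld": bool(host and host.rsplit(".", 1)[-1] == "zip"),
    }


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u)
        for key, value in analyse(u).items():
            print(f"  {key:20} {value}")
```

Run as-is, the script reports v1271.zip as the host of the first URL (with userinfo and slash look-alikes flagged), github.com for the second, and attacker.com versus bank.com as the registrable domains of the last two. Note that the second URL ends in ".zip" only in its path, which is exactly the distinction between an archive download and a .zip website that the post is about.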
Fake file icons can be utilized to deceive users when it comes to .exe or .lnk files. By altering the icon displayed, malicious actors can trick individuals into believing that a file is harmless or legitimate when it is actually malicious.
Replacing the default icon with that of a Microsoft Office document, a PDF, or an image file is the most common variant. Such manipulation aims to exploit users' naivety and inherent trust so that they unknowingly execute potentially harmful files, setting off the first stage of the attack chain.
How can you protect yourself and others on the network from .zip TLD attacks? Let's look at some defensive measures.
The fact that the .zip TLD has only recently become available to the public means that 100% of .zip-based sites are malicious or, at a bare minimum, irrelevant.
Organizations can implement a network gateway or host-based firewall, and content filters that block emails or web traffic containing links with the .zip TLD. This proactive measure helps prevent users from accessing potentially malicious websites and falling victim to the .zip TLD phishing attack.
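As an added example of the content-filter rule described here (not code from the original post), the following Python snippet extracts explicit http(s) links from a message body or log line and flags those whose real host ends in .zip. It only matches links that carry a scheme; the sample message is constructed.

```python
import re
from urllib.parse import urlparse

# TLDs the organisation has chosen to block outright.
BLOCKED_TLDS = {"zip"}

# Matches explicit http(s) URLs up to the next whitespace or HTML delimiter.
# Bare host names without a scheme are deliberately not matched (see note).
URL_RE = re.compile(r"https?://[^\s<>'\"]+")


def is_blocked_url(url: str) -> bool:
    """True if the host the link actually resolves to ends in a blocked TLD."""
    try:
        host = urlparse(url).hostname
    except ValueError:
        # Authority that the parser refuses to interpret: fail closed.
        return True
    if not host:
        return False
    return host.rsplit(".", 1)[-1].lower() in BLOCKED_TLDS


def find_blocked_links(text: str) -> list:
    """Return every URL in text that is_blocked_url rejects, in order."""
    found = []
    for match in URL_RE.finditer(text):
        # Strip trailing sentence punctuation that is not part of the link.
        url = match.group(0).rstrip(".,;:)")
        if is_blocked_url(url):
            found.append(url)
    return found


# Constructed sample message body: two .zip hosts, one legitimate archive
# whose path (not host) ends in .zip, and one ordinary .com link.
SAMPLE_EMAIL = (
    "Hi, the installer is at https://files-update.zip/setup and the\n"
    "source archive is https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip.\n"
    "Mirror: https://mirror.example.zip:8443/get?id=7, docs at https://docs.example.com/.\n"
)


if __name__ == "__main__":
    for url in find_blocked_links(SAMPLE_EMAIL):
        print("BLOCK", url)
```

On the sample message the rule blocks the two links whose host is under .zip (including the one with an explicit port) and lets the GitHub archive through, because its ".zip" is in the path, not the host. One caveat for deployment: some mail clients auto-link a bare token such as "setup.zip" even without a scheme, so a stricter policy would also match scheme-less names ending in .zip, at the cost of false positives on ordinary file names mentioned in text.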
Educating users about the existence and tactics of .zip TLD phishing attacks is crucial. Organizations should conduct regular security awareness training sessions, emphasizing the importance of verifying file types and URLs before clicking on them.
Training should also include instructions on identifying suspicious links and files, and on the risks of executing files from unfamiliar sources. In this case, it is definitely worth mentioning that this is a novel attack that is only just surfacing, and it deserves critical attention.
Not surprisingly, a new social engineering attack is ready to take advantage of the less tech-savvy. To protect against .zip TLD phishing attacks, organizations need a multi-layered defense strategy. Blocking the .zip domain at the gateway and providing user awareness training are effective defensive measures. By combining technical controls with user education, organizations can significantly reduce the risk of falling victim to these deceptive attacks and enhance overall cybersecurity posture.
Ready to put this knowledge into practice? Contact our team today to get the ball rolling on making your organization's cybersecurity hacker-proof.