A researcher has demonstrated how cybercriminals can use “.zip” domains to harvest credentials and deliver malware to unsuspecting victims in phishing attacks.

In a blog post published on May 22, independent penetration tester “mr.d0x” showed how threat actors could imitate file archiver software inside a web page and host it on a “.zip” domain. The result is a phishing site that looks like a WinRAR archive window or a Windows File Explorer window rather than a browser tab.

This new phishing avenue represents a cybersecurity risk to both businesses and individuals.

‘File Archiver in the Browser’

On May 3, Google launched new top-level domains (TLDs), including “.zip,” “.mov,” “.phd,” and “.dad.” Security experts were quick to note that some of these domains, particularly “.zip” and “.mov,” are indistinguishable from common file extensions, so a string such as “report.zip” can now be a filename or a live hostname. Cybercriminals can take advantage of this ambiguity to trick users, and mr.d0x’s simulation shows how.

“The newly launched TLDs provide attackers with more opportunities for phishing,” he said.

mr.d0x’s blog post showed that attackers could emulate file archive software with plain HTML/CSS to create a page that looks exactly like a WinRAR file archive or a Windows 11 File Explorer window. Hosting this page on a “.zip” domain makes it “appear more legitimate,” because the address bar then shows what looks like an archive filename.

He highlighted how cybercriminals could use this spoof page to harvest users’ credentials and deliver malware.

“The first use case is to harvest credentials by having a new web page open when a file is clicked,” mr.d0x wrote. “Another interesting use case is listing a non-executable file and when the user clicks to initiate a download, it downloads an executable file [which can be used to deliver malware].”

The “Extract To” button on the fake WinRAR page can also deliver malware. The WinRAR archive page even has a “Scan” button, which makes it look more legitimate and fools users into thinking that malicious files are safe.

Another delivery mechanism is via Windows’ File Explorer search, mr.d0x said.

“Several people pointed out on Twitter that the Windows File Explorer search bar is a good delivery vector. If the user searches for mrd0x.zip and it doesn’t exist on the machine, it will automatically open it up in the browser,” he explained.

In an email to VPNOverview, mr.d0x noted that Windows File Explorer and WinRAR are commonly used, but criminals could emulate other software with this technique.

“Users should pay attention and understand the separation between browser and operating system components. The browser tries to make that separation clear, but with attacks such as File Archiver In the Browser, it makes it more difficult to tell if it’s a browser or operating system component,” he said.

mr.d0x also noted that the same lure page can serve as a delivery vehicle for browser exploits rather than a downloaded file. “These target a vulnerability in the user’s browser to gain remote access to the machine,” he wrote.

Protecting Against Attacks That Leverage Top-Level Domains

mr.d0x outlined different ways individuals and organizations can defend against these phishing attacks.

“Be wary of any files downloaded from the internet, double-check file extensions, and be cautious with unfamiliar software interfaces and the Windows File Explorer search bar,” he said.

“It’s highly recommended for organizations to block .zip and .mov domains as they are already being used for phishing and will likely only continue to be increasingly used,” mr.d0x added.
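The two pieces of advice above, watching for strings like “mrd0x.zip” that are really hostnames and blocking the .zip and .mov TLDs outright, can be turned into a simple check over proxy or DNS logs. The following is an added example written for this article; it is not code from mr.d0x’s post or from any product. The log format, the hostnames and the IP addresses are constructed for illustration, and the check only inspects the hostname a browser would connect to, so an ordinary download such as https://files.example.com/report.zip is not flagged while https://mrd0x.zip/invoice.exe is.

```python
"""Flag URLs and bare tokens whose top-level domain doubles as a file extension.

Added example for this article (not mr.d0x's code). Log lines below are constructed.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# TLDs from the May 2023 launch that read as file extensions; extend as needed.
FILE_EXTENSION_TLDS = {"zip", "mov"}

# A DNS hostname: one or more labels of letters/digits/hyphens, then an alphabetic TLD.
_HOSTNAME_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.IGNORECASE
)


def hostname_of(url: str) -> Optional[str]:
    """Return the host a browser would connect to for `url`, or None.

    A bare token with no scheme, such as 'mrd0x.zip', is treated the way an
    address bar or the Explorer search box treats it: as a hostname.  Local
    paths such as 'C:\\Users\\me\\report.zip' do not parse as a hostname and
    yield None.  Userinfo before '@' is stripped by urlsplit, so the real host
    of 'http://user@evil.mov/' is 'evil.mov'.
    """
    candidate = url if "://" in url else "http://" + url
    try:
        host = urlsplit(candidate).hostname
    except ValueError:
        return None
    if not host or not _HOSTNAME_RE.match(host):
        return None
    return host.lower()


def is_file_extension_tld(url: str) -> bool:
    """True when the connecting host's TLD is one that looks like a file extension."""
    host = hostname_of(url)
    return host is not None and host.rsplit(".", 1)[-1] in FILE_EXTENSION_TLDS


# Constructed proxy log: timestamp, client IP, method, URL, status.
SAMPLE_LOG = """\
2023-05-23T10:01:02Z 10.0.0.5 GET https://mail.example.com/inbox 200
2023-05-23T10:02:10Z 10.0.0.5 GET https://mrd0x.zip/ 200
2023-05-23T10:02:11Z 10.0.0.5 GET https://mrd0x.zip/invoice.exe 200
2023-05-23T10:03:44Z 10.0.0.7 GET https://files.example.com/report.zip 200
2023-05-23T10:04:01Z 10.0.0.9 GET http://user@evil.mov/watch 200
"""


def flag_log(log_text: str) -> List[Tuple[str, str]]:
    """Return (client IP, host) pairs for every request to a flagged TLD."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than guess
        client_ip, url = parts[1], parts[3]
        if is_file_extension_tld(url):
            hits.append((client_ip, hostname_of(url)))
    return hits


if __name__ == "__main__":
    for ip, host in flag_log(SAMPLE_LOG):
        print(f"{ip} -> {host}")
    # The Explorer search-bar case from the article: a bare token is a hostname.
    print("mrd0x.zip would open in the browser:", is_file_extension_tld("mrd0x.zip"))
```

Run against the constructed log, the scan reports the two requests to mrd0x.zip and the one to evil.mov and ignores the legitimate report.zip download. The same `is_file_extension_tld` check can back a proxy or DNS block rule for organisations that follow the blanket-block advice, or a lower-severity alert where blocking the whole TLD is not acceptable.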

mr.d0x also emphasized the importance of user education and awareness. You can learn about how to spot phishing sites and discover other ways to protect yourself from this threat in our guide to staying safe online.
