Don’t Click That ZIP File! Phishers Weaponizing .ZIP Domains to Trick Victims

.ZIP domains

A new phishing technique called “in-browser file archiver” can be used to “emulate” file archiver software in a web browser when a victim visits a .ZIP domain.

“This phishing attack simulates file archiver software (such as WinRAR) within your browser and uses a .zip domain to make it appear more legitimate,” security researcher mr.d0x revealed last week.

In a nutshell, attackers use HTML and CSS to create realistic-looking phishing landing pages that mimic legitimate file archive software, and host them on .zip domains to lend their social engineering campaigns extra credibility.

In a potential attack scenario, bad actors could use such a ruse to redirect users to a credential harvesting page when a file “contained” inside the fake ZIP archive is clicked.

“Another interesting use case is to list non-executable files, and when the user clicks to initiate a download, an executable file will be downloaded,” said mr.d0x. “Suppose you have an ‘invoice.pdf’ file. When a user clicks on this file, it will initiate a download of an .exe or other file.”

Windows File Explorer’s search bar can also act as a sneaky conduit: searching for a non-existent .ZIP file whose name happens to match a legitimate .zip domain opens that domain directly in the web browser.

“Users expect to see ZIP files, so this is perfect for this scenario,” said the researcher. “When a user does this, it automatically launches a .zip domain containing a file archive template, which looks legit.”

The development comes as Google rolls out eight new top-level domains (TLDs), including ‘.zip’ and ‘.mov’, amid concerns that they could facilitate phishing and other types of online fraud.

This is because both .ZIP and .MOV are legitimate file extension names, which could confuse unsuspecting users into visiting a malicious website when they believe they are opening a file, and into accidentally downloading malware.
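As an added example (not part of the article), here is a small defender-side check that flags hostnames in free text whose top-level domain is also a file extension. It distinguishes a bare token such as invoice.zip, which a mail client, chat app or the Explorer search bar may turn into a link, from a genuine URL whose path merely contains a .zip file. The TLD set and the sample message are constructed for this example.

```python
import re

# TLDs that collide with common file extensions. The article names .zip and
# .mov; extend the set as further collision-prone TLDs matter to you.
FILE_EXTENSION_TLDS = {"zip", "mov"}

# Hostname-like tokens ("invoice.zip", "update.example.mov"), optionally
# preceded by a scheme and followed by a path. The path group deliberately
# swallows "/files/archive.zip" so a .zip *file* on a normal host is not
# mistaken for a .zip *domain*.
_CANDIDATE = re.compile(
    r"(?P<scheme>https?://)?"
    r"(?P<host>(?:[a-z0-9-]+\.)+[a-z]{2,})"
    r"(?P<path>/[^\s\"'<>]*)?",
    re.IGNORECASE,
)


def tld_of(host: str) -> str:
    """Return the lowercase last label of a hostname."""
    return host.rsplit(".", 1)[-1].lower()


def find_file_extension_tlds(text: str) -> list[dict]:
    """Find hostnames in free text whose TLD doubles as a file extension.

    Each finding records the host, its TLD, and whether it appeared as an
    explicit URL (scheme present) or as a bare token that looks like a
    filename but would resolve as a domain if auto-linked.
    """
    findings = []
    for m in _CANDIDATE.finditer(text):
        host = m.group("host")
        tld = tld_of(host)
        if tld not in FILE_EXTENSION_TLDS:
            continue
        findings.append({
            "host": host.lower(),
            "tld": tld,
            "explicit_url": m.group("scheme") is not None,
            "match": m.group(0),
        })
    return findings


# Constructed sample message: two filename-looking tokens, one legitimate
# download URL with a .zip file in its path, and one explicit .zip-domain URL.
SAMPLE_MESSAGE = """Hi, the Q2 invoice is attached as invoice.zip and the clip as demo.mov.
The old archive is still at https://files.example.com/archive.zip,
and http://update-installer.zip/setup is the new installer."""

if __name__ == "__main__":
    for finding in find_file_extension_tlds(SAMPLE_MESSAGE):
        print(finding)
```

Only hosts are flagged, so a scanner built on this can raise the bare-token hits for user education and the explicit .zip-domain URLs for URL rewriting or blocking.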

“ZIP files are often used as part of the early stages of an attack chain, typically downloaded after a user visits a malicious URL or opens an email attachment,” Trend Micro said.

“Not only are ZIP archives used as payloads, but with the introduction of the .zip TLD, malicious actors may also use ZIP-related URLs to download malware.”

Opinions on the risks of conflating domain names with filenames are clearly mixed, but the overlap is expected to give malicious actors another vector for phishing.

The discovery comes as cybersecurity firm Group-IB announced a 25% surge in the use of phishing kits in 2022, identifying 3,677 unique kits, up from the previous year.

Of particular interest is the growing propensity to use Telegram to collect stolen data, almost doubling from 5.6% in 2021 to 9.4% in 2022.

That’s not all. Phishing attacks are also becoming more sophisticated, with cybercriminals increasingly focusing on building detection evasion features into their kits, such as the use of anti-bots and dynamic directories.

“Phishers create random website folders that are accessible only to recipients of personalized phishing URLs and cannot be accessed without the initial link,” said the Singapore-based company.

“This technique allows phishers to avoid detection and blacklisting because the phishing content itself is not revealed.”


According to a new report from Perception Point, the number of advanced phishing attacks attempted by threat actors increased by 356% in 2022. The total number of attacks increased by 87% over the year.

Phishing scams continue to evolve, with a new wave of attacks found to leverage compromised Microsoft 365 accounts and emails encrypted with restricted-permission messages (.rpmsg) to harvest user credentials.

“The use of encrypted .rpmsg messages means that the phishing content of messages containing URL links is hidden from email scanning gateways,” explained Trustwave researchers Phil Hay and Rodel Mendrez.

In another case highlighted by Proofpoint, legitimate Microsoft Teams functionality, such as meeting invitations, could be abused post-compromise to facilitate phishing and malware delivery by replacing the default URLs with malicious links via API calls.

“Another approach an attacker can take if they have access to a user’s Teams token is to use Teams’ API or user interface to weaponize existing links in sent messages,” the enterprise security company pointed out.

“This can be done by simply replacing harmless links with links pointing to malicious websites or malicious resources.”
