New Phishing Campaign Uses ‘File Archive in the Browser’ to Exploit ZIP Domains

Google recently released 8 new top-level domains – the bits at the end of a website address such as .com, .org, .ca, and so on – and cyber security researchers are not happy.

That’s because two of the top-level domains share their name with common file type extensions: .zip and .mov.

As the researchers indicated, criminal hackers could exploit the way web addresses are displayed on emails, web posts, and File Explorer to launch phishing attacks and malware campaigns.

The new domains, which also include .dad, .esq, .prof, .phd, .nexus, and .foo, were made available for public registration through any domain registrar on May 10, and there have already been signs that they are being used maliciously.

Why is this a problem?

The problem relates to the way software decides whether a piece of text is a web address. Many email clients, messaging apps and forums automatically turn a string into a hyperlink when it ends in something recognised as a top-level domain, so text such as example.com becomes clickable without anyone typing a link.

That link will often be a dead end, because nobody has registered the domain, but in other cases it will open a genuine webpage.

However, web addresses are not the only place full stops appear. They also separate a file name from its extension, and two of the most common extensions for files shared online are .zip (a compressed archive bundling one or more files) and .mov (a QuickTime video).

Because .zip and .mov are now valid top-level domains, a file name such as report.zip or holiday.mov mentioned in an email or chat message may be rendered as a link to the host report.zip or holiday.mov, and whoever has registered that domain controls where the click lands.
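To make the mechanism concrete, here is an added example (not code from the article or from any of the platforms it mentions): a deliberately simplified auto-linker of the kind chat and mail clients use, run against the same constructed message with a pre-2023 TLD list and with Google's new TLDs added. The TLD lists, the host-like regex and the sample message are all assumptions for illustration; real clients use far larger TLD lists and more elaborate heuristics. A second helper shows the defensive side: flagging tokens in a message that a reader would take for a file name but a client will treat as a host.

```javascript
// Added example: why "report.zip" in a message became a clickable link once
// .zip and .mov were delegated as TLDs. Constructed lists, not a real client's.

// A small stand-in for a pre-May-2023 TLD list (assumption for illustration).
const LEGACY_TLDS = new Set(["com", "org", "net", "ca", "io"]);
// The eight TLDs Google Registry opened for registration in May 2023.
const NEW_GOOGLE_TLDS = ["zip", "mov", "dad", "esq", "prof", "phd", "nexus", "foo"];
const CURRENT_TLDS = new Set([...LEGACY_TLDS, ...NEW_GOOGLE_TLDS]);

// Tokens of the form label.label(.label...): a simplistic model of the
// "looks like a hostname" heuristic an auto-linker applies to plain text.
const HOSTLIKE = /\b([a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+)\b/gi;

// Wrap every host-like token whose last label is a known TLD in an <a> tag.
function linkify(text, tlds) {
  return text.replace(HOSTLIKE, (match) => {
    const tld = match.split(".").pop().toLowerCase();
    return tlds.has(tld) ? `<a href="https://${match}">${match}</a>` : match;
  });
}

// Defensive helper for a mail or chat gateway: list tokens that read as a
// file name (.zip / .mov) but will now resolve as a host on one of the new TLDs.
const FILE_LIKE_TLDS = new Set(["zip", "mov"]);
function filenameLookingHosts(text) {
  const hits = [];
  for (const m of text.matchAll(HOSTLIKE)) {
    const tld = m[1].split(".").pop().toLowerCase();
    if (FILE_LIKE_TLDS.has(tld)) hits.push(m[1]);
  }
  return hits;
}

// Constructed sample message (not a real phishing lure).
const SAMPLE = "Please review report.zip and the demo in clip.mov, see example.com for details";

console.log("legacy TLD list :", linkify(SAMPLE, LEGACY_TLDS));
console.log("current TLD list:", linkify(SAMPLE, CURRENT_TLDS));
console.log("file-looking hosts:", filenameLookingHosts(SAMPLE));
```

With the legacy list only example.com is linked; with the current list report.zip and clip.mov become links to hosts the message author may never have intended, which is exactly the confusion squatters are exploiting. The second helper is the kind of check a gateway could apply to inbound mail before rewriting or flagging such tokens.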

Cyber criminals, having spotted the potential for confusion, have started squatting on domains that could be mistaken for files.

For instance, security researcher mr.d0x has developed a phishing toolkit that lets attackers create fake in-browser WinRAR windows and File Explorer windows, served from .zip domains, to trick users into thinking they have opened a .zip file.

“With this phishing attack, you simulate a file archiver software (e.g. WinRAR) in the browser and use a .zip domain to make it appear more legitimate,” explains a new blog post by the researcher.

In a demonstration with BleepingComputer, the toolkit was used to embed a fake WinRAR window directly in the browser when a .zip domain is opened.

[Image: the fake in-browser WinRAR window. Source: BleepingComputer]

In another example, discovered by the cyber intelligence firm Silent Push Labs, fraudsters purchased the domain ‘’.

A confused user might find the page after attempting to download the Microsoft Office suite. If they follow the instructions on the page, they will hand their login credentials to the criminal operating the website.

How concerned should you be?

Although many experts have condemned Google for its carelessness in creating a new threat vector, it’s unclear how much of a threat this will pose.

It’s unlikely that cyber criminals will register thousands of domains to try and catch specific instances of people clicking a certain .zip or .mov domain name. However, it only takes one mistake for someone to install malware and the entire network to be compromised.

Cyber criminals might also find more effective ways to leverage this threat rather than simply squatting on domains and hoping that people find their way on to the site.

For the time being, users can protect themselves with the same habits that apply to standard phishing scams: avoid links or downloads from unknown senders, check that senders’ email addresses are genuine, hover over a link to see where it really points before clicking, and treat any web page that claims to be a file archiver or File Explorer window with suspicion, since a real .zip file does not open in a browser tab. Organisations with no business need for these top-level domains can also block or alert on .zip and .mov traffic at the DNS resolver or web proxy.

You can find more advice with IT Governance’s Phishing Staff Awareness E-Learning Course.

This online course explains everything you need to know about scams, from phony text messages and emails to telephone con artists.

Your staff will learn about specific cons, the consequences of a successful attack, and how to identify a bogus message before it’s too late.
