The new technique has an attacker simulate a file-archiving app in the web browser to trick victims who try to access a .zip domain.

A new phishing technique can leverage the “file archiver in browser” exploit to emulate an archiving application in the web browser when a victim visits a .zip domain, according to a security researcher identifying as mr.d0x. The attacker essentially simulates a file-archiving application such as WinRAR in the browser and hosts it under a .zip domain to stage the phishing attack.

“Performing this attack first requires you to emulate a file archive software using HTML/CSS,” said mr.d0x in a blog post. “I’ve uploaded two samples to my GitHub for anyone to use. While the first one emulates the WinRAR file archive utility, the other one emulates the Windows 11 File Explorer window.”

Technique identified after Google’s new TLDs

The technique came to light days after Google released eight new top-level domains (TLDs), including .mov and .zip. Many members of the security community raised concerns that the new TLDs can be mistaken for file extensions, specifically .mov and .zip, as mr.d0x pointed out. Both .zip and .mov are valid file extensions, which can confuse unsuspecting users: they might visit a malicious website when they believe they are opening a file, inadvertently downloading malware in the process.

Reactions to the risk posed by confusing domain names with file names have been mixed, but almost everyone agrees that it can be expected to give bad actors, in some capacity, another vector for phishing. “The newly launched TLDs provide attackers with more opportunities for phishing. It’s highly recommended for organizations to block .zip and .mov domains as they are already being used for phishing and will likely only continue to be increasingly used,” mr.d0x added.

The hack has multifold use cases

In the blog post, mr.d0x identified advantages of the .zip simulation for phishers, since it provides several “cosmetic features” for them. WinRAR, for instance, has a “scan” icon that lends the listed files an appearance of legitimacy. It also has an “extract to” button that can be used for dropping payloads.

Also, “once the simulation content is set up on the miscreants’ .zip domain, they have several possibilities to trick the users,” mr.d0x said. One use case mr.d0x demonstrated is harvesting credentials by opening a new web page when a file is clicked. This redirection can lead to a phishing page built to steal sensitive credentials.

Another demonstrated use case “is listing a non-executable file and when the user clicks to initiate a download, it downloads an executable file.” For instance, an “invoice.pdf” entry can, when clicked, initiate the download of a .exe or any other file.

On Twitter, a number of individuals also highlighted that the search bar in Windows File Explorer can serve as an effective means of delivering malicious content. In this scenario, when a user searches for a non-existent .zip file on their machine, as directed by a phishing email, the search results automatically open the malicious browser-based .zip domain.
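The blocking recommendation above can be checked against existing telemetry before a blanket rule is rolled out. The following is an added example (not mr.d0x's code or anything from the article): it flags proxy-log requests whose host ends in a file-extension-like TLD, and separately flags bare "invoice.zip"-style tokens in email text that a user might type into an address bar. The log format and all sample lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# TLDs that double as common file extensions (the two the article discusses).
FILE_EXTENSION_TLDS = frozenset({"zip", "mov"})

# Constructed sample proxy log: timestamp, client IP, method, URL, status.
SAMPLE_PROXY_LOG = """\
2024-05-03T10:01:12Z 10.0.0.7 GET https://www.example.com/reports/q1.zip 200
2024-05-03T10:02:40Z 10.0.0.7 GET https://invoice-2024.zip/ 200
2024-05-03T10:03:05Z 10.0.0.9 GET http://Update.Example.ZIP:8080/setup 302
2024-05-03T10:04:51Z 10.0.0.9 GET https://cdn.example.net/clip.mov 200
2024-05-03T10:05:13Z 10.0.0.12 GET https://promo.mov/index.html 200
"""

def registrable_tld(hostname):
    """Return the lowercase last DNS label of a hostname, or None."""
    if not hostname:
        return None
    labels = hostname.lower().rstrip(".").split(".")
    return labels[-1] if len(labels) > 1 else None

def is_file_extension_tld(url):
    """True when the URL's *host* ends in .zip/.mov. urlsplit().hostname is
    already lowercased and port-stripped, so 'http://Update.Example.ZIP:8080/'
    is caught, while a genuine download path like /reports/q1.zip is not."""
    return registrable_tld(urlsplit(url).hostname) in FILE_EXTENSION_TLDS

def flag_proxy_log(log_text):
    """Return [(client_ip, hostname, url)] for every request to a .zip/.mov host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line: skip rather than crash the sweep
        _ts, client, _method, url, _status = parts[:5]
        if is_file_extension_tld(url):
            hits.append((client, urlsplit(url).hostname, url))
    return hits

# Bare tokens in mail such as "invoice.zip" are ambiguous: a browser address
# bar may resolve them as hostnames. Flag them for mail filtering review.
_BARE_HOST = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:zip|mov))\b", re.I)

def bare_file_like_hosts(text):
    """Return lowercase tokens that read as filenames but resolve as .zip/.mov hosts."""
    return sorted({m.group(1).lower() for m in _BARE_HOST.finditer(text)})
```

The regex deliberately tolerates false positives (a .zip at the end of a URL path is reported too); the intent is triage input, not an automatic block.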