Following Google's decision to offer a new wave of eight top-level domains (TLDs), including .zip, a security researcher showed how attackers could use this domain in a phishing scheme.
The TLDs Google made available are .dad, .phd, .prof, .esq, .foo, .zip, .mov, and .nexus. From a cybersecurity perspective, the most interesting one is .zip, because it opens the door to new attacks.
Security researcher mr.d0x showed how criminals could imitate the look and functionality of file-archiving software, rendered inside the browser, when a user accesses a webpage hosted on a .zip domain.
"Performing this attack first requires you to emulate a file archive software using HTML/CSS," mr.d0x explained. "The WinRAR sample has a few cosmetic features that can increase the legitimacy of the phishing page. For example, the 'Scan' icon creates a message box stating that the files are safe."
The idea of the attack is simple. The user is tricked into believing that accessing a link opened a real archive. This in itself could be used in a couple of ways.
"The first use case is to harvest credentials by having a new web page open when a file is clicked," the security researcher explained.
"Another interesting use case is listing a non-executable file and when the user clicks to initiate a download, it downloads an executable file. Let's say you have an 'invoice.pdf' file. When a user clicks on this file, it will initiate the download of a .exe or any other file," he added.
While the main focus for these use cases has been phishing attacks, persuading a user to download and run a .exe file could pave the way to many more dangerous situations. The security researcher's advice was for companies, at least, to block .zip and .mov domains.
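The ambiguity the researcher exploits is that a host such as invoice.zip reads like a file name while a path such as example.com/invoice.zip really is one. As an added example (not code from the article or from mr.d0x), the following triage helper applies the blocking advice above to links found in a message body: it flags only URLs whose host's top-level domain is .zip or .mov, and leaves ordinary downloads of archives from other domains alone. The sample message, the `FILE_LIKE_TLDS` set and the function names are constructed for the example.

```python
"""Flag links whose hostname sits under a TLD that doubles as a file extension."""
import re
from urllib.parse import urlsplit

# TLDs that collide with common file extensions; the article's advice covers .zip and .mov.
FILE_LIKE_TLDS = {"zip", "mov"}

# Matches either a full URL or a bare host-like token such as "invoice.zip",
# since mail and chat clients turn the latter into a clickable link as well.
LINK_RE = re.compile(r"(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:[/?#][^\s]*)?")


def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL, adding a scheme if the input lacks one."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def tld_of(host: str) -> str:
    """Return the last label of a hostname, or '' when there is no dot."""
    return host.rsplit(".", 1)[-1] if "." in host else ""


def is_file_like_domain(url: str) -> bool:
    """True when the link's host, not its path, ends in a file-extension-like TLD."""
    return tld_of(host_of(url)) in FILE_LIKE_TLDS


def find_flagged_links(text: str) -> list[str]:
    """Extract link-like tokens from a message body and keep those worth blocking."""
    return [link for link in LINK_RE.findall(text) if is_file_like_domain(link)]


# Constructed sample message: one legitimate archive download on a .com host,
# one link hosted on a .zip domain, and one bare token that auto-links to a .mov host.
SAMPLE = (
    "Hi, the archive is at https://files.example.com/invoice.zip\n"
    "or mirror at https://invoice.zip/open and the demo clip at see.mov"
)

if __name__ == "__main__":
    for link in find_flagged_links(SAMPLE):
        print("flagged:", link)
```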
Silviu is a seasoned writer who has followed the technology world for almost two decades, covering topics ranging from software to hardware and everything in between.