Sunday, May 26, 2024

Protecting Your Online Safety: The Hidden Risk of .ZIP in Domains


A groundbreaking phishing method called “file archiver in the browser” has emerged, posing a significant threat to online users. Security researcher mr.d0x recently unveiled this technique, which involves simulating a file archiver software within a web browser, thereby deceiving victims when they visit a .ZIP domain.

In this phishing attack, threat actors build realistic landing pages in HTML and CSS that mimic genuine file archiver software. Hosting these pages on .zip domains enhances the credibility of the social engineering campaign.

Using this technique, cybercriminals exploit victims’ trust by redirecting them to a credential harvesting page when they click on a file “contained” within the fake ZIP archive. The deception also extends to downloads: a file shown with a non-executable name can deliver an executable. For instance, clicking on an innocuous-sounding “invoice.pdf” file could initiate the download of a harmful .exe file.

Even the search bar in Windows File Explorer becomes a covert conduit for this phishing technique. Searching for a non-existent .ZIP file triggers the direct opening of the corresponding web page in the browser, exploiting users’ expectations and making the ruse appear genuinely legitimate.

The emergence of new top-level domains (TLDs), including “.zip” and “.mov,” introduced by Google, has raised concerns about potential phishing and online scams. Users may inadvertently visit malicious websites instead of opening legitimate files due to the confusion between domain names and file extensions.
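A defender-side illustration of the ambiguity described above, added here and not taken from the original article or from mr.d0x’s research: a small Python scanner that flags tokens in a message body which read as file names but which a browser or Explorer would resolve as hostnames under the .zip or .mov TLD. The regex, the field names and the TLD set are my own assumptions and can be extended.

```python
import re

# TLDs that collide with common file extensions (assumption: the two the
# article discusses; extend as other such TLDs appear).
FILE_EXTENSION_TLDS = {"zip", "mov"}

# Matches a host-like token such as "invoice.zip" or "update.example.zip",
# with an optional http(s) scheme and an optional path. Labels are
# letters, digits and hyphens; the TLD must be alphabetic.
_HOST_TOKEN = re.compile(
    r"(?i)\b(?:(?P<scheme>https?://))?"
    r"(?P<host>(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+(?P<tld>[a-z]{2,63}))"
    r"(?P<path>/[^\s<>\"']*)?"
)


def find_extension_tld_lures(text):
    """Return findings for tokens that look like file names but would be
    treated as hostnames because their last label is a live TLD.

    A legitimate URL such as https://files.example.com/archive.zip is NOT
    flagged: the match consumes the whole URL, so ".zip" in the path is
    never examined as a TLD on its own.
    """
    findings = []
    for m in _HOST_TOKEN.finditer(text):
        tld = m.group("tld").lower()
        if tld not in FILE_EXTENSION_TLDS:
            continue
        findings.append({
            "token": m.group(0),
            "host": m.group("host").lower(),
            "tld": tld,
            # True when written as a URL; False for a bare token that a
            # mail client or Explorer search box may silently linkify.
            "explicit_url": m.group("scheme") is not None,
        })
    return findings


if __name__ == "__main__":
    # Constructed sample message body for demonstration.
    sample = ("Invoice attached as invoice.zip. Also see "
              "https://files.example.com/archive.zip and "
              "http://update.example.zip/setup")
    for hit in find_extension_tld_lures(sample):
        print(hit)
```

Bare hits are the interesting ones for an email gateway: the sender may mean a file, but the recipient’s client may render a clickable link to an attacker-registered domain.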

According to Trend Micro, ZIP files are a favored payload delivery mechanism in cyber-attacks, often employed during the initial stages of an attack chain. The introduction of the .zip TLD may enable threat actors to leverage ZIP-related URLs for malware distribution, exacerbating the risks associated with phishing attacks.

As the threat landscape continues to evolve, the use of phishing kits surged by 25% in 2022, with cybercriminals increasingly exploiting Telegram as a platform for collecting stolen data. Phishing attacks are becoming more sophisticated, incorporating detection evasion techniques such as anti-bot checks and dynamic directories.

Perception Point’s latest report highlights a staggering 356% rise in advanced phishing attacks attempted by threat actors in 2022. Additionally, the total number of phishing attacks increased by 87% throughout the year. These malicious schemes are constantly evolving, with attackers leveraging compromised Microsoft 365 accounts and restricted-permission message (.rpmsg) encrypted emails to harvest user credentials.

Trustwave researchers have identified instances of attackers harnessing encrypted .rpmsg messages to conceal the phishing content, including URL links, from email scanning gateways. Moreover, Proofpoint has drawn attention to the potential misuse of legitimate features in Microsoft Teams for phishing and malware delivery, where attackers manipulate API calls to replace default URLs with malicious links in meeting invites.

As phishing techniques become increasingly advanced and threat actors continue to exploit innovative methods, users must remain vigilant and adopt robust security measures to safeguard their sensitive information and prevent falling victim to these sophisticated attacks.



