Phishing has been a digital thorn in the side of cybersecurity for decades. These unsolicited, cleverly disguised messages are the wolf in sheep's clothing of the digital world, always looming, waiting for an unsuspecting employee to click on a malicious link or attachment that can send a company into crisis.
In the ever-evolving cybersecurity landscape, understanding the phishing threat has become more critical than ever. It is catalogued as technique T1566 (Phishing) under the Initial Access tactic of the MITRE ATT&CK framework. The FortiGuard Labs Global Threat Landscape Report for the second half of 2022 identifies phishing as the primary method used to gain initial access in a network breach, laying the groundwork for the later stages of an attack, and the 2023 Global Ransomware Research Report reaches the same conclusion.
One technique used by threat actors is to disguise their phishing attacks with creative names that look legitimate to the casual reader but that link to malicious sites. In this blog, we will look into a new threat resulting from the addition of a new Top-Level Domain (TLD), '.ZIP'.
TLDs are the final segment of a domain name, traditionally '.COM,' '.NET,' '.ORG,' and so forth. They sit at the top of the internet's hierarchical Domain Name System (DNS). As the internet has grown, ICANN's new gTLD program has added more than a thousand generic Top-Level Domains (gTLDs) to give organizations and individuals more personalized and specific web addresses. While these new gTLDs open up opportunities for branding and availability, they also present new opportunities for abuse by phishers, which we must all be aware of.
Cybercriminals are always on the lookout for new opportunities and techniques to exploit, and the recent availability of '.ZIP' domains for public purchase (Google Registry opened general registration of .ZIP in May 2023) has unfortunately created such an opportunity. While the growing pool of gTLDs has already made phishing detection more difficult, adding .ZIP is especially noteworthy because the same string is far better known as the file extension for compressed archives. This new domain extension will likely create confusion, especially among non-technical users, giving phishers a new and potentially effective tool to add to their arsenals.
In phishing campaigns, a common tactic is to make malicious websites appear as legitimate as possible. Using a .ZIP domain can add an air of authenticity to a fraudulent site. A user may mistake the .ZIP in the URL for a file extension, believing they are downloading a file rather than visiting a malicious website.
The cybersecurity community already understands the security implications of this new TLD. Fortunately, several responsible netizens have taken it upon themselves to help stem the tide of abusable domain names. For example, since ChatGPT is currently a hot topic, "chatgpt5[.]zip" was registered on May 20th and served a download link, presumably for the next iteration of the GPT engine.
Figure 1. New .ZIP domain for a fake chatbot
But instead of malware, the zip archive contains an innocuous text message:
Figure 2. Safe contents of the served zip archive
Other netizens set out to protect students from malware and registered "assignment[.]zip" on May 15th.
Figure 3. Fake attack geared for students
Visitors are automatically redirected to download a ZIP archive containing clean files.
This group of virtual Good Samaritans also includes jokesters that use these TLDs to redirect users to surprise content. Apparently, in 2023, rickrolling is still alive and well!
In another case, we found a domain named "voorbeeld[.]zip" registered on May 20th. The term "voorbeeld" translates to "example" in Dutch. What was this website trying to be an example of?
Figure 4. Example phishing page
It did not appear to be collecting any information at the time of this writing. It could be a mock-up created by a researcher, or it may be an unfinished phishing page by a bad actor.
But these examples aside, new campaigns and malicious websites are being created that exploit the familiarity of the .ZIP file extension. In the early days of the Internet, malicious actors took advantage of a technique known as domain squatting (today usually called cybersquatting, or typosquatting when it relies on misspellings): grabbing a domain name very similar to a popular website to catch people who mistyped a URL or misread a link in a phishing email.
Without skipping a beat, we noticed the following domains were quickly registered:
| Date | Domain |
| --- | --- |
| May 15th | joomla[.]zip |
| May 15th | msnbc[.]zip |
| May 19th | nozominetworks[.]zip |
In 1999, the USA passed the Anticybersquatting Consumer Protection Act (ACPA). It gives trademark owners a civil cause of action against anyone who, in bad faith, registers a domain name that is identical or confusingly similar to their mark. And in fact, one of the domains above was removed within a couple of days. However, the ACPA only protects names that are trademarked. Other names and topics are still fair game for domain flipping.
Figure 5. Domain for sale
Aside from making money, we also saw a website attempting a classic zip bomb attack. On May 15th, the domain "42[.]zip" was registered, and visiting it automatically downloaded a zip archive. Like its namesake, it resembles the zip bomb described on the referenced Wiki page: the original 42.zip is a roughly 42 KB archive of nested archives that expands to about 4.5 petabytes when fully unpacked, enough to exhaust the disk or memory of anything that extracts it recursively.
Not to be outdone, phishers also began creating their own pages. The domains "excelpatch[.]zip" and "outlook365update[.]zip" both presented the same stock login screen:
Figure 6. Fake Google login page for MS Office products
It is getting harder and harder to tell a genuine login page from a fake one by eye; often the URI itself is the only reliable tell.
RFC 3986 defines the general syntax for URIs. Take the following example.
Figure 7. URI syntax
The authority portion breaks down further into [userinfo@host:port], where userinfo is usually a username and password combination. Not all parts are required: HTTPS is understood to use port 443, so the port can be omitted, and the userinfo field normally appears only for sites that use HTTP basic authentication (RFC 3986 actually deprecates embedding a password this way, and modern browsers strip it or warn about it). For sites that don't use such authentication, the field is simply ignored. In this fake scenario, our domain is not using basic auth, so visiting hxxps://www[.]my-example-domain[.]com is effectively the same as visiting hxxps://my_name:my_password@www[.]my-example-domain[.]com: the host the browser connects to is whatever follows the last '@' in the authority. This distinction will be important in the next section.
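As an added example (not code from the original post), here is a small Python check that applies the RFC 3986 authority split shown in Figure 7 and also surfaces the non-ASCII slash lookalikes that the next paragraph introduces. The sample URLs are constructed for illustration: the page's own my-example-domain.com, with and without userinfo, and a deceptive URL whose "path" before the '@' is written with DIVISION SLASH (U+2215) so that the real host becomes the fictitious not-a-real-host.zip.

```python
from urllib.parse import urlsplit
import unicodedata

# Characters that render like "/" but are not the ASCII solidus (U+002F),
# so a URL parser treats them as ordinary userinfo/host characters
# instead of as the end of the authority.
SLASH_LOOKALIKES = {
    "\u2044",  # FRACTION SLASH
    "\u2215",  # DIVISION SLASH
    "\uff0f",  # FULLWIDTH SOLIDUS
}

# Constructed sample URLs (assumptions for this example, not real sites).
PLAIN = "https://www.my-example-domain.com"
BASIC_AUTH = "https://my_name:my_password@www.my-example-domain.com"
DECEPTIVE = ("https://www.my-example-domain.com"
             "\u2215downloads\u2215report@not-a-real-host.zip")


def effective_host(url):
    """Host the client actually connects to: the part of the authority
    after the last '@' and before any ':port'. Returns '' if the URL
    cannot be parsed (urlsplit rejects authorities whose NFKC form would
    introduce delimiters, e.g. FULLWIDTH SOLIDUS)."""
    try:
        return urlsplit(url).hostname or ""
    except ValueError:
        return ""


def inspect_url(url):
    """Decompose a URL the way RFC 3986 does and explain why it looks
    suspicious, if it does."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return {"host": "", "userinfo": None, "lookalikes": [],
                "verdict": f"rejected: {exc}"}

    userinfo = None
    if parts.username is not None:
        userinfo = parts.username
        if parts.password is not None:
            userinfo += ":" + parts.password

    # Any non-ASCII character in the authority deserves a second look;
    # the slash lookalikes are called out explicitly.
    lookalikes = sorted({c for c in parts.netloc if not c.isascii()})

    reasons = []
    if userinfo is not None:
        reasons.append("text before '@' is userinfo, not the host")
    if lookalikes:
        names = ", ".join(
            f"U+{ord(c):04X} {unicodedata.name(c, 'UNKNOWN')}"
            + (" (slash lookalike)" if c in SLASH_LOOKALIKES else "")
            for c in lookalikes)
        reasons.append(f"non-ASCII characters in authority: {names}")

    verdict = ("suspicious: " + "; ".join(reasons)) if reasons else "ok"
    return {"host": parts.hostname or "", "userinfo": userinfo,
            "lookalikes": lookalikes, "verdict": verdict}


if __name__ == "__main__":
    for label, url in [("plain", PLAIN), ("basic auth", BASIC_AUTH),
                       ("deceptive", DECEPTIVE)]:
        info = inspect_url(url)
        print(f"{label:10} host={info['host']!r} "
              f"userinfo={info['userinfo']!r} -> {info['verdict']}")
```

Running it shows that the first two URLs resolve to the same host, while the deceptive one, which looks like a download path on my-example-domain.com, actually connects to not-a-real-host.zip; everything in front of the '@' is discarded as userinfo. The same split is what a browser performs, which is why a filter that only looks at the visible "domain" at the start of a link is not enough.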
Another thing to note about domain names is that some TLDs (such as .COM and .ORG) allow internationalized domain names (IDN), which make it possible to use other character sets so that domain names in other languages display properly. However, this opens the door to abuse of certain characters. The regular "/" that we use daily in URIs is the ASCII solidus (U+002F). The General Punctuation block includes the visually similar FRACTION SLASH "⁄" (U+2044), and the Mathematical Operators block includes the character "