uTalk

Official forum for Utopia Community

You are not logged in.

#1 2023-05-29 23:15:32

thrive
Member
Registered: 2023-01-04
Posts: 1,963

Using ZIP Domains to Dupe People

OecyZUe.png
When a victim visits a .ZIP domain, a new phishing technique known as "file archiver in the browser" can be used to "emulate" a file archiver software in a web browser.

"In this phishing attack, you pose as a file archiver program (e.
g.
, WinRAR) in the browser and use a .zip domain to give it a more trustworthy appearance, according to information released last week by security researcher mr.d0x.

To put it simply, threat actors could elevate social engineering campaigns by using HTML and CSS to build a convincing-looking phishing landing page that imitates authentic file archive software. They could then host the page on a .zip domain.

When a file "contained" within the fake ZIP archive is clicked, a thief might use such cunning to direct users to a page that collects credentials in a potential attack scenario.

Another intriguing use case, according to mr.d0x, is listing a non-executable file and having the user click to start a download result in the download of an executable file. Imagine you have an invoice. A pdf file. This file will start the download of any file, including a .exe, when a user clicks on it.
".


Additionally, if a nonexistent .ZIP file is searched for in the Windows File Explorer search bar and the file name matches a real .zip domain, the nonexistent .ZIP file will open in the web browser.

The user would expect to see a ZIP file, so this is ideal for this scenario, according to the researcher. "Once the user does this, it will automatically launch the .zip domain, which has the template for a file archive and looks fairly official. ".

The change happened as Google unveiled eight brand-new top-level domains (TLDs), among them ". Zip" and "dot mov," which have sparked some worry that they might encourage phishing and other online scams.

This is due to the fact that .ZIP and .MOV are both valid file extension names, which may lead unwary users to visit a malicious website rather than open a file and trick them into unintentionally downloading malware.

According to Trend Micro, "ZIP files are frequently used as the first step in an attack chain, typically being downloaded after a user accesses a malicious URL or opens an email attachment.".

"With the introduction of the .zip TLD, malicious actors are likely to use ZIP-related URLs for downloading malware in addition to using ZIP archives as a payload.
".


It is anticipated that this will give actors acting in bad faith yet another phishing vector, despite the fact that opinions on the risk posed by domain name and file name confusion are decidedly divided.

Additionally, Group-IB, a cybersecurity company, reported that it found 3,677 unique phishing kits in 2022, a 25% increase from the year before.

The trend of using Telegram to gather stolen data is on the rise, nearly doubling from 5.6 percent in 2021 to 9.4 percent in 2022, and this is particularly interesting.

This is not all. Phishing attacks are also becoming more sophisticated, with cybercriminals concentrating on supplying the kits with detection evasion tools like the use of antibots and dynamic directories.

The Singapore-based company claimed that "phishing operators create random website folders that are only accessible by the recipient of a personalized phishing URL and cannot be accessed without the initial link.".

"This method enables phishers to avoid detection and blacklisting because the phishing content won't reveal itself. ".

A recent report from Perception Point claims that threat actors attempted 356 percent more advanced phishing attacks in 2022. Throughout the year, there were 87 percent more attacks overall.

A new wave of attacks that have been seen using hacked Microsoft 365 accounts and restricted-permission messages () serve as an example of how phishing schemes are still evolving. Users' credentials were harvested using rpmsg) encrypted emails.

According to Trustwave researchers Phil Hay and Rodel Mendrez, "The use of encrypted .rpmsg messages means that the phishing content of the message, including the URL links, are hidden from email scanning gateways.".

Another incident that Proofpoint has brought to light involves the potential abuse of Microsoft Teams' legitimate features to spread malware and phishing. This includes the use of meeting invitations that have been compromised and have had their default URLs replaced with malicious links.

Using Teams' API or user interface to weaponize existing links in sent messages is another strategy that attackers can use, provided they have access to a user's Teams token, according to the enterprise security firm.

"This could be achieved by simply swapping out links leading to trustworthy websites for links leading to dubious websites or malicious resources. ".

Offline

Board footer

Powered by FluxBB