Skip to content

Google’s Zip domains are already being abused for phishing attacks

  • by
  • 3 min read

A new phishing kit dubbed “File Archivers in the Browser” is abusing Zip domains that Google started offering earlier in May to show fake Winrar or Windows File Explorer windows in the victim’s browser to convince them to launch malicious files.

Google announced eight new domains including .dad, .phd, .prof, .esq, .foo, .zip, .mov and .nexus on May 3. Since their release, it’s been heavily debated that some of these domains, like .zip and .mov could be used to trick users into opening malicious websites that could compromise their machines. This newly discovered toolkit is one of the first examples we’ve seen of this theory coming to fruition. 

The toolkit also shows a fake security prompt to assuring victims. | Source: mr.dox

The main danger here is that as these zip domains become more popular, string names like ‘download.zip’ will automatically be parsed into a link. This link then redirects user to another malicious page. However, just like any other phishing campaign, the first part of the attack is to convince the user to open the link in the first place.

As for the exploit itself, security researcher mr.dox has come up with a set of files that’ll automatically create a fake in-browser Winrar instance or File Explorer window that can then be shown on these .zip domains, tricking the user into thinking that they’re opening a zip file. To give these fake windows a more convincing appearance, the page even shows a prompt that scans the files and shows no threats. 

The toolkit isn’t foolproof though as there’s only so much you can remove from a browser window. While it still shows the URL bar at the top, it’s convincing enough to trick at least some novice or uninformed users into thinking they’re viewing a Winrar archive or a File Explorer window. The latter is still under development and missing a few things, however. 

The toolkit can be used for credential harvesting by tricking victims. | Source: mr.dox

The toolkit can be used for credential theft and malware delivery. Users can be tricked into entering credentials to view a file or have malware delivered to their systems by displaying a fake PDF file that in turn downloads an executable of the same name when clicked. Since Windows doesn’t show file extensions by default, it’s likely that unsuspecting victims will end up launching a malicious executable instead of a PDF file. 

In the News: Nvidia is bringing generative AI to games with ACE

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.

>