New Threat: Hackers Register ‘.ZIP’ Domains to Perform Phishing Attacks
Fortinet experts told how to protect yourself from the traps of intruders.
Security researchers from FortiGuard Labs have found that attackers are using a new way to deceive Internet users: they register domains with the “.ZIP” extension, the same suffix that is commonly used for compressed files.
Top-level domains (TLDs) are the final segment of a domain name, such as “.COM”, “.ORG” or “.NET”. Over time, hundreds of so-called “generic TLDs” (gTLDs) have emerged, offering organizations and users individual addresses that match their brand, such as “Z.cash”, “X.team” or “Vacation.rentals”.
According to the FortiGuard report, generic TLDs have opened up new avenues for attackers, and the availability of “.ZIP” domains for purchase has greatly expanded the possibilities for abuse. The advent of gTLDs had already made phishing attacks harder to detect; the addition of the “.ZIP” domain now creates confusion among inexperienced users, because a name like “file.zip” can be read either as a file or as a website.
For example, the domain “businesscentral[.]zip”, which appeared on May 15, immediately downloaded a malicious file called “file.exe” to the visitor’s computer. Another domain, “chatgpt[.]zip”, registered on May 20, offered an archive with the latest version of the ChatGPT chatbot, but, of course, the archive contained a malicious file.
(Image caption) A joking note from the hackers telling the victim they have been “caught”.
Another domain, “assignment[.]zip”, redirected users to empty archives, and the domain “voorbeeld[.]zip” contained no content at all. The researchers note that no malicious activity has yet been recorded for these domains, but they could be used for it in the future.
One real example of a threat is “42[.]zip”, which also appeared on the Web on May 15. It immediately downloads a malicious file, a so-called “ZIP bomb”: an archive that unpacks into a huge amount of data and consumes all the available space on the victim’s computer.
To protect against such attacks, FortiGuard Labs advises users to block “.ZIP” domains on their firewalls, use web filters and browser extensions to check sites, and always inspect a URL before visiting it, especially when it was sent by an outside party.
You should also regularly update your antivirus software, operating system, browser, and other installed software to close potential security holes on your computer.
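The advice above to inspect URLs and to filter “.ZIP” domains can be turned into a simple check. The following Python scanner is an added example, not code from the article or from FortiGuard; the sample messages are constructed, and the “[.]” defanging convention used in the article is undone before parsing. It separates a real “.zip” hostname (in a URL, or as a bare name that a mail or chat client may turn into a link) from an ordinary “.zip” file name that sits at the end of a URL path.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages (not from the article's telemetry). The "[.]"
# defanging used in the article is undone before parsing.
SAMPLE_MESSAGES = [
    "Your invoice is attached: businesscentral[.]zip",
    "Download the new build here: https://chatgpt[.]zip/latest",
    "See https://example.com/reports/q1-report.zip for the data",
    "Just unzip data-export.zip and run the script",
]

# A bare token such as "report.zip" is valid both as a file name and as a
# hostname under the .zip TLD; mail clients and chat apps may linkify it.
BARE_HOST = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+zip$", re.IGNORECASE)
SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)

def refang(text):
    """Undo the '[.]' defanging convention so hostnames parse normally."""
    return text.replace("[.]", ".")

def zip_tld_hosts(text):
    """Return (hostname, kind) for every .zip-TLD host found in text.

    kind is "url" when the host sits in an explicit scheme://host URL, and
    "bare" when the token is an ambiguous, linkifiable name such as
    businesscentral.zip. A .zip at the end of a URL *path*
    (https://example.com/a.zip) is an ordinary file and is not reported.
    """
    hits = []
    for token in refang(text).split():
        token = token.strip(".,;:!?()[]<>\"'")
        if SCHEME.match(token):
            host = urlparse(token).hostname or ""
            if host.lower().endswith(".zip"):
                hits.append((host.lower(), "url"))
        elif BARE_HOST.match(token):
            hits.append((token.lower(), "bare"))
    return hits

def scan_messages(messages):
    """Map each message to its .zip-TLD findings; an empty list means no hit."""
    return {msg: zip_tld_hosts(msg) for msg in messages}

if __name__ == "__main__":
    for msg, found in scan_messages(SAMPLE_MESSAGES).items():
        print(f"{'FLAG' if found else 'ok  '} {msg!r} -> {found}")
```

Bare hits are reported separately from URL hits on purpose: a bare “name.zip” in a message is exactly the ambiguity the article describes, so it deserves a closer look rather than an automatic block.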