Phishing has been a digital thorn in the side of cybersecurity for over a decade. These unsolicited, cleverly masked requests are the wolf in sheep’s clothing of the digital world. They are always looming, waiting for some unsuspecting employee to click on a malicious link or attachment that can send your company into a crisis.
In the ever-evolving cybersecurity landscape, understanding the phishing threat has become more critical than ever. It is recognised as a strategic technique under the Initial Access tactic in the MITRE ATT&CK framework. The FortiGuard Labs Global Threat Landscape Report for the second half of 2022 and the 2023 Global Ransomware Research Report both identify phishing as the primary attack method used to achieve initial access in a network breach, thereby laying the groundwork for further stages of an attack.
One technique used by threat actors is to disguise their phishing attacks with creative names that look legitimate to the casual reader but that link to malicious sites. Let’s look into a new threat resulting from the addition of a new Top-Level Domain (TLD), ‘.ZIP’.
Phishers Are Expanding Their Reach
TLDs are the final segment of a domain name. They traditionally follow the format of ‘.COM,’ ‘.NET,’ ‘.ORG,’ and so forth. They play a crucial role in the structure of the web, representing the highest level of domain names in the internet’s hierarchical Domain Name System (DNS). However, as the internet landscape has evolved, hundreds of new TLD options, referred to as generic Top-Level Domains (gTLDs), have been introduced to give organisations and individuals a more personalised and specific web address. But while these new gTLDs provide increased opportunities for branding and availability, they also present new opportunities for misuse by phishing attackers, which we must all be aware of.
Cybercriminals are always on the lookout for new opportunities and techniques to exploit, and the recent availability of ‘.ZIP’ domains for public purchase has unfortunately created such an opportunity. While the pool of new gTLDs has made phishing detection more difficult, adding .ZIP is especially noteworthy given its more common use as a file extension for compressed files. This new domain extension will likely create confusion, especially among non-technical users, giving phishers a new and potentially effective tool to add to their attack arsenals.
In phishing campaigns, a common tactic is to make malicious websites appear as legitimate as possible. Using a .ZIP domain can add an air of authenticity to a fraudulent site. A user may mistake the .ZIP in the URL for a file extension, believing they are downloading a file rather than visiting a malicious website.
Possible mitigation strategies:
There are several strategies and best practices to consider to protect your organisation and minimise the impact of threat actors looking to exploit this new attack vector:
- Block .zip domains at the firewall level with web filtering services: Firewalls can be configured to block all traffic associated with ‘.zip’ domains. This blanket strategy can effectively prevent network users from accessing these sites, minimising the risk of encountering malicious content. However, it’s important to note that this approach may also block legitimate sites using the ‘.zip’ TLD.
- Leverage Browser Extensions or Web Filters: Using browser extensions or web filters that can analyse and rate the safety of websites can also be helpful. Some of these tools can warn users when they’re about to enter a potentially malicious website.
- Education and Awareness: As always, one of the best mitigation techniques is to educate users about evolving risks. Teach them about the potential misuse of ‘.zip’ domains and how to double-check URLs before clicking, especially when they come from an unsolicited source.
- Email Filtering: Implement advanced email filtering to block emails containing suspicious links. This can significantly reduce the risk of phishing attacks via email.
- Regular Software Updates: Ensure that all software, including antivirus programs, web browsers, and operating systems, is kept up to date. Regular updates often include patches for the latest security vulnerabilities.
- Phishing Simulation and Training: Conduct regular phishing simulations to test user awareness and provide training to fill in knowledge gaps.
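As an added example (not code from the original article or from Fortinet), the following Python shows how an email or web filter can tell a link whose hostname sits in the ‘.zip’ TLD from a link that merely points at a .zip file on another domain, which is the confusion described above. The FLAGGED_TLDS set, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: TLDs this organisation has chosen to flag; the article discusses only .zip.
FLAGGED_TLDS = {"zip"}

# Matches http(s) URLs up to the next whitespace or closing delimiter.
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def host_tld(url):
    """Return the lower-cased TLD of the URL's hostname, or None if there is none."""
    try:
        host = urlsplit(url).hostname  # ignores path, query and userinfo
    except ValueError:
        return None
    if not host:
        return None
    host = host.rstrip(".").lower()  # "Example.ZIP." and "example.zip" are the same host
    if "." not in host:
        return None
    return host.rsplit(".", 1)[1]


def triage_links(text, flagged=FLAGGED_TLDS):
    """Split URLs in a message body into (flagged, other) by hostname TLD."""
    flagged_urls, other_urls = [], []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:!?")  # drop sentence punctuation
        if host_tld(url) in flagged:
            flagged_urls.append(url)
        else:
            other_urls.append(url)
    return flagged_urls, other_urls


# Constructed sample message body (hostnames are illustrative only).
SAMPLE_BODY = """\
Hi, the quarterly archive is at https://files.example.com/reports/q3-2023.zip as usual.
Please also review the file at https://reports-q3.example.zip/ before Friday.
Mirror: HTTP://Backup.Example.ZIP./download
"""

if __name__ == "__main__":
    hits, rest = triage_links(SAMPLE_BODY)
    for u in hits:
        print("FLAG", u)
    for u in rest:
        print("ok  ", u)
```

Matching on the parsed hostname rather than searching the URL for the string ".zip" keeps ordinary archive downloads from legitimate domains out of the flagged set.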
Remember, there is no one-size-fits-all approach to cybersecurity. The most effective defence often involves a combination of these and other strategies tailored to each organisation’s (or individual’s) specific needs and risks.
*Jonas Walker is director of threat intelligence at FortiGuard Labs, and Fred Gutierrez is senior security engineer at Fortinet.