Phishers are using a new technique called “file archiver in the browser” to trick victims. They create a phishing landing page that looks like legitimate file archiver software using HTML and CSS. The landing page is hosted on a .ZIP domain, making it appear more legitimate. Victims are redirected to a credential harvesting page when they click on a file within the fake ZIP archive.
The technique can also be used to download executable files instead of the expected non-executable files. Searching for a non-existent .ZIP file in Windows File Explorer can open a malicious website if the file name matches a legitimate .ZIP domain. Google introduced new top-level domains (TLDs), including “.zip” and “.mov,” which could be exploited for phishing.
ZIP files are often used in the initial stages of an attack chain and can be used to download malware. The use of phishing kits, including those utilizing Telegram for data collection, has increased. Phishing attacks are becoming more sophisticated, with techniques like antibots and dynamic directories to evade detection.
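For defenders, the behaviours described above can be looked for in web proxy logs. The following is an added example, not code from the original page: the event fields (`url`, `referrer`, `filename`), the executable-extension list and the sample events are constructed assumptions.

```python
from urllib.parse import urlsplit

FILE_LIKE_TLDS = {"zip", "mov"}  # TLDs named on the page
# Assumed list of extensions treated as executable; adjust to local policy.
EXECUTABLE_EXTS = {"exe", "scr", "msi", "bat", "cmd", "js", "vbs", "lnk"}

def host_of(url):
    """Lower-cased hostname of a URL, or '' when absent or unparsable."""
    if not url:
        return ""
    try:
        return (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:
        return ""

def on_file_like_tld(url):
    """True only when the HOST ends in .zip/.mov, not when the path does."""
    host = host_of(url)
    return "." in host and host.rsplit(".", 1)[1] in FILE_LIKE_TLDS

def extension(name):
    return name.rsplit(".", 1)[1].lower() if name and "." in name else ""

def classify(event):
    """Return the findings for one proxy event (hypothetical field names)."""
    findings = []
    url, ref = event["url"], event.get("referrer")
    if on_file_like_tld(url):
        findings.append("file-like-tld-visit")
    # Click inside the fake archive that lands on another site (harvesting page).
    if on_file_like_tld(ref) and host_of(url) != host_of(ref):
        findings.append("offsite-navigation-from-file-like-tld")
    # Executable delivered where the page presented a non-executable file.
    if (on_file_like_tld(url) or on_file_like_tld(ref)) and \
            extension(event.get("filename")) in EXECUTABLE_EXTS:
        findings.append("executable-download-via-file-like-tld")
    return findings

SAMPLE_EVENTS = [  # constructed sample data, not real indicators
    {"url": "https://constructed-sample.zip/", "referrer": None, "filename": None},
    {"url": "https://login.example.net/signin",
     "referrer": "https://constructed-sample.zip/", "filename": None},
    {"url": "https://constructed-sample.zip/invoice.pdf",
     "referrer": "https://constructed-sample.zip/", "filename": "invoice.exe"},
    {"url": "https://example.org/files/report.zip", "referrer": None, "filename": None},
]

def scan(events):
    return [(e["url"], classify(e)) for e in events if classify(e)]

if __name__ == "__main__":
    for url, findings in scan(SAMPLE_EVENTS):
        print(url, findings)
```

The last sample event is an ordinary ZIP download from a non-.zip host and is deliberately not flagged, since matching on the URL path instead of the hostname would bury the signal in false positives.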
Phishing simulations: https://phishing.expert