A new phishing kit called “File Archivers in the Browser” has been discovered, exploiting ZIP domains to display fake WinRAR or Windows File Explorer windows in web browsers. Developed by security researcher mr.d0x, this phishing toolkit aims to deceive users into thinking they are interacting with legitimate file archiving software. By utilizing .zip domains, the toolkit creates convincing pop-up windows within the browser, tricking users into providing credentials or downloading malware.
The toolkit’s primary purpose is to create a sense of authenticity by simulating well-known file archiver software, such as WinRAR. When a user opens a .zip domain, the toolkit embeds a fake WinRAR or File Explorer window directly in the browser, making it appear as though they are accessing files within a ZIP archive. The windows can be customized to remove the address bar and scrollbar, further enhancing the illusion of a legitimate archiving tool.
This phishing kit poses a significant risk as it can be used for both credential theft and malware delivery. For instance, when a user double-clicks on a file displayed in the fake WinRAR window, they could be redirected to a page that requests their login credentials to supposedly view the file. Additionally, malware can be delivered by disguising it as a different file type, such as a PDF file that actually downloads an executable file when clicked. Windows’ default behavior of not displaying file extensions by default makes it easier to trick users into unknowingly executing malicious files.
This technique highlights the potential dangers of ZIP domains and the need for increased awareness and caution when interacting with files and domains that appear to be associated with file archiving software. Security measures, such as displaying file extensions by default and verifying the legitimacy of downloaded files, can help mitigate the risks associated with these types of phishing attacks.
