Attackers have been leveraging the new "file archiver in the browser" phishing technique, which enables the creation of realistic phishing pages masquerading as legitimate file archive software; hosting such a page on a .ZIP domain further lends the scheme legitimacy, The Hacker News reports.
The technique could also be leveraged for credential harvesting, according to security researcher mr.d0x, who described it.
"Another interesting use case is listing a non-executable file and when the user clicks to initiate a download, it downloads an executable file. Let's say you have an 'invoice.pdf' file. When a user clicks on this file, it will initiate the download of a .exe or any other file," said mr.d0x.
Phishing-related concerns have been raised by Google's introduction of .ZIP and .MOV among its eight new top-level domains, since strings such as "photos.zip" now double as valid hostnames, with Trend Micro researchers noting the prevalence of ZIP files in the initial stages of attacks.
"Beyond ZIP archives being used as a payload, it's also likely that malicious actors will use ZIP-related URLs for downloading malware with the introduction of the .zip TLD," said Trend Micro.
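The following Python script is an added example, not code from the article, mr.d0x or Trend Micro. It shows detection checks for the two lures described above: hostnames under the .zip and .mov TLDs that look like file names in message text (the concern Trend Micro raises), and HTML anchors in a fake archive listing whose visible label is a document name but whose delivered file is an executable (the "invoice.pdf" trick mr.d0x describes). The sample e-mail text and HTML listing, the hostname `updates.example.zip`, and the extension lists are constructed for this example.

```python
"""Flag two phishing lures tied to the .zip/.mov TLDs and the
'file archiver in the browser' technique. Sample inputs are constructed."""
import re
from html.parser import HTMLParser

RISKY_TLDS = ("zip", "mov")
# Assumed extension lists; extend to taste.
EXECUTABLE_EXT = {"exe", "msi", "scr", "bat", "cmd", "ps1", "js", "vbs", "hta", "dll"}
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "csv", "png", "jpg"}

# Hostname-like token ending in a risky TLD, with optional scheme. The
# lookarounds stop it matching inside longer tokens such as "a.zip.exe",
# while still allowing a sentence-ending period after the TLD.
HOST_RE = re.compile(
    r"(?<![\w.-])(?:https?://)?((?:[a-z0-9-]+\.)+(?:%s))(?!\.?[\w-])" % "|".join(RISKY_TLDS),
    re.IGNORECASE,
)


def find_risky_hosts(text):
    """Return hostnames in text whose TLD is .zip or .mov (lower-cased)."""
    return [m.group(1).lower() for m in HOST_RE.finditer(text)]


class AnchorAudit(HTMLParser):
    """Collect every <a> as {'href', 'download', 'text'}."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._current = None  # anchor being read, or None when outside <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = {"href": "", "download": None, "text": ""}
            for name, value in attrs:
                if name in ("href", "download"):
                    # A bare `download` attribute arrives as None; keep it as "".
                    self._current[name] = value if value is not None else ""

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.anchors.append(self._current)
            self._current = None


def _ext(name):
    """Lower-case extension of a file name or URL path, '' if there is none."""
    path = name.split("?", 1)[0].split("#", 1)[0].rstrip("/")
    base = path.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def find_mismatched_downloads(html):
    """Return (label, saved_name) for anchors labelled as a document whose
    delivered file is an executable. The browser saves under the `download`
    attribute when present, otherwise under the last path segment of href."""
    parser = AnchorAudit()
    parser.feed(html)
    hits = []
    for a in parser.anchors:
        label = a["text"].strip()
        target = a["download"] if a["download"] else a["href"]
        if _ext(label) in DOCUMENT_EXT and _ext(target) in EXECUTABLE_EXT:
            hits.append((label, target))
    return hits


# Constructed sample inputs.
SAMPLE_EMAIL = """Hi, the updated design files are in photos.zip and the clip is in demo.mov.
Please also pull https://updates.example.zip/ before Friday."""

SAMPLE_HTML = """
<ul class="archive-listing">
  <li><a href="/files/invoice.pdf">invoice.pdf</a></li>
  <li><a href="/dl/a1b2c3" download="invoice.pdf.exe">invoice.pdf</a></li>
  <li><a href="/files/setup.exe">setup.exe</a></li>
</ul>
"""

if __name__ == "__main__":
    print("risky hosts:", find_risky_hosts(SAMPLE_EMAIL))
    print("mismatched downloads:", find_mismatched_downloads(SAMPLE_HTML))
```

The hostname check is deliberately a text-level heuristic: it will flag a genuine attachment name like "photos.zip" too, which is the point, since a mail or chat client that auto-links that string sends the reader to a .zip domain. The anchor check only sees the static listing; a page that swaps the download target in a click handler needs the same comparison applied at the network layer (Content-Disposition file name versus link text).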