Unzipped! The Hidden Dangers Behind .Zip Domains | Threat SnapShot
Phishing attacks got a little more interesting last year with the addition of .zip as a domain name. Attackers started using it in phishing campaigns, playing on a user's assumption that they were downloading the popular archive file. And how would you tell the difference at a glance, when the URL looked something like "https://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1271.zip"? Because of Unicode support and the ability to include basic authentication in URLs, attackers can use characters like U+2044 (⁄) and U+2215 (∕) and the "@" sign to craft doppelganger URLs that look like legitimate ones and may trick an unsuspecting user. In this week's Threat SnapShot, we'll take a closer look at how attackers have used the .zip domain for phishing, as well as detection and hunting strategies you can use to keep your organization safe.
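The trick above works because a browser ends the authority part of a URL only at an ASCII "/", "?" or "#", and treats everything before the last "@" in that authority as userinfo. A slash lookalike therefore never closes the host, and the real host is whatever follows the "@". The following parser, an added example that is not part of this Threat SnapShot or of the SnapAttack content, applies the same rule to recover the effective host and flag the three tell-tales: userinfo before an "@", slash lookalikes inside the authority, and a file-extension-like TLD. U+2044 and U+2215 come from the post; U+29F8, U+FF0F and the "mov" TLD are assumptions added here, and the two sample URLs are constructed.

```python
"""Flag doppelganger URLs that abuse userinfo and Unicode slash lookalikes."""
import unicodedata

# Characters that visually pass for "/" in a URL. U+2044 and U+2215 are the two
# the post names; U+29F8 and U+FF0F are added here as further lookalikes
# (an assumption of this example, not something the post lists).
SLASH_LOOKALIKES = {
    "\u2044": "FRACTION SLASH",
    "\u2215": "DIVISION SLASH",
    "\u29f8": "BIG SOLIDUS",
    "\uff0f": "FULLWIDTH SOLIDUS",
}

# TLDs this example treats as suspicious. "zip" is the post's subject; "mov"
# is an assumption added here because it is another extension-like TLD.
SUSPICIOUS_TLDS = {"zip", "mov"}

# Only these ASCII characters terminate the authority, exactly as in a browser.
ASCII_DELIMS = "/?#"


def split_authority(url):
    """Return (authority, rest) using ASCII delimiters only.

    Unicode slash lookalikes do not end the authority, which is precisely why
    they are useful to an attacker and why this parser must not treat them as
    separators.
    """
    scheme_end = url.find("://")
    after = url[scheme_end + 3:] if scheme_end != -1 else url
    cut = len(after)
    for i, ch in enumerate(after):
        if ch in ASCII_DELIMS:
            cut = i
            break
    return after[:cut], after[cut:]


def analyze_url(url):
    """Return the effective host, its TLD, any userinfo and a list of findings."""
    authority, _rest = split_authority(url)
    findings = []

    # The host is whatever follows the LAST "@"; everything before it is
    # userinfo that the destination server never sees.
    userinfo, at, hostport = authority.rpartition("@")
    if at:
        findings.append("userinfo_before_at")

    # Drop a trailing port; bracketed IPv6 literals are handled separately.
    if hostport.startswith("["):
        host = hostport[1:hostport.find("]")]
    else:
        host = hostport.split(":", 1)[0]

    # IDNA applies NFKC before resolving, so normalize before reading the TLD.
    host = unicodedata.normalize("NFKC", host).lower()

    lookalikes = sorted({SLASH_LOOKALIKES[c] for c in authority if c in SLASH_LOOKALIKES})
    if lookalikes:
        findings.append("slash_lookalike_in_authority")

    tld = host.rsplit(".", 1)[-1]
    if tld in SUSPICIOUS_TLDS:
        findings.append("suspicious_tld")

    return {
        "host": host,
        "tld": tld,
        "userinfo": userinfo,
        "findings": findings,
        "lookalikes": lookalikes,
    }


# Constructed samples: the post's doppelganger URL (U+2215 in place of "/")
# beside the genuine GitHub release URL it imitates.
SAMPLES = {
    "doppelganger": "https://github.com\u2215kubernetes\u2215kubernetes"
                    "\u2215archive\u2215refs\u2215tags\u2215@v1271.zip",
    "genuine": "https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip",
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        result = analyze_url(sample)
        print(f"{name}: host={result['host']} findings={result['findings']}")
```

Run against the two samples, the doppelganger resolves to host v1271.zip with all three findings, while the genuine URL resolves to github.com with none. The same check applied to proxy or DNS logs only needs the host column, since by then the browser has already discarded the userinfo; the lookalike and "@" tell-tales are only visible where the full URL is logged, such as mail gateways or browser telemetry.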
References:
- https://www.fortinet.com/blog/industry-trends/threat-actors-add-zip-domains-to-phishing-arsenals
- https://medium.com/@bobbyrsec/the-dangers-of-googles-zip-tld-5e1e675e59a5
- https://redcanary.com/blog/google-zip-domains/
SnapAttack Content:
- https://app.snapattack.com/collection/7a17a2c4-c3fe-4f5f-8da7-4d6ac85c9d88 - Collection: Phishing with the .zip TLD | Threat SnapShot
- https://app.snapattack.com/threat/7b09bd48-a8ff-bba4-d9fe-5cdf01548aff - Threat: ZIP Top Level Domain Abuse - Phishing
- https://app.snapattack.com/detection/a18bb513-f91d-43d6-a3f8-9729e77e22cc - Detection: Download From Suspicious TLD - Whitelist
- https://app.snapattack.com/detection/47888062-ee50-4280-9f89-88b27dfa3f92 - Detection: Download From Suspicious TLD - Blacklist
- https://app.snapattack.com/detection/cc22c8bf-2a12-4433-b45b-e6ac9b12ee25 - Detection: Connection to Zip TLD
- https://app.snapattack.com/detection/793ce14c-f3a2-49dd-a658-6d6e663428e6 - Detection: Possible Zip TLD Abuse (Zeek)
- https://app.snapattack.com/detection/321932a3-0316-4301-976c-ec868d51947c - Detection: Potentially Suspicious File Download From ZIP TLD