Page 147 - Cyber Defense eMagazine September 2023
browsers may associate and autolink a .zip file name to an actor-owned website of the same name,
leading the user, without their knowledge, to a malicious destination.
TLDs can also be used together with the rest of a URL to convince a victim they are clicking on a link
belonging to a financial institution, retailer, or any other legitimate organization. New generic TLDs
(gTLDs) built on familiar terms are often registered by cybercriminals to mislead victims with lookalike
domain attacks. A lookalike domain is versatile: the same domain can be used to target a brand with
Business Email Compromise scams, credential phishing sites, social media posts or advertisements, and
more.
.ZIP Attack Example 1
In the attack below, the cybercriminal registered a .zip lookalike domain impersonating a large social
media organization and redirecting visitors to a third-party, actor-owned website. In addition to using
the .zip TLD, the domain uses HTTPS, the organization’s brand name, and the phrase “business-appeal” to
convince the victim of its legitimacy.
Domain: hxxps://xxx.business-appeal.zip/
ISP: NameCheap
.ZIP Attack Example 2
In the second campaign, the cybercriminal used a .zip lookalike domain to send the victim to a credential
theft phishing site. In addition to using .zip, the domain includes language associated with a known
application available through the targeted brand. The cybercriminal also obtained an SSL certificate for
the domain to further enhance its appearance of legitimacy.
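Both campaigns above, and the autolinking problem described earlier, can be caught with the same defensive check: find every URL-like token in a message, including bare tokens such as "report.zip" that a mail client or browser would turn into a link, and flag those whose top-level domain collides with a file extension (.zip or .mov), noting whether a monitored brand term or lure phrase appears in the host name. The following Python is an added example written for this article, not code from the magazine or from any vendor; the brand watchlist, the `examplebrand` name and the sample message text are constructed, and the `business-appeal` lure phrase is taken from Example 1 above.

```python
import re
from urllib.parse import urlsplit

# TLDs that collide with common file extensions. A bare token such as "report.zip"
# in an e-mail body may be autolinked and resolved as a host name.
FILE_EXTENSION_TLDS = {"zip", "mov"}

# Constructed watchlist (assumption): brand names and lure phrases a defender wants
# to spot inside lookalike host names. "business-appeal" is the phrase from Example 1.
BRAND_TERMS = ("examplebrand", "business-appeal", "appeal")

# Threat-intel text is often "defanged" as hxxp(s); undo that before parsing.
DEFANG_RE = re.compile(r"^hxxp(s?)://", re.IGNORECASE)

# Either an explicit URL (real or defanged) or a bare dotted token like "invoice.zip".
TOKEN_RE = re.compile(r"h(?:xx|tt)ps?://\S+|\b[\w.-]+\.[a-z]{2,}\b", re.IGNORECASE)


def refang(token):
    """Turn hxxps://... back into https://... so urlsplit() sees a normal scheme."""
    return DEFANG_RE.sub(lambda m: f"http{m.group(1)}://", token)


def analyze_token(token):
    """Return a finding for a token whose TLD is .zip/.mov, or None otherwise."""
    url = refang(token.rstrip(".,;)"))
    had_scheme = "://" in url
    if not had_scheme:
        # A bare "name.zip" reads as a file name but parses as a host.
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    if len(labels) < 2 or labels[-1] not in FILE_EXTENSION_TLDS:
        return None
    return {
        "token": token,
        "host": host,
        "tld": labels[-1],
        "autolink_risk": not had_scheme,          # no scheme: relies on autolinking
        "brand_terms": [t for t in BRAND_TERMS if t in host],
        "uses_https": url.lower().startswith("https://"),
    }


def scan_text(text):
    """Scan free text (an e-mail body, chat message, ticket) and return all findings."""
    findings = []
    for match in TOKEN_RE.finditer(text):
        finding = analyze_token(match.group(0))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample message, not taken from the article.
SAMPLE_TEXT = """\
Reminder: the quarterly figures are in results-2023.zip on the share.
Review your account at hxxps://social-login.business-appeal.zip/ before Friday.
Download the installer from https://updates.examplebrand-app.zip/setup
Official portal: https://www.examplebrand.com/login
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_TEXT):
        flags = []
        if f["autolink_risk"]:
            flags.append("bare token, autolink risk")
        if f["brand_terms"]:
            flags.append("brand/lure terms: " + ", ".join(f["brand_terms"]))
        if f["uses_https"]:
            flags.append("served over HTTPS")
        print(f"{f['host']:45} {'; '.join(flags)}")
```

The legitimate `examplebrand.com` link produces no finding, while the bare `results-2023.zip` is flagged purely for autolink risk and the two `.zip` hosts are flagged with the brand or lure terms they carry. In a mail gateway or SIEM rule the `brand_terms` hit is what turns a noisy "new gTLD seen" event into an actionable lookalike-domain alert.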
Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.