Phishing has plagued cybersecurity for over a decade, with cleverly disguised requests posing a significant threat in the digital world. These deceptive tactics constantly loom, waiting for unsuspecting employees to fall prey to malicious links or attachments that can thrust a company into crisis.
In the ever-changing cybersecurity landscape, understanding the gravity of the phishing threat has become more critical than ever. Phishing is catalogued as a technique under the Initial Access tactic in the MITRE ATT&CK framework. Both the FortiGuard Labs Global Threat Landscape Report for the second half of 2022 and the 2023 Global Ransomware Research Report identify phishing as the primary method used to gain initial access in network breaches, paving the way for the later stages of an attack.
Threat actors add .zip domains to their phishing arsenals
Threat actors utilize various techniques, including disguising their phishing attacks with creative names that appear legitimate but lead to malicious sites. A new threat has emerged with the introduction of a new Top-Level Domain (TLD), ‘.ZIP’.
Phishers Are Expanding Their Reach
TLDs form the final segment of a domain name, traditionally seen in formats like ‘.COM,’ ‘.NET,’ and ‘.ORG.’ With the addition of hundreds of new TLD options known as generic Top-Level Domains (gTLDs), the internet’s structure has evolved, offering more personalized and specific web addresses. However, these new gTLDs also present opportunities for misuse by phishing attackers, requiring awareness and vigilance.
One such misuse has arisen with the availability of ‘.ZIP’ domains for public purchase. This new domain extension has raised concerns because ‘.zip’ is also the common file extension for compressed archives. Phishers can exploit this confusion: a link that looks like the name of a compressed file can in fact point to a malicious website, and users who read it as a file name may visit the site without suspicion.
Possible mitigation strategies:
Mitigation strategies to safeguard organizations and minimize the impact of this new attack vector include:
1. Blocking .zip domains at the firewall level with web filtering services to prevent network users from accessing potentially malicious sites, though legitimate sites using the ‘.zip’ TLD may also be affected.
2. Leveraging Browser Extensions or Web Filters that analyze and rate website safety to warn users when encountering potentially malicious sites.
3. Conducting education and awareness campaigns to educate users about evolving risks, especially regarding the potential misuse of ‘.zip’ domains and the importance of double-checking URLs before clicking on unsolicited sources.
4. Implementing advanced email filtering to block suspicious links, significantly reducing the risk of phishing attacks via email.
5. Ensuring regular software updates, including antivirus programs, web browsers, and operating systems, to address the latest security vulnerabilities.
6. Conducting regular phishing simulations and training to test user awareness and give users the knowledge to recognize and report phishing attempts effectively.
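The confusion described above and mitigations 2 and 4 (web filters and email filtering that flag suspicious links) come down to one question: does the hostname of a link end in the .zip TLD? The following is an added example written for this page, not FortiGuard Labs code or any product's filtering logic. It pulls link-like tokens out of an email body, parses each with a real URL parser so that the decision is made on the hostname rather than on the string ".zip" appearing anywhere in the link, and returns a verdict per link. The sample email, the hostnames in it and the verdict labels are all constructed for the example.

```python
"""Flag links whose hostname ends in a TLD that doubles as a file extension."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# TLDs that collide with common file extensions. The article discusses .zip;
# the set is a configuration point so that further TLDs can be added by policy.
FILE_EXTENSION_TLDS = {"zip"}

# Matches explicit URLs (with a scheme) and bare host-like tokens such as
# "q3-backup.zip", which many mail clients and browsers auto-link. The regex is
# deliberately permissive; the hostname check below does the classification.
_LINK_RE = re.compile(
    r"https?://[^\s<>\"']+"                       # explicit URL
    r"|(?<![\w/.])[\w-]+(?:\.[\w-]+)+(?![\w/.])"   # bare dotted token
)

_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def hostname_of(link: str) -> Optional[str]:
    """Return the lowercase hostname of a link, or None if it cannot be parsed.

    Using urlparse (rather than string slicing) means ports and paths are
    handled correctly, so "https://files.example.com/report.zip" yields the
    real host "files.example.com", not the file name.
    """
    target = link if _SCHEME_RE.match(link) else "http://" + link
    try:
        host = urlparse(target).hostname
    except ValueError:
        return None
    return host.rstrip(".").lower() if host else None


def classify_link(link: str) -> str:
    """Return "allow", "block" or "review" for a single link.

    "block":  an explicit URL whose hostname ends in a file-extension TLD.
    "review": a bare token like "archive.zip" that is ambiguous between a
              file name and a domain; left for a human or a stricter policy.
    "allow":  everything else.
    """
    host = hostname_of(link)
    if host is None or "." not in host:
        return "allow"
    tld = host.rsplit(".", 1)[-1]
    if tld not in FILE_EXTENSION_TLDS:
        return "allow"
    return "block" if "://" in link else "review"


def scan_text(text: str) -> List[Tuple[str, str]]:
    """Return (link, verdict) for every link in the text that is not allowed."""
    findings = []
    for match in _LINK_RE.finditer(text):
        link = match.group(0).rstrip(".,;:)")  # drop trailing sentence punctuation
        verdict = classify_link(link)
        if verdict != "allow":
            findings.append((link, verdict))
    return findings


# Constructed sample email: one legitimate download of a .zip file from an
# ordinary host, one link whose *hostname* is in the .zip TLD, one bare
# file-name-or-domain token, and one unrelated domain.
SAMPLE_EMAIL = """\
Hi team, the Q3 figures are at https://intranet.example.com/files/q3-report.zip
Please also review https://example-files.zip/q3-report and confirm.
Archive attached as q3-backup.zip; the old site www.example.org is unchanged.
"""

if __name__ == "__main__":
    for link, verdict in scan_text(SAMPLE_EMAIL):
        print(f"{verdict:7} {link}")
```

The first link in the sample is not flagged even though it contains ".zip", because its hostname is intranet.example.com; a naive substring rule would have blocked a legitimate file download, which is the false-positive cost mitigation 1 warns about. The bare token gets "review" rather than "block" because, out of context, the scanner cannot tell a file name from a domain; a stricter policy could treat it as "block" by changing one line.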
By Jonas Walker, Director of Threat Intelligence, FortiGuard Labs, and Fred Gutierrez, Senior Security Engineer, Fortinet