Catches of the Month: Phishing Scams for June 2023

Welcome to our June 2023 review of phishing attacks, in which we explore the latest email scams and the tactics that cyber criminals use to trick people into handing over personal data.

This month, we look at a new phishing tactic that exploits the newly released ‘.zip’ top-level domain, and ask why there are quite so many cryptocurrency scams.

File Archiver in the Browser scam exploiting ‘.zip’ domains

Google recently released eight new top-level domains – the bits at the end of a website address such as ‘.com’, ‘.org’, ‘.ca’, and so on – and cyber security researchers are not happy.

That’s because two of the top-level domains share their name with common file type extensions: ‘.zip’ and ‘.mov’.

The researchers warned that criminal hackers could exploit the way web addresses are displayed in emails, web posts and File Explorer to launch phishing attacks and malware campaigns.

Because ‘.zip’ and ‘.mov’ are now valid top-level domains, some messaging and social platforms automatically turn any text that looks like a file name, such as ‘setup.zip’, into a clickable link to a website of that name.

Cyber criminals, having spotted the potential for confusion, have started squatting on domains that could be mistaken for files.

For instance, security researcher mr.d0x has developed a phishing toolkit that lets criminal hackers create fake in-browser WinRAR instances and File Explorer windows, hosted on ‘.zip’ domains, to trick users into thinking they are opening a ‘.zip’ file.

“With this phishing attack, you simulate a file archiver software (e.g. WinRAR) in the browser and use a .zip domain to make it appear more legitimate,” explains a new blog post by the researcher.

In a demonstration with Bleeping Computer, the toolkit was used to embed a fake WinRAR window directly in the browser when a ‘.zip’ domain was opened.

Source: Bleeping Computer

Although many experts have condemned Google for its carelessness in creating a new threat vector, it’s unlikely that cyber criminals will register thousands of domains to try to catch specific instances of people clicking a certain ‘.zip’ or ‘.mov’ domain name.

However, it only takes one mistake for someone to install malware and compromise an entire network.

For the time being, users can use the same techniques to stay safe as they would with standard phishing scams. That means avoiding links or downloads from unknown senders, checking that senders’ email addresses are genuine, and remembering that something ending in ‘.zip’ or ‘.mov’ may now be a website rather than a file.
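The confusion described above comes down to one question: if a file-name-looking string were treated as a link, which host would the browser actually connect to? The following is an added example, not code from the article or from mr.d0x’s toolkit, that scans message text for such tokens and reports the host they would resolve to. It goes slightly beyond the article in also handling the URL form `https://github.com@files.zip`, where standard URL syntax treats everything before the `@` as user information and the real host is `files.zip`. The tokenizer, the hostname check and the sample message are all constructed for this example; the TLD list is just the two the article names.

```python
"""Added example (not from the original article or from mr.d0x's toolkit):
find tokens in message text that read like file names but would, if
auto-linked, point at a live host under a file-extension TLD, and report
the host a browser would actually connect to."""
import re
from urllib.parse import urlsplit

# Top-level domains that collide with common file extensions. The article
# names .zip and .mov; extend the set if more such TLDs matter to you.
FILE_LIKE_TLDS = frozenset({"zip", "mov"})

# Rough word tokenizer: split on whitespace and the punctuation that
# commonly wraps a link in prose. Constructed for this example.
TOKEN_RE = re.compile(r"""[^\s<>"'(),;\[\]]+""")

# A syntactically plausible hostname: dot-separated labels of letters,
# digits and hyphens (RFC 1123). Tokens with other characters, such as
# 'payroll_2023.zip', are not hostnames and are left alone.
HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$")


def effective_host(token: str) -> str:
    """Return the host a browser would connect to if `token` were a link.

    A scheme is prepended when missing so that urlsplit parses the text as
    a URL. urlsplit's .hostname drops any 'user@' prefix and ':port'
    suffix, so 'https://github.com@files.zip' yields 'files.zip', not
    'github.com'. Returns '' for anything that does not parse.
    """
    url = token if "://" in token else "https://" + token
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:  # e.g. malformed IPv6 brackets
        return ""


def find_file_like_hosts(text: str) -> list[dict]:
    """Return one record per token that looks like a file but is a host.

    Each record holds the literal token from the text, the host it would
    resolve to, and the colliding TLD. Tokens whose path (not host) ends
    in .zip, like 'www.example.com/report.zip', are not flagged.
    """
    findings = []
    for raw in TOKEN_RE.findall(text):
        token = raw.rstrip(".!?:")  # sentence punctuation, not part of a name
        host = effective_host(token)
        if not HOSTNAME_RE.match(host):
            continue
        tld = host.rsplit(".", 1)[1]
        if tld in FILE_LIKE_TLDS:
            findings.append({"token": token, "host": host, "tld": tld})
    return findings


if __name__ == "__main__":
    # Constructed sample message, not a real phishing email.
    sample = (
        "Hi, the Q2 payslips are in payslips.zip and the summary in "
        "report.pdf. Mirror: https://github.com@files.zip (same archive)."
    )
    for f in find_file_like_hosts(sample):
        print(f"{f['token']!r} would open host {f['host']} (.{f['tld']} TLD)")
```

Run on the sample message, it flags `payslips.zip` and the `@files.zip` URL but leaves `report.pdf` alone, and a genuine download path such as `www.example.com/report.zip` is also left alone because what matters is the host, not the end of the path. A mail gateway or chat bot could use the same check to rewrite or annotate such tokens before they reach a user.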

Crypto users given fresh warning about phishing

The cryptocurrency news site Cointelegraph published an article last week on the rise in phishing attacks in the crypto industry.

Eric Parker, the CEO and co-founder of the noncustodial wallet Giddy, told Cointelegraph, “Did someone reach out to you without you asking? That’s one of the biggest rules of thumb you can use.

“Customer service rarely, if ever, proactively reaches out to you, so you should always be suspicious of messages saying you need to take action on your account.

“Same idea with free money: if someone is messaging you because they want to give you free money, it’s likely not real. Be wary of any message that feels too good to be true or gives you an immediate sense of urgency or fear to make you act quickly.”

The site notes that one of the most common pretexts for crypto scams is to impersonate an exchange or wallet provider with a bogus payment request.

Scammers might pose as a customer support representative and send emails containing a bogus link. Recipients are then asked to hand over their login credentials and other sensitive information.

Omri Lahav, the CEO and co-founder of Blockfence, told Cointelegraph, “It’s important to remember that if someone sends you a message or email unsolicited, they likely want something from you. These links and attachments can contain malware designed to steal your keys or gain access to your systems.”

He added: “Furthermore, they can redirect you to phishing websites. Always verify the sender’s identity and the email’s legitimacy to ensure safety. Avoid clicking on links directly; copy and paste the URL into your browser, checking carefully for any spelling discrepancies in the domain name.”

Why do crypto scams remain so popular?

Crypto scams feature more heavily than most other types of phishing in our Catches of the Month feature, and you might think that unusual. Despite gaining plenty of mainstream interest, crypto trading is still a relatively niche phenomenon, with about 4.2% of the global population owning cryptocurrency.

Moreover, you’d think that crypto users were among the more tech-savvy Internet users and therefore less likely to fall for scams. However, research suggests that the opposite is true: heavy, confident Internet users are, if anything, more likely to be caught out.

A 2017 report by Get Safe Online found that scams tend to be successful not because their victims are ignorant but because they are complacent.

The report split people into various age groups, and it found that those under the age of 25 were more than twice as likely to fall for a phishing scam as over-55s.

An obvious counterargument is that younger people typically use the Internet more, so they’re bound to receive more phishing emails. However, the report found the opposite: only 36% of under-25s said they’d been targeted by a phishing scam, compared to 47% of over-55s.

Nonetheless, younger people’s tendency to browse the Internet more often does play a crucial role in why they’re more likely to fall for phishing scams.

It’s not purely a question of volume of Internet use. There’s also the ‘it won’t happen to me’ factor: if you’re regularly online and happen not to be targeted by an attack, it’s easy to become complacent or downplay the risk of phishing.

That, combined with habitual Internet users’ desire to consume content quickly before moving on, explains why only 40% of under-25s said they “carefully read and re-read all emails”.

The bigger problem is younger people’s attitude to sharing information online. They are much more likely to post personal information on social media sites, blogs, vlogs, etc., and cyber criminals are taking advantage of these sources to piece together detailed information that can lead to incredibly authentic scams.

These trends don’t appear to have changed in the years since the report was published. Whether they’re young or not, crypto traders are generally among the more “terminally online” demographic and at a greater risk of scams.

Can you spot a scam?

All organisations are vulnerable to phishing, no matter their size or sector, so it’s essential to understand how you might be targeted and what you can do to prevent a breach.

You can help educate your staff with IT Governance’s Phishing Staff Awareness Training Programme.

This 45-minute course uses real-world examples like the ones we’ve discussed here to explain how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.