The attacker posts a message to a forum, chatroom, etc. like:
Download: 2024YourCompanySalaryData.zip
When the user clicks "2024YourCompanySalaryData.zip", it is actually a domain name, and loads that website. This website then asks you to enter your corp credentials, or executes a 0-day on the victim's browser, etc.
The forum doesn't need to allow file downloads (i.e. a real .zip might not even work), and even if it does, client or server side virus scanning doesn't have a .zip to inspect.
The user is less wary of phishing, having never seen the .zip TLD. They assume they are downloading a file.
Thanks. I don't really see how that's worse than today, where a bad actor can do exactly the same thing in a forum post. Typically the post shows the text you enter, but can go to any URL.
In terms of the user going to a site instead of a zip file: If a user is willing to unpack and run a random file he downloaded and give it credentials to something... what's the difference? Not being argumentative, but this seems like a stretch.
The difference is that many forums or chat programs will automatically linkify valid hostnames/URLs.
Now "foo.zip" is a valid URL.
You could have a forum or chat program that you think is quite safe, since it doesn't allow file uploads, and doesn't allow arbitrary link text, and this would upend that.
An example:
https://blog.talosintelligence.com/zip-tld-information-leak/
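The "linkify" point above is the whole difference between the two positions in this thread, so here is an added example (not code from the thread or from any forum product) of a toy autolinker in JavaScript. It shows why adding "zip" to the TLD list turns a post that used to be plain text into a clickable link, one mitigation (refuse to autolink scheme-less hostnames whose TLD doubles as a file extension), and a moderation helper that flags such tokens in a post. The TLD sets, the sample post and the function names are all constructed for this example; a real linkifier would use the full public suffix list and handle explicit `https://` schemes, which this toy does not.

```javascript
// Added example, not code from the thread or from any forum software:
// a toy autolinker showing why a .zip TLD changes the picture for a forum
// or chat product, and one mitigation. All lists below are constructed here.

// Constructed subset of the public TLD list (a real linkifier uses the full list).
const KNOWN_TLDS = new Set(["com", "org", "net", "io", "zip", "mov"]);

// TLDs that collide with common file extensions (assumption: a site-maintained list).
const FILE_EXTENSION_TLDS = new Set(["zip", "mov"]);

// Matches scheme-less tokens that look like host.tld, e.g. "foo.zip".
const HOST_RE = /\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b/gi;

function tldOf(host) {
  return host.slice(host.lastIndexOf(".") + 1).toLowerCase();
}

function toAnchor(host) {
  // Matched text is limited to [a-z0-9.-], so no HTML escaping is needed here.
  return `<a href="https://${host}">${host}</a>`;
}

// Naive linkifier: any token whose last label is a known TLD becomes a link.
// Before "zip" was in KNOWN_TLDS, "SalaryData.zip" failed this check and stayed
// plain text; once it is in the list, the same post becomes a clickable link.
function linkifyNaive(text) {
  return text.replace(HOST_RE, (host) =>
    KNOWN_TLDS.has(tldOf(host)) ? toAnchor(host) : host
  );
}

// Mitigation: never autolink a scheme-less hostname whose TLD doubles as a
// file extension. Ordinary domains are still linked; "foo.zip" stays plain text.
function linkifySafe(text) {
  return text.replace(HOST_RE, (host) => {
    const tld = tldOf(host);
    if (!KNOWN_TLDS.has(tld) || FILE_EXTENSION_TLDS.has(tld)) return host;
    return toAnchor(host);
  });
}

// Moderation/detection helper: list tokens in a post that read as filenames
// but would resolve as hostnames under the current TLD list.
function flagFileLikeHosts(text) {
  const hits = [];
  for (const m of text.matchAll(HOST_RE)) {
    if (FILE_EXTENSION_TLDS.has(tldOf(m[1]))) hits.push(m[1]);
  }
  return hits;
}

// Constructed sample post based on the scenario described in the thread.
const SAMPLE_POST =
  "Download: 2024YourCompanySalaryData.zip (see also example.com and report.pdf)";

console.log(linkifyNaive(SAMPLE_POST));   // salary "file" and example.com both become links
console.log(linkifySafe(SAMPLE_POST));    // only example.com becomes a link
console.log(flagFileLikeHosts(SAMPLE_POST)); // ["2024YourCompanySalaryData.zip"]
```

Running it shows the same post rendered both ways: `linkifyNaive` turns the salary-data token into an anchor while leaving `report.pdf` alone (pdf is not a TLD), and `linkifySafe` links `example.com` but keeps the `.zip` token as text. The flagging helper is the piece a moderation pipeline or SOC content scanner would call to spot file-lookalike hostnames before a post is rendered.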