Month: May 2023

New .ZIP TLD Abused in File Archiver in the Browser Phishing Technique

A new file-archiver-in-the-browser phishing kit has been created that tricks victims into opening malicious zip files and downloading and installing malware on their devices.

The phishing kit takes advantage of the new .zip TLD domain that was released by Google this month along with 7 other new TLDs (.dad, .phd, .prof, .esq, .foo, .mov, and .nexus). According to Google, “.Zip is a secure domain for tying things together or moving really fast. Hosting content on a .zip domain means speed.” However, the new TLD is ripe for abuse and a phishing kit has already been created that takes advantage of this new TLD.

The problem with .zip domains is that an attacker can cheaply register a domain such as setup.zip or invoice.zip that is indistinguishable in appearance from a filename, and use it for phishing and malware distribution. For instance, a domain could be registered that mimics a legitimate file archiver, such as WinZip or WinRAR, and emails sent containing clickable .zip links. A link to setup.zip would look like a normal setup archive for installing a program, while the domain behind it serves a setup.zip file containing malicious files.

This was recently demonstrated by the security researcher mr.d0x. He showed that a webpage on a registered .zip domain can be made to look like the WinRAR file archiver window using only HTML/CSS, and he provided a second example mimicking the Windows 11 File Explorer window. To make the scam more believable, the page displays a fake antivirus popup stating that the contents of the .zip file have been scanned and found to contain no malware. Because these popups are drawn by the page itself rather than by the browser, they do not show an address bar, which removes the most obvious clue that the user is interacting with a website rather than a local application.

In this example, the webpage emulated a standard WinRAR window listing two files: Invoice.pdf and installer.exe. The installer.exe file is obviously an executable that will install the malware payload; however, the Invoice.pdf file appears benign. Clicking it could instead download an executable with a double extension, such as Invoice.pdf.exe. Windows hides extensions for known file types by default, so all the user would see is Invoice.pdf, and the file could easily be opened in the belief that it is a harmless PDF.

These new domains will certainly be used in phishing attacks, but there is a simple way to protect a business: use a web filter such as WebTitan to block access to .zip domains. If a user attempts to visit such a domain, no connection is made to it and the user is instead directed to a local block page. No connection means no threat. If employees need access to specific .zip domains for business purposes, those domains can be whitelisted in WebTitan to allow access. Note that this blocks .zip domains, not .zip files; archive attachments arriving by email still need to be handled by the spam filter.

You can install WebTitan on a free trial to see how easy it is to block access to specific TLDs, to categories of websites that serve no business purpose, to known malicious URLs, and to risky file downloads such as the executable file types commonly used to deliver malware (.exe, .js, .bat, .msi). Blocking these file types also helps to control shadow IT: unauthorized software installations by employees that are unknown to the IT department.
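The TLD block and the download-type block described above are easy to reproduce as a policy check. The following Python is an added example written for this page, not TitanHQ's or WebTitan's code. It assumes that .mov deserves the same treatment as .zip, the RISKY_TLDS, BLOCKED_EXTENSIONS and DECOY_EXTENSIONS sets and the sample email are constructed for illustration, and it shows the two details that matter in practice: an allowlist entry must match on a full label boundary (allowing partner.zip must not also allow notpartner.zip), and an allowlisted host still gets the download-type check.

```python
import re
from urllib.parse import urlparse

# TLDs released by Google in May 2023 that collide with common file extensions.
# Assumption: .mov is given the same policy as .zip.
RISKY_TLDS = {"zip", "mov"}

# Download types the page lists as commonly used to deliver malware.
BLOCKED_EXTENSIONS = {"exe", "js", "bat", "msi"}

# Document-style extensions an attacker places before the real extension
# (e.g. Invoice.pdf.exe) to disguise an executable. Illustrative set.
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def host_matches(host: str, pattern: str) -> bool:
    """True if host equals pattern or is a subdomain of it (label boundary)."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    return host == pattern or host.endswith("." + pattern)


def tld_of(host: str) -> str:
    """Last DNS label of the host, ignoring a trailing dot."""
    return host.lower().rstrip(".").rsplit(".", 1)[-1]


def download_verdict(path: str):
    """Reason string if the last path segment is a blocked file type, else None."""
    name = path.rsplit("/", 1)[-1]
    exts = name.lower().split(".")[1:]          # "invoice.pdf.exe" -> ["pdf", "exe"]
    if not exts or exts[-1] not in BLOCKED_EXTENSIONS:
        return None
    reason = "block:download:" + exts[-1]
    if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
        reason += ":disguised-as-" + exts[-2]  # double-extension trick
    return reason


def filter_url(url: str, allowlist=()) -> str:
    """Apply the TLD policy, then the download policy. Returns 'allow' or a block reason."""
    parsed = urlparse(url)
    host = parsed.hostname
    if not host:
        return "block:unparsable"
    allowed = any(host_matches(host, a) for a in allowlist)
    if not allowed and tld_of(host) in RISKY_TLDS:
        return "block:tld:" + tld_of(host)
    # The download-type policy applies even to allowlisted hosts.
    return download_verdict(parsed.path) or "allow"


def scan_message(text: str, allowlist=()):
    """Return (url, verdict) for every URL in the text that would be blocked."""
    findings = []
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;:)")         # trailing punctuation is not part of the URL
        verdict = filter_url(url, allowlist)
        if verdict != "allow":
            findings.append((url, verdict))
    return findings


# Constructed sample email body for demonstration.
SAMPLE_EMAIL = """\
Hi, the signed contract is ready for review.
Download it here: https://invoice.zip/Invoice.pdf.exe
Our archived project files are at https://files.partner.zip/archive/q2.zip.
Updated guidance: https://intranet.example.com/policy.pdf
"""
ALLOWLIST = ("partner.zip",)   # business-approved .zip domain

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_EMAIL, ALLOWLIST):
        print(verdict, url)
```

Running the block against the sample email flags only the invoice.zip link; the partner.zip link passes because partner.zip is allowlisted and q2.zip is not an executable type, while a setup.msi on the same allowlisted host would still be blocked by the download policy.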

For more information on WebTitan, contact the TitanHQ team today.

Phishing Simulations: Why You Should Be Testing Your Workforce!

Phishing is the most common vector used by cybercriminals to attack businesses, and attacks have grown in sophistication to the point where no single cybersecurity solution is effective at blocking all of them. Cybercriminals constantly change their tactics, techniques, and procedures to bypass security controls and fool end users, so businesses now need to layer multiple defenses, such as spam filters, web filters, antivirus software, endpoint detection solutions, and multi-factor authentication. They also need to provide security awareness training to teach employees how to recognize and avoid phishing and other cybersecurity threats.

With all of these solutions in place, you will be well protected from phishing attacks; however, it is important to also conduct phishing simulations on your employees. Many businesses provide security awareness training during the onboarding process and annually thereafter but then fail to conduct phishing simulations.

Phishing simulations are proven to improve protection against phishing attacks, with TitanHQ’s data showing customers who regularly conduct phishing simulations can reduce susceptibility to phishing attempts by up to 80%. In this article, we provide some of the reasons why phishing simulations are such an important part of any cybersecurity strategy and why they are so effective at improving the security posture of a business.

What are Phishing Simulations?

Phishing simulations are phishing attempts conducted by businesses on their own workforce. Emails are sent that closely mirror the phishing attempts that are conducted by cybercriminals in real-world attacks, the only difference being a failure will not result in a costly network compromise and data breach. Phishing simulations are typically conducted by the IT department, which can create a simulation program for the entire workforce that is tailored to the types of phishing threats that employees are likely to encounter.

When a simulated email is opened and any action is taken by an employee, the actions are logged. These simulations usually run continuously throughout the year with each employee receiving one or more simulated emails at random times each month. The emails range from phishing attempts that should be very easy to identify, to much more sophisticated phishing attempts.

Why are Phishing Simulations Important?

If you provide security awareness training, how can you tell whether that training has been effective and is actually reducing susceptibility to phishing attacks? You can conduct quizzes at the end of each training session, but they will not tell you whether the training is being applied in the workplace. Employees will likely remember the points raised at the end of the session but may forget them in a month or two. Phishing simulations provide valuable information about whether the training is working, because they arrive when employees are not thinking about security, which is exactly when a real phishing email would arrive.

Security awareness training costs a business money, as the training must be paid for and will take employees away from their jobs. That money is usually very well spent, but the board will likely want to see the return on investment. Phishing simulations provide that data. Conducting phishing simulations before training and regularly thereafter will give a clear picture of how the spending on training is benefiting the business in terms of reducing susceptibility to phishing attacks.

Phishing simulations are not a way of catching out employees. They are an important part of the training process. If a phishing simulation is failed, it simply means that the training has not been effective for that person against that specific threat. A failure should trigger a short training module relevant to the type of email that was not identified, delivered at the point of failure. Without simulations, an employee who encounters a real version of that threat would be likely to respond the same way and fail to identify it, resulting in an email account compromise. When an employee fails a simulation, they should automatically be scheduled to receive more simulated emails to help them improve their skills at detecting phishing.

Phishing simulations give employees practice at responding to phishing and help them develop ‘muscle memory.’ If an employee never gets any practice after the training session they are more likely to forget their training. Phishing simulations keep security fresh in the mind and are an important way of developing a security culture, where employees always stop and think before taking an action that could lead to a network compromise. They also help to condition the workforce to report any suspicious emails, which is vital for the IT security team.

Cybersecurity Solutions from TitanHQ

TitanHQ can help businesses improve their defenses against phishing and malware and adopt a defense-in-depth strategy through three cybersecurity solutions: SpamTitan Email Security, WebTitan DNS Filtering, and SafeTitan Security Awareness Training and Phishing Simulation. For more information on these solutions and to start conducting phishing simulations, give the TitanHQ team a call today. All TitanHQ solutions are available on a free trial so you can evaluate their effectiveness in your own environment before deciding on a purchase.

Malicious Ads and Phishing Emails Used to Distribute RomCom Malware

RomCom malware is being distributed via a range of websites that claim to offer downloads of popular software solutions such as AstraChat, GIMP, Go To Meeting, and ChatGPT, and traffic is being sent to those websites by malicious Google Ads and phishing emails.

RomCom malware is a remote access Trojan that serves as a backdoor into infected systems. It has previously been associated with Cuba ransomware, although it is unclear whether the two were developed by the same threat actor: Palo Alto Networks identified attacks conducted in August 2022 by a Cuba ransomware affiliate that is also known to use RomCom malware. RomCom has been used in attacks on targets in Ukraine, which suggests that at least some of the attacks are not financially motivated, although the attacks are not confined to Ukraine and the malware has also been used in North and South America, Europe, and the Philippines.

In the fall of 2022, RomCom malware was being distributed via a network of websites that impersonated legitimate software such as KeePass Password Manager and SolarWinds Network Performance Monitor (NPM), and this year more websites have been created to distribute the malware that claim to offer legitimate software downloads. The number of impersonated brands has been steadily growing, with new websites created as sites are identified as malicious and taken offline.

The threat actor behind the RomCom malware distribution has been using Google Ads to drive traffic to the websites, although phishing emails are also being used. If a user attempts to download software from one of these websites, they receive an MSI installer that impersonates the app offered on the site. The installer includes a malicious DLL file that delivers RomCom malware and other malicious payloads. Those additional payloads include a data exfiltration tool, an instant messenger data stealer, a cryptocurrency wallet stealer, an FTP credential stealer, and a tool that steals cookies from web browsers.

The malware may be used to provide initial access to ransomware gangs but many of the attacks identified so far in 2023 appear to be geopolitically motivated. To reduce the risk of attacks, organizations should implement cybersecurity solutions to block emails with malicious attachments and URLs, such as SpamTitanPlus. SpamTitanPlus offers faster detection of malicious URLs than any of the current market-leading solutions, and includes AV controls and sandboxing for detecting zero-day malware threats.

Steps should also be taken to block access to the malicious websites used to distribute the malware, for example with the WebTitan DNS Filter, which blocks access to known malicious websites and can be configured to block downloads of executable files, such as MSI installers.