Technology in terms you understand. Sign up for my weekly newsletter, "Confident Computing", for more solutions you can use to make your life easier. Click here.

Why Spammers Love ZIP Files and How You Need to Stay Safe

//
I suppose most folks will be getting unsolicited spam to try to get your details. I’m getting financial questions and attachments with a .zip extension. What is .zip?

The ZIP file is the spammer’s – or rather the phisher’s – best friend.

ZIP files are everywhere, and have a lot of very valid uses. Unfortunately with that ubiquity comes the potential for abuse.

And that’s exactly what spammers like to do.

Become a Patron of Ask Leo! and go ad-free!

Just what is a ZIP file, anyway?

A ZIP file is a container for other files.

At their most basic, ZIP files solve two problems in a very simple way:

  • By bundling multiple files, and even folders, into a single container file, distribution, archival and organization of large numbers of files becomes more simple. Rather than sending 50 separate documents as 50 separate files, you can instead create a ZIP file that contains them all, and send that single file.
  • ZIP files are also compressed. That means that even when a ZIP file contains only a single file, it’s very possible that the ZIP file will be smaller than the file it contains. Naturally it varies dramatically based on the compressibility of the original files.

Those two features: bundling multiple files into one, and compressing them as it does so, make the ZIP file format one of the most common ways that files and collections of files are shared around the internet. Add optional password-based encryption, and it gets even better.

It’s also one of the oldest archive and compression formats still in use, dating back to 1989.1

ZipZIP is everywhere

One of the things that makes ZIP files so appealing is that support for creating and opening them (“zipping” and “unzipping”, typically) is built into every current operating system. Windows Explorer understands ZIP files, and Mac and Linux both come with the “zip” and “unzip” command line tools.

Given that ubiquity, it’s very safe for a software vendor – or anyone for that matter – to assume that if they make something available as a ZIP file, it will be understood by the recipient.

ZIP as obfuscation

Knowing you have a ZIP file doesn’t really tell you what you have. You have to look inside the file to understand what files have been zipped inside. As a result, ZIP files are often used to hide or at least obscure their contents.

Here’s an example: many email systems will not allow attachments of files that end in “.exe”. In Windows, .exe files are programs. When you double click on a .exe file, that’s the instruction to Windows to run whatever program that .exe file happens to be. Since malware is also often distributed as a program file, email providers simply prevent all programs from being emailed in this fashion. The risk of someone opening the attachment to see what it is, and inadvertently running the malicious program it turns out to be, is simply too high.

ZIP files, however, are not blocked. As I said, ZIP files are significantly useful for many, many things, not the least of which is transferring collections of documents from one person to another, by email.

So one approach to sending a .exe file from one person to another via email is to zip it first, email the resulting .zip file, and then have the recipient unzip on their end.

Hackers and phisher’s love that.

ZIP as phishing bait

You get an email from your bank.

The email says there’s an issue with your account, and to please open the attached file for more information.

The attached file is a ZIP file.

Chances are, to quote the over-quoted Admiral Ackbar: It’s a trap!

Whomever sent you that email probably used the ZIP file format to bypass anti-malware scans and other restrictions to deliver you a malicious package. If you open the zip file, you’ll probably find what appears to be a document. Double click on that document and you could instead be running a program that delivers malware to your machine.

I recommend you not do that. 🙂

When to trust ZIP files

Banks, governments, delivery services, the postal service and almost all other companies should simply never send you a ZIP file. Either the information they want to get to you will be in the body of the mail, or they’ll direct you to log in to your account with their service directly (ideally without clicking on a link), where you’ll find the important information.

Naturally there are exceptions. If you purchase a software download, I’ve seen it delivered via email as a ZIP file, though more commonly it’s a direct download from the website on which you purchased it.

But ultimately if you receive unexpected email, particularly from some kind of “official looking” source, and it has a ZIP file attached, be very, very wary. I would even go so far as to say never open unexpected ZIP files until or unless you can absolutely confirm that they are legit by some other means.

ZIP files are exceptionally useful, but because spammers and scammers have taken to using them to trick you into installing malware, it’s worth always being sure of exactly where they come from.

Footnotes & references

1: Ref: Zip (file format) – Wikipedia

38 comments on “Why Spammers Love ZIP Files and How You Need to Stay Safe”

  1. Most “archive files” (e.g. ZIP, 7-zip) can be scanned with anti-virus programs and other anti-malware tools (e.g. Malwarebytes). I heartily recommend doing so, even when you THINK you know what the archive (ZIP) file is.

        • That depends on your anti-malware tool. Some have an option to scan inside archives. Those ones will scan a zip file by actually scanning the contents of the zip file without you having to unzip the files.

    • Newly minted viruses in emails may not have been picked up by the AV companies yet, and there are always delays in getting the newest definitions out.
      Example: I’ve gotten several of these, obvious phishes with zip attachments holding exe files, usually with double extensions, e.g. statement.pdf.exe. (If you don’t display file extensions you could be fooled.) They often even come with an Adobe Reader icon; again, trying to fool you that it’s just a innocent PDF.
      With that pedigree, I know for sure it was virus – but decided to check it anyway. Surprise, all the usual virus checks show negative. So off to totalvirus.com it goes; this is a site that tests files against 50-some antivirus programs. On the first day, only 5 of the 50 tests said virus, 3 days later 20 of them said so, and a week later, 45 of them.
      Bottom line: if it waddles like a duck, looks like a duck and quacks like a duck .. it’s a duck. Even if it says it’s a kitten video.

      • “If you don’t display file extensions you could be fooled”

        If you don’t display file extensions then wouldn’t seeing suddenly the PDF extension show up (as only the “.exe” would be hidden) tip you off?

        • IF, and only if, you were paying attention and thought about it. In my experience most people (rightfully) are thinking about other things.

  2. Sometimes an email with a zip file or other unknown, and possibly unwanted files, such as pictures or links, may be spoofed as coming from someone you do know and trust. I have sent a separate email back to the sender, to verify that they did indeed send it to me, and why before opeinng it. Once I get their answer then I know what to do with the files.

  3. One of the first benefits to a compressed (single) file relates to disk cluster size. If you write 100 1byte files into an OS with a 1K cluster size (I am just making these numbers up as I go) the OS will happily eat 100,000 clusters. If you write 100 1byte files into one Zip file and save that, the OS will use one 1K cluster. ( I hope my math is correct. )

    • Many files shorter than about 200 bytes will very probably get inlined in the folder itself. In fact, under Windows using NTFS, your shortcuts ,*.lnk files, are all inlined. All modern file systems actualy support inlining, but FAT did not.
      This mean that those short files don’t actualy have any allocated cluster, but use some space within the folder itself.

  4. GMail will neither allow you to send or receive .zip files which contain .exe or other executable files. I believe .rar bypasses this.

      • If you encrypt the files using the zipping program, the file names will still be visible to Gmail or anyone opening the .zip file. If you encrypt the .zip file after it has been zipped, even by using zip encryption, this would obscure the file names.

  5. Theres also some email that will tell you a password to an attached zip file, which you have to input, to open. Zip files with passwords cannot be scanned by anti-malware as they are considered encrypted.

    • Not completely true. The contents of the password protected zipped files cannot be read, but the listing of files that are within the zip file CAN be seen.

  6. > The contents of the password protected zipped files cannot be read, but the listing of files that are within the zip file CAN be seen.
    Depending on the program used: 7-zip, for example, offers the option to encrypt file names.

  7. I guess you have seen it before, but…

    REAL programmers type C:/ copy con >MyProg.zip

    Yeah, I know… few will understand.. 😉

  8. IF an agency OR someone you know NEEDS to send you a ZIP file, FOR ANY REASON, they should password protect the ZIP file and provide you with the KEY over the phone, NEVER provide KEYS by email! With 7zip the following key/password examples (in quotes) are all stronge, legit and acceptable: “SweeT cHerry w1ne t01let w@teR”, “porcupineapples”, “Paperclip 0n 1c3” etc they really don’t need to be all that complicated to be secure. Do Not Use any of these examples lol.

    Working in the medical and other sensitive fields I’ve set up keys that are changed monthly, at minimum, or weekly to provide the best security. No password, it’s deleted!

  9. I received a zip file in an email yesterday, purporting to contain e-tickets for a show in Bournemouth in December for which I had apparently already paid, using a credit card with the last 4 digits shown, which didn’t match any of my cards.
    I saved the file to disc and scanned it with McAfee, which didn’t find any problems, but I shredded it anyway.
    Today’s Telegraph ran a story about this, saying that if the attachment was opened it would install a virus.
    Is there really any risk in opening a zip file to see the contents? Is it possible for the zip file itself to actually install the virus if opened? I would have thought not, but could the .zip extension itself be a spoof?

  10. Yes, but when checking zipped files received for malware or viruses with Malwarebytes, SuperAntiSpyware or your anti-virus program, which do you check? The zipped folder itself or the contents after unzipping it???

    • Both. You scan the .zip, just in case it’s not really a .zip file, and you scan the contents of the .zip file, in case the contents contain malware.

      Some anti-malware programs give you an option to scan inside archives. This option will scan both the .zip and the contents at the same time.

  11. If your current AV solution can’t look into and scan inside of zip files then it’s time to get another AV solution
    the only exception is encrypted zip files which most if not all AV still cannot scan
    you also want an AV that can look inside of stacked / nested zip files,
    > that’s file(s) inside of a zip, inside of a zip, inside of a zip, inside of a zip, inside of a zip …

    also encrypted zip files are a quite a bit less useful to the malware distributor, because they also have to supply the password. adding extra steps and complexity for the users they are trying to exploit, and sometimes windows exploder won’t let you take the files out of a password encrypted zip file
    which then requires using an actual zip file utility or distribution of a self extracting zip.
    case in point:
    > I sent a friend a zip file that contained the files I recovered for them from their old PC they gave me before they moved away
    I used winzip 16 with 256-bit AES encryption and a reasonably sized complex password to encrypt the zip file
    I also made a self extracting zip file using of the same archive which also required the password
    I had to explain 3 times how to get the files out of the encrypted zip using the password supplied
    but in the end they had to use the self extracting zip with the supplied password because windows exploder wouldn’t accept the password for the encrypted zip file

    The best practice with financial institutions, banks, credit cards, shipping companies (DHL, UPS) etc. is never supply them your email address
    every time I go in to the bank they try to get my email address and I tell them No!
    for the following reason:
    when you get an email supposedly from the financial institution, you know immediately it’s fake because they don’t have your email address
    with banks etc. if there is a problem with your account they are supposed to freeze the account / halt any irregular transactions, call you by phone and send you letter mail

    if a bank insists they have my email address to continue using the bank, I will close the account and cease to do business there

    • It’s also useful to minimize the number of banks you use. Because I deal with two banks, I always laugh when I get emails from other banks. It’s easy to tell the fakes apart when 10 emails are from banks you don’t deal with and 1 is. And my banks never email me anyways, unless it’s to tell me that I should log in to my account (no link in the email) to read an important message.

  12. Going back to the original question, I know exactly what was meant by “I’m getting financial questions and attachments with a .zip extension” as I have been getting two or three of these a week over the summer. The last one claimed to come from “Superior of Missouri Department of Revenue” and the subject was “Unpaid taxes. Notice #126147”. Like the others, a small zip file of about 60KB was attached; this one was called “Notice_8.04.2014.xls.zip”, so as described above it was masquerading as a spreadsheet. Others claim to be invoices, bills, etc.

    I scanned the attachment online with Virus Total, and 39/51 scans detected malware, generally a Trojan downloader of some sort. It is a bit disappointing that Hotmail is letting so many of these through, given that it does scan messages for viruses. I have had one or two containing infected macros for Word documents, indicating the value of not allowing MS Word to open macros from the Web without permission.

  13. As I noted in a reply above, scanning attachments in zip files should *never* be one’s first line of defense. If it’s a new virus (and email is a great way to get new viruses in circulation quickly) your anti-virus will not flag it. To be safe(r) just say no and don’t open .zip files in emails.

  14. Another trick that I’ve recently seen in malware-bearing .zip files (attached to emails): the .zip file contains 2 files; one is the malware program (probably between 10 kB and 50 kB in size) but renamed from something.exe to something.dat, and the other is a batch (name.bat) file (contents only a few tens of bytes) that contains commands to rename the file back to something.exe and then execute it.

  15. What can I do if I opened a .zip file with a protected password from a phishing email? I did a search on what my next steps are to protect myself after opening a .zip file, but I can’t find one. They all say “DO NOT OPEN IT.” But the problem is I already did. What do I do now?

  16. No A.V. scanner truly “scans inside of zip files”. They all have to be temporarily extracted to memory to scan the true string of bits.
    You have to quickly “re-build the house” from a pile of bricks to catch someone hiding in the bedroom closet.

  17. Our computer network was infected with the Dyre virus/trojan. It was sent as an attached zip file. Inside the zip file was a .scr file. How do you know if you are infected by simply opening the .zip file or if you had to open the .scr file? Our IT people are telling us if we opened the zip file we are infected, but I think that is just them pulling out the hammer because they really don’t know. I opened the zip, saw the scr attachment, and then promptly deleted it. How would you proceed. Is there a good free scanner out there that can tell me if I’m a ‘carrier’?

    • Generally just unzipping a file with a .scr extension shouldn’t cause it to execute.
      For those who don’t know a .scr is a screensaver file. That might sound harmless, but it is functionally identical to a .exe file and the essential difference is the a .scr file is an executable file which lets the user know that it is expected to be used as a screensaver. It’s not uncommon for a virus to be disguised with a .scr extension to fool people into running it.

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Typically that's off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.