ZIP files are incredibly useful for compressing files and containing collections of files. Unfortunately they’re also useful to hackers, spammers and scammers.

I suppose most folks will be getting unsolicited spam to try to get your details. I’m getting financial questions and attachments with a .zip extension. What is .zip?
The ZIP file is the spammer’s – or rather the phisher’s – best friend.

ZIP files are everywhere, and have a lot of very valid uses. Unfortunately with that ubiquity comes the potential for abuse.

And that’s exactly what spammers like to do.

Just what is a ZIP file, anyway?

A ZIP file is a container for other files.

At their most basic, ZIP files solve two problems in a very simple way:

  • By bundling multiple files, and even folders, into a single container file, distribution, archival and organization of large numbers of files becomes more simple. Rather than sending 50 separate documents as 50 separate files, you can instead create a ZIP file that contains them all, and send that single file.
  • ZIP files are also compressed. That means that even when a ZIP file contains only a single file, it’s very possible that the ZIP file will be smaller than the file it contains. Naturally it varies dramatically based on the compressibility of the original files.

Those two features: bundling multiple files into one, and compressing them as it does so, make the ZIP file format one of the most common ways that files and collections of files are shared around the internet. Add optional password-based encryption, and it gets even better.

It’s also one of the oldest archive and compression formats still in use, dating back to 1989.1

ZIP is everywhere

One of the things that makes ZIP files so appealing is that support for creating and opening them (“zipping” and “unzipping”, typically) is built into every current operating system. Windows Explorer understands ZIP files, macOS Finder opens them with its built-in Archive Utility, and macOS and most Linux distributions also provide the “zip” and “unzip” command line tools.

Given that ubiquity, it’s very safe for a software vendor – or anyone for that matter – to assume that if they make something available as a ZIP file, it will be understood by the recipient.

ZIP as obfuscation

Knowing you have a ZIP file doesn’t really tell you what you have. You have to look inside the file to understand what files have been zipped inside. As a result, ZIP files are often used to hide or at least obscure their contents.

Here’s an example: many email systems will not allow attachments of files that end in “.exe”. In Windows, .exe files are programs. When you double click on a .exe file, that’s the instruction to Windows to run whatever program that .exe file happens to be. Since malware is also often distributed as a program file, email providers simply prevent all programs from being emailed in this fashion. The risk of someone opening the attachment to see what it is, and inadvertently running the malicious program it turns out to be, is simply too high.

ZIP files, however, are not blocked. As I said, ZIP files are significantly useful for many, many things, not the least of which is transferring collections of documents from one person to another, by email.

So one approach to sending a .exe file from one person to another via email is to zip it first, email the resulting .zip file, and then have the recipient unzip on their end.

Hackers and phishers love that.

ZIP as phishing bait

You get an email from your bank.

The email says there’s an issue with your account, and to please open the attached file for more information.

The attached file is a ZIP file.

Chances are, to quote the over-quoted Admiral Ackbar: It’s a trap!

Whoever sent you that email probably used the ZIP file format to bypass anti-malware scans and other restrictions to deliver you a malicious package. If the archive is password-protected (with the password helpfully printed in the message), a scanner can’t look inside it at all. If you open the zip file, you’ll probably find what appears to be a document: a file named something like “Statement.pdf.exe” shows up as “Statement.pdf” when Windows hides known file extensions, which is its default. Double click on that “document” and you could instead be running a program that delivers malware to your machine.

I recommend you not do that. 🙂
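The two points above, that a filter on the attachment’s own name never sees a program hidden inside a ZIP, and that a disguised “document” can still be spotted by looking inside the archive without extracting it, can be checked with a few lines of code. The script below is an added example and not part of the original article: it builds a small phishing-style archive in memory (the “executable” is just an MZ header plus padding, not a real program) and then triages it with Python’s standard zipfile module. The extension lists and the function names are assumptions for the example.

```python
import io
import os
import zipfile

# Extensions Windows runs on double-click. Assumed list for this example;
# it is illustrative, not exhaustive.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".dll",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".lnk",
}
# Document-looking extensions a phisher puts in front of the real one.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def naive_attachment_filter(attachment_name: str) -> bool:
    """The kind of check the article describes: block only when the
    attachment itself ends in an executable extension."""
    return os.path.splitext(attachment_name.lower())[1] in EXECUTABLE_EXTENSIONS


def build_sample_archive() -> bytes:
    """Constructed sample, built in memory: a benign note plus a file named
    like a PDF that is really an executable. The payload is only an 'MZ'
    header followed by padding, not a real program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"Please open the attached statement.")
        zf.writestr("Account_Statement.pdf.exe", b"MZ" + b"\x00" * 200)
    return buf.getvalue()


def triage_archive(data: bytes) -> list:
    """Look inside a ZIP without extracting it and flag what a filter on the
    outer filename would never see. Returns one dict per entry."""
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            flags = []
            base = os.path.basename(info.filename).lower()
            stem, ext = os.path.splitext(base)
            inner_ext = os.path.splitext(stem)[1]
            if ext in EXECUTABLE_EXTENSIONS:
                flags.append("executable")
            if ext in EXECUTABLE_EXTENSIONS and inner_ext in DOCUMENT_EXTENSIONS:
                flags.append("double-extension")  # e.g. statement.pdf.exe
            if info.flag_bits & 0x1:
                # Encrypted entry: a scanner without the password cannot look inside.
                flags.append("encrypted")
            elif not info.is_dir():
                # Peek at the first two bytes of the entry: a Windows executable
                # starts with "MZ" no matter what the file is called.
                with zf.open(info) as fh:
                    head = fh.read(2)
                if head == b"MZ":
                    flags.append("pe-header")
            report.append({"name": info.filename, "size": info.file_size, "flags": flags})
    return report


def is_suspicious(data: bytes) -> bool:
    """True when any entry in the archive raised a flag."""
    return any(entry["flags"] for entry in triage_archive(data))


if __name__ == "__main__":
    sample = build_sample_archive()
    print("naive filter blocks statement.zip?", naive_attachment_filter("statement.zip"))
    for entry in triage_archive(sample):
        print(entry)
    print("suspicious:", is_suspicious(sample))
```

Run as-is, the naive filter passes “statement.zip” while the triage flags the inner file three times over: executable extension, a document extension in front of it, and an MZ header. An encrypted entry is reported as such and its contents are not peeked at, which is exactly the situation a mail scanner is in when the password only exists in the message body.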

When to trust ZIP files

Banks, governments, delivery services, the postal service and almost all other companies should simply never send you a ZIP file. Either the information they want to get to you will be in the body of the mail, or they’ll direct you to log in to your account with their service directly (by typing the address yourself rather than clicking a link in the mail), where you’ll find the important information.

Naturally there are exceptions. If you purchase a software download, I’ve seen it delivered via email as a ZIP file, though more commonly it’s a direct download from the website on which you purchased it.

But ultimately if you receive unexpected email, particularly from some kind of “official looking” source, and it has a ZIP file attached, be very, very wary. I would even go so far as to say never open unexpected ZIP files until or unless you can absolutely confirm that they are legit by some other means.

ZIP files are exceptionally useful, but because spammers and scammers have taken to using them to trick you into installing malware, it’s worth always being sure of exactly where they come from.