Hacker News
by 1023bytes 1128 days ago
WELLSFARGO ALERT: Suspicious activity detected in your account! Please see the attachment for more information [https://wellsfargo.zip]
4 comments

I'm guessing your hit rate is just as high if the URL is http://youareabouttogethacked.geocitiesorsomething.com/?shad....

As many other people have said, does anyone confuse C:\command.com and http://command.com? I doubt it.

How is this any different than 'There's an urgent update to your tax information. Download your documents from here: <a href="https://welsfargo.tax">https://wellsfargo.zip</a>'

Looks like it will take you to a zip file, but won't. Hovering over the link looks legit enough. I just don't think it buys you that much. /shrug

> hovering over the link looks legit enough

You get a pretty different result if it's just "http" and not "https" though: The zip domain looks like just the file name instead of a URL.

So this is bad because .zip sounds vaguely like something related to attachments?

I dunno, that doesn't sound much worse than wellsfargo.info to me.

Because technologically illiterate users will think it's a filename.

I'm having a hard time imagining users who would be fooled by https://wellsfargo.zip but not fooled by https://wellsfargo.inc

Isn't that true of every generic-looking TLD?

With Chrome hiding the 'https://', a bankinfo.zip URL ends up looking a lot like a file or an attachment. So it could be used to trick people into assuming the file comes from a trusted domain instead of a third-party one, as the user just sees a filename without a domain part, not realizing that what looks like a filename is the domain and they are no longer on their previous trusted site.

This is especially problematic as the 'https://' hiding also happens in the URL preview when you hover over a link (Edit: seems to happen only for longer URLs).
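
The two cases raised in this thread (anchor text that names one host while the `href` points at another, and a link target whose TLD doubles as a file extension) can be checked mechanically in a mail or web filter. The following is an added example, not part of the thread; `audit_links`, `host_of` and the `FILE_LIKE_TLDS` set are hypothetical names and an assumed, non-exhaustive list.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: TLDs that are also common file extensions; extend as needed.
FILE_LIKE_TLDS = {"zip", "mov"}

def host_of(text):
    """Return the lowercase hostname of a URL or bare host, else None."""
    text = text.strip()
    if " " in text or "." not in text:
        return None
    host = urlsplit(text if "://" in text else "//" + text).hostname
    # Relative paths such as "files/report.zip" yield a dotless "host": ignore.
    return host if host and "." in host else None

class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(html):
    """Return (href, shown_text, [findings]) for each suspicious anchor."""
    parser = _Links()
    parser.feed(html)
    report = []
    for href, shown in parser.links:
        findings = []
        target, claimed = host_of(href), host_of(shown)
        if target and claimed and target != claimed:
            findings.append("shown-host-differs-from-target")
        if target and target.rsplit(".", 1)[-1] in FILE_LIKE_TLDS:
            findings.append("target-tld-looks-like-file-extension")
        if findings:
            report.append((href, shown, findings))
    return report

# Constructed sample: the anchor quoted in the thread plus a benign link.
SAMPLE = ('<p><a href="https://welsfargo.tax">https://wellsfargo.zip</a> or '
          '<a href="https://example.com/help">https://example.com/help</a></p>')
```

A link to a relative path such as `files/report.zip` with the text `report.zip` is not flagged, since the target has no hostname of its own.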