Attackers are taking advantage of Zoom's surge in popularity since the outbreak of COVID-19 by registering new Zoom-themed domains for malicious purposes.
Videoconferencing software company Zoom provides a cloud-based communication platform for audio and video conferencing, online meetings, chat, and collaboration across mobile, desktop, and telephone systems.
There has been a rapid increase in the number of Zoom users since the beginning of this year, as millions of people have opted to work from home. An estimated 2.22 million new users have joined the service this year alone, compared with 1.99 million added during the whole of last year. Zoom now has more than 12.9 million monthly active users.
New Zoom domains registered since 2020
According to Check Point Research, more than 1,700 new domains containing the name 'Zoom' have been registered since the beginning of the year, 25% of them in the last week alone. Of these newly registered domains, 4% were found to have suspicious characteristics.
The researchers also found malicious files using a zoom-us-zoom_##########.exe naming scheme. When executed, such a file launches an InstallCore installer that attempts to install potentially unwanted third-party applications or malicious payloads.
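As an added example (not code from the article or from Check Point), the following Python script shows how a defender might triage the two indicators described above: newly registered domains that reference 'Zoom' but are not under Zoom's own registrable domains, and executables following the zoom-us-zoom_##########.exe naming scheme. The domain list, the filenames, the set of legitimate Zoom domains and the small homoglyph table are all constructed assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed sample of newly registered domains (illustrative, not Check Point's data).
SAMPLE_DOMAINS = [
    "zoom.us",
    "zoom-us-meeting-login.com",
    "zoomclient-download.net",
    "zo0m-update.xyz",           # digit 0 standing in for the letter o
    "example.org",
    "support.zoom.us",
    "zoomvideo-conference.ru",
]

# Constructed sample of filenames as they might appear in endpoint telemetry.
SAMPLE_FILES = [
    "zoom-us-zoom_1234567890.exe",
    "ZoomInstaller.exe",
    "zoom-us-zoom_0987654321.exe",
    "zoom-us-zoom_12345.exe",
    "notes.txt",
]

# Assumed allow-list of registrable domains that Zoom itself controls.
LEGIT_ZOOM_DOMAINS = {"zoom.us", "zoom.com"}

# Minimal homoglyph normalisation so that "zo0m" is still recognised as "zoom".
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Matches the article's zoom-us-zoom_##########.exe scheme. The placeholder shows
# ten digits, but the pattern accepts any run of digits so variants are not missed.
DROPPER_NAME = re.compile(r"^zoom-us-zoom_\d+\.exe$", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels (no public suffix list here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_zoom_lookalike(host: str) -> bool:
    """True when the host references 'zoom' (after homoglyph normalisation)
    but is not under a domain Zoom legitimately controls."""
    host = host.lower()
    if registrable_domain(host) in LEGIT_ZOOM_DOMAINS:
        return False
    return "zoom" in host.translate(HOMOGLYPHS)


def matches_dropper_scheme(filename: str) -> bool:
    """True when the filename follows the InstallCore dropper naming scheme."""
    return bool(DROPPER_NAME.match(filename))


def triage(domains: List[str], files: List[str]) -> Dict[str, List[str]]:
    """Return the subset of domains and filenames worth an analyst's attention."""
    return {
        "lookalike_domains": [d for d in domains if is_zoom_lookalike(d)],
        "dropper_filenames": [f for f in files if matches_dropper_scheme(f)],
    }


if __name__ == "__main__":
    findings = triage(SAMPLE_DOMAINS, SAMPLE_FILES)
    for category, items in findings.items():
        print(f"{category}:")
        for item in items:
            print(f"  {item}")
```

In practice the domain feed would come from a newly-registered-domain source and the filenames from EDR or proxy logs; the allow-list of legitimate Zoom domains should be maintained deliberately, since an overly narrow list produces false positives on Zoom's own subdomains.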
InstallCore is classified as a potentially unwanted application (PUA) or potentially unwanted program (PUP) by various security products; it may disable User Account Control (UAC), add files that launch at startup, install browser extensions, and alter browser configuration and settings.
Some Zoom users were also found to be infected with the Neshta file-infecting virus, a malware strain known for collecting information on installed applications, running programs, and SMTP email accounts and sending it to its operators.
Check Point noted that cybercriminals use well-known brand names in domain names to blend in among legitimate websites, impersonating the original site or a related service in order to trick users into handing over personal details.
Such malware infections usually begin with phishing emails carrying malicious links or attachments.
Zoom privacy and security issues
In January, Zoom patched a vulnerability that could have let a threat actor identify and join active, unprotected Zoom meetings.
Zoom also recently announced that it would remove the Facebook SDK (Software Development Kit) from its iOS application after Motherboard reported that the SDK collected device information and sent it to Facebook's servers.
FBI Warns of Zoom attacks
The FBI has warned of ongoing attacks in which intruders join Zoom video conferences used for online lessons and business meetings, either to disrupt them or to stage pranks that can later be shared on social media platforms.
The FBI has received several reports of conferences being disrupted by pornographic and/or hate images and threatening language. As more people use video-teleconferencing (VTC) platforms, reports of VTC hijacking (also called 'Zoom-bombing') are increasing nationwide.
To prevent video conference hijacking
Some of the measures suggested by the FBI to prevent future hijacking attempts include:
- Do not make meetings or classrooms public.
- Do not share Zoom conference links on public social media.
- Manage screen-sharing options: in Zoom, restrict screen sharing to 'Host Only'.
- Ensure users keep their Zoom clients up to date.
- Ensure that your organization's telework policy addresses requirements for physical and information security.
Zoom-bombing victims are advised to report such incidents to the FBI's Internet Crime Complaint Center, and to report any direct threats made during a video conference hijacking incident at https://tips.fbi.gov/.