
Cybersecurity Threat Advisory 0023-20: Cyber Criminals Target Zoom Domains

Advisory Overview

With the vast increase in the number of employees working remotely due to COVID-19, malicious actors are attempting to exploit uninformed users with fraudulent sites and applications. These attempts vary in form, but they overwhelmingly rely on luring a user to a malicious site, or into downloading a malicious email attachment, that masquerades as its legitimate counterpart. The consequences range from theft of work or personal account credentials to the installation of malicious software.

Technical detail and additional information

What is the threat?

There has been a drastic (almost 200%) increase in daily registrations of new “Zoom” domains in the weeks following the near-universal adoption of work-from-home policies. Of these newly registered domains, upwards of 4% have been identified as having suspicious characteristics. Malicious actors are using some of these newly registered, fraudulent sites to distribute malicious files such as “InstallCore”, a widespread potentially unwanted program (PUP) that gathers and distributes user information for advertising and analytics monetization at the expense of the user. In addition to installing PUPs and other malicious software, some of these domains have also been identified as a possible phishing risk.

Why is this noteworthy?

With the usage of Zoom and related applications such as Google Classroom skyrocketing in recent weeks, many users are being directed to download remote work applications in order to work from home. Malicious actors are using this opportunity to prey on uninformed, inexperienced or lax users who may not be able to distinguish a malicious website or application from a legitimate one. Users who visit these malicious sites or download these files may be prompted to install malware or PUPs with names such as “zoom-us-zoom_##########.exe” that masquerade as the legitimate installer. At first glance these executables may appear legitimate, but they have been deliberately crafted to impersonate Zoom and other applications and to trick users into compromising their devices.

What is the exposure or risk?

The exact risk to a user who visits one of these sites or downloads a malicious application varies with the nature of the threat. A user who visits a phishing website may be prompted for the login credentials to their work or personal email. If those credentials are entered, the accounts are compromised and may be used for further phishing attempts or simply for theft of the information they contain. A user who downloads a PUP from one of these sites may see degraded device performance, be redirected to dangerous sites, and have other (and perhaps more malicious) malware installed as a result.

What are the recommendations?

Given that the majority of these compromises are caused by phishing or other kinds of deliberate malicious impersonation, SKOUT recommends the following to stay safe while working from home:

  • Err on the side of caution with emails or other files from unfamiliar or unverified senders. If a sender appears legitimate or is someone you may know, verify the message with them through a different channel, such as by phone.
  • If you do open emails from such senders, do not open or download any attachments unless the sender and the attachment have been explicitly verified.
  • Remain vigilant for domain impersonation; this may take the form of spelling errors (in both email addresses and website URLs), outdated branding, and spoofed email addresses.
  • Do not purchase or download software from an unverified source: search for the application independently (for example on Google) and go to the vendor's official site instead of following a potentially fraudulent email link.
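The domain-impersonation signals mentioned above (the suspicious share of newly registered “Zoom” domains, and the spelling errors and lookalike names users are asked to watch for) can be screened automatically before a user ever sees the link. The following is an added example, not code from the original advisory or from SKOUT: a small Python triage script that scores a constructed feed of newly registered domains for Zoom impersonation using brand-string matching, homoglyph normalisation, edit distance for typosquats, and lure keywords. The legitimate-domain allowlist, the lure-word list, the homoglyph table and the sample feed are all assumptions made for this example.

```python
"""Score newly registered domains for impersonation of a brand (here "zoom").

Added example; the allowlist, lure words, homoglyph table and feed below are
constructed for illustration and are not from the advisory.
"""
from __future__ import annotations

BRAND = "zoom"
# Assumed allowlist of the brand's own registrable domains.
LEGITIMATE = {"zoom.us", "zoom.com"}
# Words attackers pair with a brand name on lure sites (assumed list).
LURE_WORDS = ("download", "install", "setup", "client", "update", "login", "meeting", "app")
# Character substitutions that visually resemble letters of the brand.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "rn": "m", "vv": "w"}

# Constructed sample feed of "newly registered" domains.
SAMPLE_FEED = [
    "zoom-download-client.com",
    "zo0m.us",
    "zoom.us",
    "zooom.com",
    "zoomus-install.net",
    "example.org",
]


def normalize(label: str) -> str:
    """Undo common homoglyph substitutions so 'zo0m' compares as 'zoom'."""
    out = label.lower()
    for fake, real in HOMOGLYPHS.items():
        out = out.replace(fake, real)
    return out


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typosquats such as 'zooom' or 'zomm'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Crude eTLD+1: keep the last two labels (fine for the demo, wrong for .co.uk-style ccSLDs)."""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def assess(domain: str) -> tuple[int, list[str]]:
    """Return (score, reasons) for one domain. A score of 0 means nothing suspicious."""
    reg = registrable(domain)
    if reg in LEGITIMATE:
        return 0, []
    sld = reg.split(".")[0]
    score, reasons = 0, []
    if BRAND in sld:                      # brand embedded in the label: zoom-download-client.com
        score += 2
        reasons.append("brand in label")
    elif BRAND in normalize(sld):         # brand visible only after homoglyph normalisation: zo0m.us
        score += 3
        reasons.append("homoglyph")
    else:                                 # one edit away from the brand in any hyphenated part: zooom.com
        for part in sld.split("-"):
            if len(part) >= len(BRAND) and levenshtein(part, BRAND) == 1:
                score += 2
                reasons.append(f"typo of {BRAND}: {part}")
                break
    if reasons:                           # lure keywords only count once the brand is already present
        hits = [w for w in LURE_WORDS if w in sld]
        if hits:
            score += len(hits)
            reasons.append("lure words: " + ",".join(hits))
    return score, reasons


def triage(feed) -> list[tuple[str, int, list[str]]]:
    """Score a batch of domains and return the flagged ones, highest score first."""
    flagged = [(d, *assess(d)) for d in feed]
    flagged = [t for t in flagged if t[1] > 0]
    return sorted(flagged, key=lambda t: -t[1])


if __name__ == "__main__":
    for domain, score, reasons in triage(SAMPLE_FEED):
        print(f"{score:2d}  {domain:28s}  {'; '.join(reasons)}")
```

The script only looks at the name; in practice it is the first filter in a pipeline that then checks registration age, registrar, certificate issuance and hosted content. Short brand strings are noisy for the edit-distance check (a legitimate "room" is one edit from "zoom"), which is why that signal is weighted below the homoglyph and brand-in-label signals and why the output is a ranked list for an analyst rather than an automatic block.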

If you have any questions, please contact our Security Operations Center.