COVID-19: Hackers Begin Exploiting Zoom’s Overnight Success to Spread Malware

Mar 30, 2020

As people increasingly work from home and online communication
platforms such as Zoom explode in popularity in the wake of
coronavirus outbreak, cybercriminals are taking advantage of the
spike in usage by registering new fake “Zoom” domains and malicious
“Zoom” executable files in an attempt to trick people into
downloading malware on their devices.

According to a report published by Check Point and shared with
The Hacker News, over 1,700 new “Zoom” domains have been registered
since the onset of the pandemic, with 25 percent of the domains
registered in the past seven days alone.

“We see a sharp rise in the number of ‘Zoom’ domains being
registered, especially in the last week,” said Omer Dembinsky,
Manager of Cyber Research at Check Point.

“The recent, staggering increase means that hackers have taken
notice of the work-from-home paradigm shift that COVID-19 has
forced, and they see it as an opportunity to deceive, lure, and
exploit. Each time you get a Zoom link or document messaged or
forwarded to you, I’d take an extra look to make sure it’s not a
trap.”

With over 74,000 customers and 13 million monthly active users,
Zoom is one of the most popular cloud-based enterprise
communication platforms that offers chat, video and audio
conferencing, and options to host webinars and virtual meetings
online.

The popularity of Zoom has shot up significantly in recent weeks
as millions of students, business people, and even government
employees across the world are forced to work and socialize from
home during coronavirus pandemic.

The report comes following a significant increase in the number of
malicious
coronavirus-related domains, with bad actors finding new ways to profit
off the global health concern to stage a variety of malware
attacks, phishing campaigns, and create scam sites and
malicious tracker apps.

What’s more, the researchers said they detected malicious files
with the name “zoom-us-zoom_##########.exe,” which when executed,
installed potentially unwanted programs (PUPs) such as InstallCore ^[4], a dodgy bundleware
application that’s known to install other kinds of malware.

But Zoom is not the only app to be targeted by cybercriminals.
With schools turning to online learning platforms to keep students
occupied, Check Point researchers said they also discovered
phishing sites masquerading as the legitimate Google
Classroom ^[5] (e.g.,
googloclassroom\.com and googieclassroom\.com) website to trick
unwitting users into downloading malware.

Zoom Fixes Privacy Issue in Its iOS App

Zoom, for its part, has had its share of privacy and security
issues too. Last year, the video conferencing app fixed a
vulnerability that could let websites hijack users’ webcam and
“forcibly” join them to a Zoom call without their permission.
Then earlier this January, the company squashed another bug that
could have allowed attackers to guess
a meeting ID and join an unprotected meeting, potentially
exposing private audio, video, and documents shared throughout the
session. Following the disclosure, Zoom introduced default
passwords for each meeting that participants need to enter when
joining by manually entering the meeting ID.

And finally, just over the weekend, Zoom updated its iOS
app ^[8] after it was caught
sending device information and a unique advertiser
identifier ^[9] to Facebook using the
social network’s software development kit (SDKs) and concerns were
raised over its failure to disclose data sharing in its privacy
policy.

Highlighting some of the privacy risks associated with using
Zoom’s products, The Electronic
Frontier Foundation ^[10] (EFF) said hosts of
Zoom calls can see if participants have the Zoom video window
active or not to track if they are paying attention. Administrators
can also see the IP address, location data, and device information
of each participant.

To safeguard
yourself ^[11] from such threats, it’s
essential that the apps are kept up-to-date, and be on the lookout
for emails from unknown senders and lookalike domains that contain
spelling errors.

Besides this, also don’t open unknown attachments or click on
links in the emails, the cure for Corona will not arrive via email
and also ensure ordering goods from an authentic source only.

^[1]^[2]^[3]^[6]^[7]

References

^{^}
malicious coronavirus-related
domains (thehackernews.com)
^{^}
new ways to profit off
(thehackernews.com)
^{^}
malware attacks
(thehackernews.com)
^{^}
InstallCore
(blog.malwarebytes.com)
^{^}
Google Classroom
(edu.google.com)
^{^}
fixed a vulnerability
(thehackernews.com)
^{^}
attackers to guess a meeting ID
(thehackernews.com)
^{^}
updated its iOS app
(blog.zoom.us)
^{^}
advertiser identifier
(www.vice.com)
^{^}
Electronic Frontier Foundation
(www.eff.org)
^{^}
safeguard yourself
(blog.checkpoint.com)

The Hacker News Headlines

Google Chrome’s New Feature Alerts Users About Auto-Removal of Malicious Extensions

Aug 18, 2023

The Hacker News Headlines

New Apple iOS 16 Exploit Enables Stealthy Cellular Access Under Fake Airplane Mode

Aug 18, 2023

The Hacker News Headlines

China-Linked Bronze Starlight Group Targeting Gambling Sector with Cobalt Strike Beacons

Aug 18, 2023

OWASP TOP !0

Injection. Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Broken Authentication. Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently. Sensitive Data Exposure. Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser. XML External Entities (XXE). Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks. Broken Access Control. Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc. Security Misconfiguration. Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion. Cross-Site Scripting XSS. XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. Insecure Deserialization. Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks. Using Components with Known Vulnerabilities. Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts. Insufficient Logging & Monitoring. Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.

COVID-19: Hackers Begin Exploiting Zoom’s Overnight Success to Spread Malware

Zoom Fixes Privacy Issue in Its iOS App

References

Related Post

Google Chrome’s New Feature Alerts Users About Auto-Removal of Malicious Extensions

New Apple iOS 16 Exploit Enables Stealthy Cellular Access Under Fake Airplane Mode

China-Linked Bronze Starlight Group Targeting Gambling Sector with Cobalt Strike Beacons

You missed

Protected: Rotary VI EAST

Protected: BetterCyberCareer Group

Protected: Benin Club 1931 – Official

Protected: Whatsapp AI Automation Group