Working from home? Hackers can drop malware with fake Zoom apps

There has been a drastic rise in phishing attempts against Zoom and now, hackers are using different techniques…

Due to the coronavirus (COVID-19) outbreak, institutions, corporations and even government offices around the globe have shut down physically and now depend on running things remotely. To do so, people are turning to video communication platforms to hold meetings, give lectures to a class of students and collaborate on anything else they can.

With this, however, comes an opportunity for the bad guys to exploit video communication tools, and according to a recent revelation by IT security researchers at Check Point, hackers have been doing exactly that at full speed.

Presenting their findings in a blog post published by the research firm today, the researchers describe various techniques that hackers have used, and in some cases still use, to attack unsuspecting users of video conferencing tools, Zoom in particular.

Firstly, it was discovered that an unauthorized person could join a Zoom meeting if the meeting organizer had disabled the option requiring a custom password to join it.

If that was the case, only the 9-11 digit meeting ID was required. These IDs could be generated automatically, with the program telling you which of them were valid and which were invalid, letting one make use of the former.

See: Vulnerability exposes Barco wireless presentation system to remote attacks

The researchers made the program do this by using a “div element present in the HTML Body of the returned response, when accessing the ‘Join Meeting’ URL ({MEETING_ID}).” Hence, as the researchers state:

We were able to predict ~4% of randomly generated Meeting IDs, which is a very high chance of success, compared to the pure brute force.

This vulnerability has since been patched thanks to timely disclosure by Check Point to the company. The measures implemented include:

1 – A lockout period after repeated failed attempts to join a meeting, in order to guard against brute-forcing.

2 – No result is shown automatically indicating whether a meeting ID is valid or not; “for each attempt, the page will load and attempt to join the meeting.”

3 – Passwords have been made compulsory for all “future scheduled meetings”, with an option to add them to existing ones.

Secondly, there has been a drastic rise in phishing attempts against Zoom, and hackers are now using different techniques to carry out malware attacks against Zoom users.

Since the start of 2020, 1700+ Zoom-related domains have reportedly been registered for typosquatting, 425 (25%) of them in the last week alone. Typosquatting, more commonly known as URL hijacking, is an attack in which fraudsters register fake domain names that are spoofed versions of the real domain being imitated.

For instance, in June last year, hackers stole more than $28 million in crypto using Google Adwords and spoofed domains. As for the ongoing attack, the researchers have also identified other domains being registered to imitate various platforms such as Google Classroom.

Examples of these include “googloclassroom\.com” and “googieclassroom\.com”, impersonating the real “” webpage.

Further, malicious executables have also been found acting as trojan horses. Examples include files named “zoom-us-zoom_##########.exe” and “Microsoft-teams_V#mu#D_##########.exe” (with # representing various digits), as detailed by the researchers.

Once the user proceeds with the installation, they are in reality paving the way for malware named InstallCore on their machine.

An example of the malicious executable during the installation process.
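An added defender-side example, not from the article or from Check Point's research: a small Python check that folds look-alike characters and measures edit distance to flag typosquats such as the two Google Classroom domains above, plus a regex match for the quoted trojan file-name patterns. The brand list, the confusables table and all sample inputs are constructed assumptions for this example.

```python
import re

# Constructed for this example: legitimate hosts the typosquats in the article
# imitate (host -> registrable label) and regexes for the two trojan file-name
# patterns the researchers quote ("#" stands for any digit).
LEGIT_HOSTS = {"zoom.us": "zoom", "googleclassroom.com": "googleclassroom"}
TROJAN_NAME_PATTERNS = [
    re.compile(r"^zoom-us-zoom_\d+\.exe$", re.IGNORECASE),
    re.compile(r"^Microsoft-teams_V\dmu\dD_\d+\.exe$", re.IGNORECASE),
]
# Visually confusable substitutions (partial, hypothetical list) folded before comparing.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l")]

def fold_confusables(label):
    for lookalike, canonical in CONFUSABLES:
        label = label.replace(lookalike, canonical)
    return label

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain):
    """Return ('legit' | 'typosquat' | 'unrelated', brand label or None)."""
    host = domain.lower().strip().rstrip(".")
    for legit, brand in LEGIT_HOSTS.items():
        if host == legit or host.endswith("." + legit):
            return "legit", brand
    parts = host.split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]  # naive: label left of the TLD
    folded = fold_confusables(label)
    for brand in LEGIT_HOSTS.values():
        # Tolerate more edits for long brands; short ones like "zoom" only match after folding
        allowed = int(len(brand) * 0.15)
        if levenshtein(folded, fold_confusables(brand)) <= allowed or brand in folded:
            return "typosquat", brand
    return "unrelated", None

def is_trojan_filename(filename):
    return any(p.match(filename.strip()) for p in TROJAN_NAME_PATTERNS)

if __name__ == "__main__":
    # Constructed sample observations, e.g. from DNS logs or a download history.
    for d in ["zoom.us", "googloclassroom.com", "googieclassroom.com", "zoom-us-download.com", "room.com"]:
        print(d, classify_domain(d))
    for f in ["zoom-us-zoom_1234567890.exe", "Microsoft-teams_V1mu2D_0987654321.exe", "ZoomInstaller.exe"]:
        print(f, is_trojan_filename(f))
```

The "brand embedded in a longer label" rule catches names like zoom-us-download.com but will also flag legitimate third-party sites that mention the brand, so in practice pair it with an allowlist.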

To conclude, staying safe from these attacks is fairly easy provided one observes some basic guidelines: double-check the domain name you enter into your browser's address bar, never download any file from an untrusted source (always go with the official website), and consult someone more knowledgeable when in doubt about a security issue.

If you are working from home and using a video conferencing tool, keep an eye out for malicious files disguised as legitimate ones. Earlier we saw a fake Coronavirus tracker app infecting devices with CovidLock ransomware, while a fake website was also found dropping malware disguised as WiseCleaner software.

Protect yourself from Coronavirus offline and from crooks online.
