Cybercriminals Spread Malware through Zoom Fake Domains

As more people start working from home in response to the coronavirus pandemic, Zoom’s video conferencing service is becoming increasingly popular. Cybercriminals have decided to take advantage of this situation and are now distributing malware through fake Zoom domains.

Fraudsters register fake “Zoom” domains and create similarly named malicious executable files in an attempt to get people to download malware onto their devices.

“Since the start of the pandemic, more than 1,700 fake Zoom domains have been registered, 25% of them in the last seven days alone”, said specialists from Check Point.

The experts found malicious files named “zoom-us-zoom_##########.exe” that install potentially unwanted programs at startup, such as InstallCore, a batch application that in turn installs other types of malware.
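The two indicators in this report (lookalike domains containing “zoom” and installers named after the “zoom-us-zoom_##########.exe” pattern) can be turned into a simple triage check. The following is an added example, not code from Check Point or from the original article; the allowlist of legitimate Zoom domains, the treatment of “#” as one or more digits, and the sample hostnames are all assumptions made for the example.

```python
import re
from typing import Iterable, List

# Assumption for this example: registrable domains considered legitimate for Zoom.
LEGIT_ZOOM_DOMAINS = {"zoom.us", "zoom.com"}

# Filename pattern from the report, "zoom-us-zoom_##########.exe"; the digit
# count is treated as variable here (assumption), matched case-insensitively.
ZOOM_INSTALLER_RE = re.compile(r"^zoom-us-zoom_\d+\.exe$", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (naive: ignores multi-label suffixes like co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_zoom_lookalike(host: str) -> bool:
    """Flag a hostname that mentions 'zoom' anywhere but is not under a legitimate Zoom domain.

    A real Zoom subdomain (e.g. us04web.zoom.us) is not flagged; a domain that merely
    embeds 'zoom' in a label, or puts 'zoom.us' in a subdomain, is."""
    host = host.lower().strip(".")
    if "zoom" not in host:
        return False
    return registrable_domain(host) not in LEGIT_ZOOM_DOMAINS


def flag_zoom_lookalikes(hosts: Iterable[str]) -> List[str]:
    """Return the subset of hosts that look like Zoom typosquats or impersonations."""
    return [h for h in hosts if is_zoom_lookalike(h)]


def is_suspicious_zoom_installer(filename: str) -> bool:
    """True if a filename follows the malicious installer naming pattern from the report."""
    return bool(ZOOM_INSTALLER_RE.match(filename.strip()))


# Constructed sample input; these are not real indicators.
SAMPLE_HOSTS = [
    "us04web.zoom.us",
    "zoom.us.example-login.test",
    "zoom-meeting-download.test",
    "zoomus.test",
    "example.com",
]

if __name__ == "__main__":
    for h in flag_zoom_lookalikes(SAMPLE_HOSTS):
        print("lookalike domain:", h)
    print("installer match:", is_suspicious_zoom_installer("zoom-us-zoom_1234567890.exe"))
```

The check is a heuristic for triaging newly registered domains or download logs: the allowlist should be fed from an authoritative source rather than hard-coded, and hits still need manual review since legitimate third parties may also mention Zoom in a hostname.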

Cybercriminals are exploiting the panic surrounding the pandemic by every available means: for example, Maze operators attacked a medical company that is testing a vaccine for COVID-19.

Zoom’s developers have also distinguished themselves by a careless attitude towards user privacy. Earlier it became known that the iOS version of Zoom sent analytics data about users to Facebook.

Specialists at the publication Motherboard analyzed the iOS version of Zoom and found something strange: the application sent analytics data about users to Facebook even if they were not registered on the social network.

Moreover, the data exchange took place without notifying Zoom users.

As the analysis of the application showed, once installed and opened on the device, it connected to the Facebook Graph API, the programming interface most often used by developers to send data to and receive data from Facebook. The application notified Facebook of each launch of Zoom and also reported the device model, the time zone and city from which the connection was made, the name of the carrier, and the unique advertising identifier generated by the mobile device, which companies use for targeted advertising.

“Zoom takes the privacy of its users very seriously. We implemented the authorization function via Facebook using the Facebook SDK in order to provide users with another convenient way to access the platform. However, we recently learned that the Facebook SDK collects optional data about the device. The data collected by the Facebook SDK does not include users’ personal information, but device data, such as the type and version of the mobile OS, time zone, device model and carrier, screen size, processor cores and disk space”, Zoom representatives said in a comment to Motherboard.

The developers promised to remove the Facebook SDK and reconfigure the feature so that users can continue to log in to Zoom through Facebook. Users will need to install the new version of the application themselves.

Recall that last summer, a vulnerability in the Zoom video conferencing platform endangered more than 4 million Mac owners. At the time, the developers of the video platform were in no hurry to fix the bugs until users pressed them through the media and social networks.

About Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
