Zoom has proven to be hugely popular during the COVID-19 pandemic. The teleconferencing platform has allowed businesses to keep in touch with their employees during lockdown and many consumers are using the platform to keep in touch with friends and family. The popularity of the platform has not been missed by cybercriminals who are now using a range of Zoom-themed lures to trick people into downloading malware.
Any software solution that has been widely adopted is an attractive target for cybercriminals. The large number of users of the platform mean there is a high likelihood of a Zoom phishing email reaching someone who has previously used the solution. In December, there were around 10 million Zoom users worldwide and by March 2020 that number had increased to more than 200 million.
According to research from Check Point, more than 2,449 domains have been registered in the past three weeks that contain the word Zoom, 320 (13%) of which were identified as suspicious and 32 (1.5%) were confirmed as malicious. Many of these domains are likely to be used in Zoom phishing scams.
The Zoom phishing emails mimic genuine notification messages from Zoom and contain hyperlinks that the user is asked to click. The lures mostly consist of fake meeting reminders and notifications about missed scheduled meetings. The hyperlinks used in the emails often include the word Zoom to make it appear that the user is being directed to a genuine Zoom website.
In April, a Zoom phishing campaign was identified that used fake meeting reminders to alert users that they are required to take part in a Zoom meeting with their HR department regarding the termination of their employment. The link supplied in the email directs the user to a spoofed Zoom website on an attacker-controlled domain where their credentials are harvested.
Another Zoom phishing campaign has been identified that uses the subject line “Zoom Account” with the emails welcoming the user to the Zoom platform. The emails include a link that the user is asked to click to login to activate their account. Doing so will result in Zoom credentials being stolen.
One of the most recent campaigns warns the recipient they have missed a meeting and must login to their account to obtain the recording. In this case, Zoom is spoofed but the attackers seek Microsoft credentials, which can be used to obtain a wealth of sensitive data. With those credentials the attackers can take full control of Office 365 email accounts, which are used to conduct further phishing attacks on the organization.
Zoom is not the only teleconferencing platform being spoofed to steal credentials and distribute malware. Campaigns have also been identified recently that spoof WebEx, Microsoft Teams, Google Meet, and other platforms.
Protecting against these Zoom phishing scams requires a combination of an advanced antispam solution such as SpamTitan and end user education to train employees how to recognize phishing emails.