Threat Advisory: Phishing Campaigns Using the Zoom Video Conferencing Platform
April 2, 2020
With the global situation around COVID-19 shifting organizations to remote work, the number of users utilizing audio/video conferencing tools has greatly increased.
Given this increase in usage, Zoom, a popular video conferencing platform, is being targeted for conference hijacking attacks and is being used as an infection vector for malware. Additionally, March 2020 saw a large increase in registrations of domains containing the name "Zoom", which attackers use as bait in phishing emails.
The malicious attachments used in these campaigns follow the "zoom-us-zoom_##########.exe" naming scheme. The attachments launch an installer that will attempt to install potentially unwanted apps and/or malicious payloads.
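As an added illustration (not part of the original advisory), the following Python triage routine applies the two indicators just described to an incoming email: attachment names following the "zoom-us-zoom_##########.exe" scheme, and links whose host mentions Zoom but is not the legitimate zoom.us domain. The allowlist of legitimate hosts (zoom.us only) and the sample email values are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Assumption for this example: zoom.us (and its subdomains) is the only
# legitimate Zoom web domain. Extend the tuple if your organization allows more.
LEGIT_ZOOM_DOMAINS = ("zoom.us",)

# The advisory's naming scheme "zoom-us-zoom_##########.exe": the hashes stand
# for a run of digits, matched here as \d+ so any length of digit run is caught.
ATTACHMENT_PATTERN = re.compile(r"^zoom-us-zoom_\d+\.exe$", re.IGNORECASE)


def is_legitimate_zoom_host(host):
    """True only for zoom.us itself or a subdomain of it (not 'notzoom.us')."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_ZOOM_DOMAINS)


def flag_attachment(filename):
    """True when the attachment name matches the Zoom installer lure scheme."""
    return bool(ATTACHMENT_PATTERN.match(filename.strip()))


def flag_link(display_text, href):
    """Return reasons a link looks like a Zoom lure; an empty list means clean."""
    reasons = []
    host = (urlparse(href).hostname or "").lower()
    # Look-alike domain: "zoom" appears in the host, but it is not zoom.us.
    if "zoom" in host and not is_legitimate_zoom_host(host):
        reasons.append("look-alike host " + host)
    # Displayed text claims zoom.us, but the real target (what hovering reveals)
    # is somewhere else entirely.
    if "zoom.us" in display_text.lower() and not is_legitimate_zoom_host(host):
        reasons.append("display text shows zoom.us but link targets " + host)
    return reasons


def triage_email(attachments, links):
    """attachments: list of filenames; links: list of (display_text, href).
    Returns a list of human-readable findings for an analyst or mail filter."""
    findings = []
    for name in attachments:
        if flag_attachment(name):
            findings.append("attachment %s matches Zoom installer lure pattern" % name)
    for text, href in links:
        for reason in flag_link(text, href):
            findings.append("link %s: %s" % (href, reason))
    return findings


# Constructed sample email for demonstration; no real indicators are used.
SAMPLE_ATTACHMENTS = ["zoom-us-zoom_3443501284.exe", "agenda.pdf"]
SAMPLE_LINKS = [("https://zoom.us/j/12345", "https://zoom-us-meeting.example/join"),
                ("Join now", "https://us02web.zoom.us/j/1")]
```

Running `triage_email(SAMPLE_ATTACHMENTS, SAMPLE_LINKS)` on the constructed sample reports the lure attachment and two problems with the first link, and nothing for the genuine zoom.us invite.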
Although Zoom has released a patch in January for a vulnerability that made it possible for attackers to find and join unprotected meetings, Herjavec Group is recommending the following additional best practices as security measures for organizations relying on Zoom:
- Require encryption for H.323 and SIP endpoints. Zoom's control panel has a setting that, once enabled, requires all endpoints to use encryption.
- If this setting is not enabled, Zoom's default settings 'prefer' encryption but do not require it for audio.
- Check that you are on a legitimate Zoom site; many scam and look-alike sites impersonate it.
- Make sure you are accepting a real Zoom invite and not clicking through a phishing email: hover over links to see where they actually lead.
- Change the default privacy settings to "Host Only" so that you control the meeting.
- Do not share your Zoom info on social media.
- Use the password option on all Zoom meetings to protect any corporate or sensitive information.
- If possible, consider using a platform that leverages corporate accounts and multi-factor authentication (MFA); such a platform has a more secure design overall and is governed by the corporate Active Directory.
Herjavec Group recently published a Threat Advisory on how organizations can mitigate cyber attacks that leverage the Coronavirus pandemic, including a summary of IOCs for known malware families and domains specific to COVID-19.
For more information on how Herjavec Group can help your organization with an emergency preparedness plan, or secure remote access solutions, please connect with us.