The surging popularity of Zoom video conferencing during the COVID-19 epidemic is compelling internet registrars to make available scores of Zoom-related domains, some of which are being scooped up by malicious actors, researchers from ZeroFox and its Alpha Team reported today.
According to a company blog post, Alpha Team members know of roughly 5,343 Zoom-related domains that were newly registered by various parties. in March 2020. Then from April 1 - 4, an additional 10,000 Zoom domains were registered in just a four-day span.
ZeroFox sampled 1,700 of the new domains and found that four percent of them contained suspicious characteristics or malware. Despite the low percentage, the researchers believe a larger share may turn malicious in the future. None of the studied domains was owned by Zoom itself.
"This is the same problem that COVID-19/coronavirus themed domains posed upon the community: registrars use news and search interest keywords to preregister domains as a user experience," said Zack Allen, director of threat operations," in an interview with SC Media. "Arguably, these parked and pre-registered domains do more harm than good, mostly because they contribute to the 'fog of war' of coronavirus and misinformation."
Site visitors who wind up on malicious Zoom-themed domains can be tricked into downloading cryptocurrency miners, remote access trojans, and adware bundles, the report warns. One domain found by Zoom was found to deliver InstallCore, a potentially unwanted program that can "drop secondary payloads, disable User Access Control (UAC), add files to be launched on startup, install browser extensions, and alter browsers’ configuration and settings," ZeroFOX states.
Alpha Team even found entire websites that specifically dedicated toward sharing and selling Zoom IDs. One such website advertises what is essentially Zoom-spamming service called ClassCode. The website encourages students to share their school classroom Zoom codes or use already shared codes to randomly join an e-learning session. "It's all about just having fun!" the website states.
Noting that Zoom session hijackings remains a threat, ZeroFOX reported that Alpha Team found roughly 16,200 websites at risk of a "Zoom bombing" attack because they contain a public invite link for Zoom meetings. Educational institutions (both higher learning and K-12) were significant offerers. "Attackers can use these URLs to directly connect to meetings, and if insecure, they can interact in the chat, display video or share their screen," the report states.
ZeroFOX said some dark web forums have actually banned the discussion of Zoom bombing in order to avoid drawing unwanted attention. For that reason, cybercriminals has shifted the discussion to chat app Discord, the report explains.
Additionally, Alpha Team reported that cybercriminals have been observed selling compromised Zoom account credentials that were likely discovered via credential stuffing attacks. ZeroFOX found more than 4,000 cracked accounts on one hacker forum, and information on roughly 3,600 more Zoom accounts across various dark web forums, with some offering such information as usernames, passwords, and meeting IDs and passwords.
"Across these accounts, 413 unique domains were identified across 39 industries," said ZeroFOX. The vast majority of these email domains correspond to the education industry. The telecom and financial sectors were the next most affected.
Just this week, BleepingComputer reported -- citing details gleaned from cyber intelligence firm Cyble -- that more than 500,000 Zoom accounts are currently being sold on the dark web and cybercriminal forums for less than a penny, or even just given away for free. The rightful owners of these accounts reportedly include financial companies such as Chase and Citibank, as well as educational institutions including the University of Vermont, the University of Colorado, Dartmouth, Lafayette and the University of Florida.