The increased video conferencing activity due to COVID-19 has given cybercriminals the opportunity to use typosquatting and URL hijacking by imitating many of the top conferencing platforms.
Popular video conferencing applications such as Zoom, Teams and Google are seeing their names used by malicious actors to create newly registered fake domains with Zoom seemingly being singled out at this time. Since January 1 the security firm has seen about 1,700 new domains registered using the word “zoom” in some fashion with 25 percent of these new registrations happing in the last seven days.
Cyber gangs have also noted and are taking advantage of the increase in online learning with K-12 and universities opting to continue teaching remotely. This has resulted in domains using Google Classroom in some manner being created replacing googleclassroom.com with googloclassroom.com and googieclassroom.com.
Omer Dembinskey, Check Point’s manager of threat intelligence said the fake domains fall in to three categories. Those known to be malicious those that at least for the moment, benign and URLs that are legitimate and just happen to have the word “zoom” in their name.
The malicious domains can be used for any number of attacks. Two specific variety’s sees so far by Check Point are fake Google Classroom, Microsoft Teams URLs and some of those using zoom were being used to spread the InstallCore PUA.
Dembinskey also believes many of the names are simply being registered by opportunistic people who intend to later sell them to the highest bidder. Although at this time it cannot be said for certain whether these would then be used for nefarious purposes.
Morten Brøgger, CEO of the online video collaboration site Wire, said his app has not suffered any URL hijacking or typosquatting attacks due to the built-in precautions he feels secures the site. Those that have been victimized left themselves open to attack by either using an unsecured or unproven platform or are operating on an unsecure network. The last item is particularly true of those who have recently found themselves a work from home employee.
“Wire’s platform only allows users to receive messages from people that they have added to their in-app network (and each user is given key fingerprints as a method of authentication). In fact, all video conferencing, audio calls and messages are done entirely on the Wire platform without the use of links or email invites, which prevents unknown users from joining and disrupting meetings,” he said adding, “Therefore, users that receive random email messages inviting them to a Wire call can immediately identify them as a phishing scam."