Cybercriminals are feeding the false ‘Zoom is malware’ narrative
During March 2020 alone, it has been reported that daily traffic to the Zoom.us download page has increased by 535%. That’s quite a statistic, as is the fact that in the same month there were more than 200 million daily Zoom meeting participants. A less positive Zoom-related number from March has been dropped into my inbox though: according to threat research analysts at Webroot, malicious files with “zoom” in their name jumped by 2,000% from the previous month.
Zoom has come in for a lot of media attention since the COVID-19 pandemic sparked a surge in working from home and a corresponding surge in usage of the video conferencing tool. Some of the most balanced and genuine reporting has been by my colleague and friend, Kate O’Flaherty, who has covered Zoom privacy and security issues in depth. Unfortunately, there has also been a lot of reporting that has been genuinely misguided and some that is best described as almost hysterical. I have seen Zoom referred to as being malware on numerous occasions, for example. Here’s the thing: Zoom is not malware, but hackers are feeding that delusion by exploiting its popularity. And how. Between February and March, Webroot saw an increase above 2,000% when it comes to malicious files with zoom in the name.
No surprises as cybercriminals exploit popular trends, even during a pandemic
“It’s not surprising to see this trend,” Marcus Moreno, manager of threat research at Webroot, said. “As with any major current event, malicious actors observe this as a lure opportunity.” Indeed, Moreno went on to add that he expects “to see this trend continue not only for Zoom but also for any other platform or site that has seen an increase of traffic or use as a result of this pandemic.” Indeed, Webroot threat research analyst Connor Madsen has reported that “adware variants have been found spoofing Microsoft’s Teams video conferencing while performing malicious activities in the background,” for example.
None of which, sadly, should come as a shock to anyone. Despite promises made by cybercriminals to steer clear of healthcare and medical targets, there has been no such cyber-ceasefire. The FBI has warned of a significant spike in COVID-19 scams, a medical facility on standby to test COVID-19 vaccines has been hit by a cyber-attack and “elite hackers” are thought to be behind another attack on the World Health Organization.
COVID-19 cyber intelligence updates reveal thousands of ‘Zoom’ phishing domains
From the more extreme end of the cybercrime spectrum that these examples reflect, through to a malicious Zoom installer being bundled with a cryptocurrency miner, the dregs of society will always look to exploit a trend to their advantage. The total lack of any moral compass means that we end up where we are now, with thousands of people dying from this terrible virus and cybercriminals not only deciding it is business as usual but using the ongoing crisis to maximize their illicit profit.
Cyjax is a security company that has been publishing regular COVID-19 cyber situation intelligence update briefings as part of the CV19 cybersecurity volunteer response to help healthcare organizations. In the latest weekly brief, which I have had eyes upon, Cyjax warns “over 3,300 new domains with the word ‘Zoom’ in them have been registered since the start of the coronavirus pandemic.” Of those, some 2,000 have been identified as phishing domains. Cyjax also describes how an automated Zoom meeting discovery tool, known as zWarDial, provides threat actors with “the ability to find non-password protected Zoom meetings.”
Ian Thornton-Trump, the CISO at Cyjax, says he is not surprised to see tons of phishing and domains set up to do everything from stealing credentials to landing malware via exploit kits. “Anytime a company hits the headlines, with good PR or bad, it’s a ripe opportunity for cybercriminals to set up campaigns,” Thornton-Trump says, “especially with recent stories trending globally about the security of Zoom and some ridiculous don’t use zoom decisions from the uninformed and the ignorant.”
Let’s say it again: Zoom is not malware
Zoom, for its part, has been listening to what the cybersecurity community has been saying and responding to the undoubted privacy and security challenges that such unprecedented, and high-profile, growth brings with it. Recent announcements have added better meeting controls, removed meeting IDs from the title toolbar display and stalled feature development so that the focus can be put fully onto security.