Coronavirus: Warning over surge in Zoom security incidents

Cyber criminals are targeting users of popular video conferencing application Zoom as millions of office workers turn to collaboration tools to keep in touch with each other during the Covid-19 coronavirus pandemic.

Check Point’s threat research team said it has seen a steady rise in new Zoom domains, with 1,700 created since January, but this has ramped up in the past few days, with 425 new domains registered in the past seven days alone.

Out of these, 70 have now been identified as fake sites, which are impersonating genuine Zoom domains with the intention of capturing and stealing personal information. The numbers reinforce a trend for cyber criminals to take advantage of home working via Zoom, which is used by over 60% of the Fortune 500, and has been downloaded more than 50 million times from the Google Play app store.

“We have seen a sharp rise in the number of Zoom domains being registered, especially in the last week,” said Omer Dembinsky, manager of cyber research at Check Point.

“This increase means that hackers have taken notice of the work-from-home paradigm shift that Covid-19 has forced, and are seeing it as an opportunity to deceive, lure and exploit people.

“Each time you get a Zoom link or document messaged or forwarded to you, we recommend double-checking to make sure it’s not a trap.”

Check Point has made a number of recommendations to help people guard against Zoom phishing attempts.

Taking into account that 90% of cyber attacks start with a phishing campaign, much of this guidance boils down to adhering to basic security hygiene. This includes being cautious with emails and files from unknown senders, never opening unknown attachments or links claiming to be Zoom links in emails, keeping an eye out for spelling errors in URLs and emails that are usually a giveaway, and being suspicious of everything unexpected.

Toni Vitale, head of data protection at JMW Solicitors, said there were multiple other privacy concerns with Zoom, particularly related to default privacy settings.

For example, he said, meeting hosts can monitor the activities of attendees, alerting them if somebody navigates away from the Zoom video window, and other features that let administrators check in on their colleagues and access and view meetings that they were not present for, are open to abuse.

“There is even already a new phenomenon and a new buzzword has been coined to describe it – ‘zoombombing’,” said Vitale.

“If the zoom reference number is shared on social media and the host fails to set screen-sharing to ‘host only’, this can allow uninvited guests to screen-share pornography or other disturbing imagery. Meeting hosts should also disable ‘file transfer’ to prevent any malware being shared.

“Like any technology, Zoom can be a useful tool, but privacy and IT security should not be put to one side for the sake of ease of use.”

In January 2020, Check Point’s research and innovation manager, Alexander Chailytko, published details of an attack that – if the meeting host had failed to enable Zoom’s meeting password or waiting room screening options – could have allowed a threat actor to identify and join Zoom meetings by randomly generating nine, 10 or 11-digit Zoom meeting IDs.

Chailytko found it was possible to randomly predict Zoom meeting IDs correctly around 4% of the time.

As a result of this disclosure, Zoom has now added password by default to all future scheduled meetings; made password settings enforceable at the account level and group level by account admins; removed a feature that automatically indicates if a meeting ID is valid or invalid; and added a feature to block repeated attempts to scan for meeting IDs.