Over 1,700 ZOOM phishing web domains registered during last week

One of the main measures to limit the spread of coronavirus/COVID-19 has been so-called “social distancing”, so millions of people have resorted to remote work tools, according to specialists from an information security organization.

One of the most commonly used tools for this is video conferencing platforms, whose popularity has increased markedly over the past few weeks. This situation has a downside: cybercriminals have begun to take advantage of the growing interest in these services to register phishing domains.

A recent report by specialists from the information security organization Check Point details a new technique employed by threat actors that could have granted them access to active Zoom sessions.

In the report, specialists say that, over the past few days, registrations of domains that include the term “ZOOM”, the name of one of the most widely used video conferencing platforms worldwide, have increased significantly.

Experts from an information security organization say that, since January 2020, almost 1,800 new web domains have been registered, more than 500 of them over the past week. According to the report, about 4% of these domains have suspicious characteristics. In addition to Zoom, threat actors have also been registering domains that imitate other popular online platforms, such as classroom.google.com.

Some of the sites identified as malicious contain a file that, when executed, leads to the installation of the InstallCore PUA iframe on the victim’s computer, in order to install additional malware.

Multiple private companies, government institutions and academic organizations will need to operate remotely indefinitely, so some security measures need to be implemented around the use of remote work platforms. The International Institute of Cyber Security (IICS) therefore presents some basic recommendations to secure work during the home office period.

  • Beware of emails and attachments sent by unknown users
  • Do not open any attached files or links contained in a suspicious email
  • Try to identify domains with names similar to legitimate ones. Threat actors often use spelling errors to register malicious domains
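As an added illustration of the third recommendation (this is example code written for this page, not part of the original article or of the Check Point report), the following Python script takes a list of newly registered domain names and flags the ones that imitate a legitimate brand: a brand name with characters swapped for look-alike digits, a brand name one typo away, a brand name embedded in a longer label, or a brand name used as a subdomain of an unrelated domain. The brand watch list, the confusable-character table and the sample domain names are constructed assumptions for the demonstration.

```python
# Added example: flag newly registered domains that imitate a brand name.
# The watch list, confusable table and sample feed are constructed for this demo.

# Legitimate registrable labels to protect (assumed watch list)
BRANDS = {"zoom", "google", "classroom"}

# Digit/letter substitutions commonly seen in look-alike names (assumed table)
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

# Constructed sample of "newly registered" domains, mixing benign and suspicious ones
SAMPLE_DOMAINS = [
    "zoom.us",                               # the genuine domain: not flagged
    "zo0m.com",                              # digit 0 standing in for the letter o
    "zoon.com",                              # one edit away from the brand
    "zoom-meeting-login.com",                # brand embedded in a longer label
    "classroom.google.com.login-verify.net", # brand used as a subdomain of another domain
    "example.com",                           # unrelated: not flagged
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_labels(domain: str) -> list:
    """Split a host name into lowercase DNS labels, ignoring a trailing dot."""
    return domain.lower().rstrip(".").split(".")


def registrable_label(domain: str) -> str:
    """Second-to-last label, e.g. 'example' for 'www.example.com'.
    This is a simplification: production code should use the Public Suffix List
    so that names under suffixes like 'co.uk' are handled correctly."""
    labels = host_labels(domain)
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(domain: str, brands=BRANDS):
    """Return a reason string if the domain looks like a brand imitation, else None."""
    labels = host_labels(domain)
    label = registrable_label(domain)
    if label in brands:
        return None  # the brand's own registrable label
    # 1. Confusable substitution or a single typo in the registrable label
    normalized = label.translate(CONFUSABLES)
    if any(levenshtein(normalized, b) <= 1 for b in brands):
        return "typo"
    # 2. Brand name embedded in a longer registrable label ("zoom-meeting-login")
    if any(b in label for b in brands):
        return "keyword"
    # 3. Brand name used as a subdomain of an unrelated registrable domain
    if any(sub in brands for sub in labels[:-2]):
        return "brand-in-subdomain"
    return None


def scan(domains):
    """Return [(domain, reason)] for every domain that classify() flags."""
    return [(d, r) for d in domains for r in [classify(d)] if r is not None]


if __name__ == "__main__":
    for domain, reason in scan(SAMPLE_DOMAINS):
        print(f"{reason:<20} {domain}")
```

The edit-distance test deliberately tolerates only one change, because a wider threshold flags many legitimate short names (a three-letter label is already within one edit of "zoom"); in practice the output of a script like this is a triage list for a blocklist or an alert, not an automatic verdict.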

The contingency will continue indefinitely, so users are advised to adhere to these recommendations.