Cybercriminals targeting Zoom, Google and Teams domains

The increased video conferencing activity due to COVID-19 has given cybercriminals the opportunity to use typosquatting and URL hijacking by imitating many of the top conferencing platforms.

Popular video conferencing
applications such as Zoom, Teams and Google are seeing their names used by
malicious actors to create newly registered fake domains with Zoom seemingly
being singled out at this time. Since January 1 the security firm has seen about
1,700 new domains registered using the word “zoom” in some fashion with 25
percent of these new registrations happing in the last seven days.

Cyber gangs have also noted and
are taking advantage of the increase in online learning with K-12 and
universities opting to continue teaching remotely. This has resulted in domains
using Google Classroom in some manner being created replacing
googleclassroom.com with googloclassroom.com and googieclassroom.com.

Omer Dembinskey, Check Point’s manager
of threat intelligence said the fake domains fall in to three categories. Those
known to be malicious those that at least for the moment, benign and URLs that are
legitimate and just happen to have the word “zoom” in their name.

The malicious domains can be used
for any number of attacks. Two specific variety’s sees so far by Check Point are
fake Google Classroom, Microsoft Teams URLs and some of those using zoom were
being used to spread the InstallCore PUA.

Dembinskey also believes many of the names are simply being registered by opportunistic people who intend to later sell them to the highest bidder. Although at this time it cannot be said for certain whether these would then be used for nefarious purposes.

Morten Brøgger, CEO of the online
video collaboration site Wire, said his app has not suffered any URL hijacking
or typosquatting attacks due to the built-in precautions he feels secures the
site. Those that have been victimized left themselves open to attack by either
using an unsecured or unproven platform or are operating on an unsecure network.
The last item is particularly true of those who have recently found themselves a
work from home employee.

“Wire’s platform only allows users to receive messages from people that they have added to their in-app network (and each user is given key fingerprints as a method of authentication). In fact, all video conferencing, audio calls and messages are done entirely on the Wire platform without the use of links or email invites, which prevents unknown users from joining and disrupting meetings,” he said adding, “Therefore, users that receive random email messages inviting them to a Wire call can immediately identify them as a phishing scam.”