Think twice before downloading Zoom online: several fake sites have appeared claiming to offer free downloads of the popular video conferencing software, only to trick people into downloading malware instead.
Cybersecurity experts are sounding the alarm over these scam Zoom websites, all of which deliver the same malware, an information stealer called “Vidar Stealer”.
Vidar Stealer is designed to harvest information from the devices it is installed on, handing attackers everything from bank account credentials and saved passwords to cryptocurrency wallet data. Here’s what we know.
Fake Zoom websites look like the real deal
The report was published by cybersecurity firm Cyble’s Research and Intelligence Lab (CRIL).
A tweet from an internet fraud watchdog listed the URLs of six different but similar malicious websites, and that tweet sparked the CRIL investigation. It goes without saying, but please don’t visit these URLs:
Malware @Zoom downloads 🤖
PDRhttps://t.co/7NJ4fEJ9Su@ULTRAFRAUD @malwhunterteam @JAMESWT_MHT @illegalFawn @nullcookies @AlvieriD @BumbledBubble @ActorExpose pic.twitter.com/JYq2UJEMQ7
— idclickthat (@idclickthat) September 12, 2022
The fake websites are designed to replicate the homepage of the Zoom software, with the same design, colors and the user-friendly orange “Sign up, it’s free” button to encourage new users. And since Zoom’s official URL – https://zoom.us – uses a “.us” domain rather than the more common “.com”, the real address already looks a bit unusual, which means the fake URLs don’t stand out as much as they otherwise would.
Any user who lands on one of these fake websites while trying to download Zoom will see nothing wrong unless they look closely at the URL. One click later, it is too late.
Victims will still download Zoom, but they will also receive malware
Once the downloaded file is executed, the researchers found, it drops two files: ZOOMIN~1.EXE and Decoder.exe.
“Decoder.exe is a malicious .NET binary that injects malicious stealer code into MSBuild.exe. Microsoft Build Engine (MSBuild) is a platform used to build applications. ZOOMIN~1.EXE is a clean file that launches the legitimate Zoom installer.”
In other words, victims won’t realize that they have been tricked, because they still get the software they wanted. Meanwhile the stealer runs inside a legitimate, signed Microsoft process, which helps it go undetected while it siphons off personal data.
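Because the stealer code runs inside MSBuild.exe, the tell is not the file on disk but the build engine behaving in ways a build never does: being started by an installer out of a user’s Temp or Downloads folder, and opening outbound network connections. The following is an added example of that detection logic, not code from the CRIL report or from this article; the events are constructed to mimic Sysmon ProcessCreate (ID 1) and NetworkConnect (ID 3) records, and every path, PID and IP address in them is invented.

```python
"""Flag MSBuild.exe abuse of the kind used by the Vidar loader (added example).

Two rules are applied over Sysmon-style events:
  1. MSBuild.exe started from a user-writable directory by something that is
     not part of a development toolchain.
  2. MSBuild.exe making an outbound connection to a host that is not an
     allow-listed package feed (a plain build has no reason to talk to the
     internet; NuGet restore is the usual benign exception).
"""
import ntpath

# Directories a legitimate build is never launched from (lower-case, with separators).
SUSPICIOUS_PARENT_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")

# Parents that commonly and legitimately spawn MSBuild.exe.
BENIGN_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "vbcscompiler.exe"}

# Hosts MSBuild may legitimately reach, e.g. an internal NuGet mirror (constructed value).
ALLOWED_DESTINATIONS = {"10.0.0.5"}

# Constructed sample telemetry: one injected MSBuild (pid 4120), one real build (pid 5008),
# and the clean ZOOMIN~1.EXE launch that should NOT fire either rule.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\Decoder.exe"},
    {"EventID": 3, "ProcessId": 4120,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": 443},
    {"EventID": 1, "ProcessId": 5008,
     "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"EventID": 1, "ProcessId": 5100,
     "Image": r"C:\Users\alice\AppData\Local\Temp\ZOOMIN~1.EXE",
     "ParentImage": r"C:\Users\alice\Downloads\Zoom.exe"},
]


def _name(path):
    """Case-insensitive file name of a Windows path."""
    return ntpath.basename(path).lower()


def _is_msbuild(event):
    return _name(event["Image"]) == "msbuild.exe"


def check_process_create(event):
    """Rule 1: MSBuild.exe spawned from a user-writable directory by a non-toolchain parent."""
    if event.get("EventID") != 1 or not _is_msbuild(event):
        return None
    parent = event["ParentImage"]
    if _name(parent) in BENIGN_PARENTS:
        return None
    parent_dir = ntpath.dirname(parent).lower() + "\\"
    if any(d in parent_dir for d in SUSPICIOUS_PARENT_DIRS):
        return f"msbuild_spawned_from_user_writable_dir pid={event['ProcessId']} parent={parent}"
    return None


def check_network_connect(event):
    """Rule 2: MSBuild.exe talking to anything outside the package-feed allow-list."""
    if event.get("EventID") != 3 or not _is_msbuild(event):
        return None
    dest = event["DestinationIp"]
    if dest in ALLOWED_DESTINATIONS:
        return None
    return f"msbuild_outbound_connection pid={event['ProcessId']} dest={dest}:{event['DestinationPort']}"


RULES = (check_process_create, check_network_connect)


def analyze(events):
    """Run every rule over every event and return the alert strings, in event order."""
    alerts = []
    for event in events:
        for rule in RULES:
            hit = rule(event)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

On real telemetry both rules fire for the same PID within seconds of each other, which is a far stronger signal than either alone; the allow-list for rule 2 needs to hold your actual package feeds, otherwise every `nuget restore` on a developer machine becomes an alert.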
How to stay safe online
Luckily, it’s relatively easy to stay safe from this scam: don’t download Zoom unless you’re sure it’s coming from the official site, https://zoom.us. Or, as CRIL puts it, verify “source legitimacy before downloading executables.”
Still, it’s surprisingly easy to fall for these tricks, and ironically, the people most at risk of being tricked are those most convinced they’re safe.
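“Look closely at the URL” is easier said than done, because the tricks these sites rely on (lookalike domains, the real name tucked into a subdomain or path, a `user@` prefix, non-Latin characters that render like Latin ones) all survive a casual glance. The check below, an added example written for this article rather than anything from CRIL or Zoom, encodes the rule from the previous two sections as code: only an https URL whose host is exactly zoom.us or a subdomain of it counts as official. The rejected URLs in the test cases are constructed (the `.example` top-level domain is reserved for exactly that) and are not the sites from the tweet.

```python
"""Classify a Zoom download URL as official or as one of the common spoofs (added example)."""
from urllib.parse import urlsplit

OFFICIAL_HOST = "zoom.us"  # Zoom's real domain, as noted in the article


def classify_download_url(url):
    """Return "ok" for an official Zoom URL, otherwise "reject:<reason>".

    Rejections, in the order they are checked:
      not_https       - plain http, or something that is not a URL at all
      no_host         - nothing parses as a host name
      idn_host        - non-ASCII or punycode host (homograph attacks such as a
                        Cyrillic 'о' in "zооm.us" look identical on screen)
      lookalike_host  - host is not zoom.us but is built around the word "zoom"
                        ("zoom-us.example", "zoom.us.evil.example", "z00m.us")
      unknown_host    - anything else, including "https://zoom.us@evil.example/"
                        where the real host is evil.example and zoom.us is userinfo
    """
    parts = urlsplit(url.strip())
    # urlsplit already lower-cases the host and strips any port or userinfo.
    host = parts.hostname or ""

    if parts.scheme != "https":
        return "reject:not_https"
    if not host:
        return "reject:no_host"
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return "reject:idn_host"
    if host == OFFICIAL_HOST or host.endswith("." + OFFICIAL_HOST):
        return "ok"

    # Normalise the usual substitutions before looking for the brand name.
    simplified = host.replace("-", "").replace("0", "o")
    if "zoom" in simplified:
        return "reject:lookalike_host"
    return "reject:unknown_host"


def is_official_zoom_url(url):
    return classify_download_url(url) == "ok"


if __name__ == "__main__":
    for candidate in (
        "https://zoom.us/download",
        "https://www.zoom.us/download",
        "http://zoom.us/download",
        "https://zoom.us.evil.example/download",
        "https://zoom.us@evil.example/download",
        "https://z00m.us/download",
        "https://z\u043e\u043em.us/download",  # Cyrillic о, looks like "zoom.us"
    ):
        print(f"{classify_download_url(candidate):24} {candidate}")
```

The same host test works for any vendor: swap `OFFICIAL_HOST` and the brand string in `simplified`. What it deliberately does not do is trust anything in the path or the page title, which is where these fake sites put the convincing material.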
If you are a business owner trying to harden the security of all corporate devices used by your remote or hybrid workforce, we recommend good remote access software, which may include features that limit what users can download.
Antivirus software helps too, and a password manager keeps credentials out of the browser’s own password store, which is the first thing a stealer like Vidar goes after; it is not a substitute for keeping the malware off the device in the first place. Just be sure to check which URL you are downloading these tools from – malware disguised as downloadable security software is another common scam.