Think twice before downloading Zoom online: Multiple fake sites are popping up claiming to offer free downloads of the popular video conferencing software, only to trick people into downloading malware instead.
Cybersecurity experts are ringing the warning bell on these fraudulent Zoom websites, all of which use the same malicious software, called “Vidar Stealer.”
Vidar Stealer is designed to steal information off the devices it's downloaded to, giving bad actors a backdoor into accessing anything from bank account logins to passwords or crypto-wallets. Here's what we know.
Fake Zoom Websites Look Like the Real Deal
The report is out from the cybersecurity firm Cyble's Research and Intelligence Lab (CRIL).
A tweet from an internet fraud watchdog listed the URLs of six different but similar malicious websites, and it's what first kicked off the CRIL investigation. This might go without saying, but please don't visit those URLs:
Malware @Zoom downloads 🤖
PDRhttps://t.co/7NJ4fEJ9Su@ULTRAFRAUD @malwrhunterteam @JAMESWT_MHT @illegalFawn @nullcookies @AlvieriD @BumbledBubble @ActorExpose pic.twitter.com/JYq2UJEMQ7
— idclickthat (@idclickthat) September 12, 2022
The fake websites are designed to replicate the Zoom software's home page, complete with the same designs, colors, and friendly orange “Sign up, it's free” button to encourage new users. And since the official Zoom URL — https://zoom.us — uses a “.us” domain rather than the more common “.com,” it's already slightly unusual, meaning that the fake URLs don't stand out quite as much.
Any users who stumble on one of these fake websites while trying to download Zoom won't see anything out of place if they don't look too closely at the URL. But one click later, it'll be too late.
Victims Will Still Download Zoom — But They'll Also Get Malware
Once executed, researchers found, two files are downloaded: ZOOMIN~1.EXE and Decoder.exe.
“Decoder.exe is a malicious .NET binary that injects the malicious stealer code into MSBuild.exe. Microsoft Build Engine (MSBuild) is a platform used to build applications. ZOOMIN~1.EXE is a clean file that launches the legitimate Zoom installer.”
In other words, the victims won't realize they've been tricked, because they'll actually still get the software they wanted. Meanwhile, the malware will go undetected, siphoning off personal data.
How to Stay Safe Online
Luckily, staying safe from this scam is relatively easy: Don't download Zoom unless you're positive it's from the official website. Or as CRIL puts it, identify “the legitimacy of the source before downloading any executables.”
Still, these tricks are surprisingly easy to fall for, and ironically the people most at risk for getting tricked are the ones who are the most confident that they're safe.
If you're a business manager trying to shore up security across all company devices used by your remote or hybrid workforce, we'd recommend a good remote access software, which may include features that limit downloads.
Antivirus software is great as well, and a password management tool can keep sensitive company logins secure even a device is compromised. Just make sure you double check which URL you're downloading them from — malware disguised as downloadable security tools is another common hacker scam.