A Highly Dangerous Zoom #Phishing Email Is Making The Rounds
Since the start of the pandemic, Zoom has exploded in popularity as a means to communicate. But threat actors are latching onto that to advance their goals. Take this email for example:

It looks well crafted and seems like something that could come from Zoom. But look closer and you’ll see that it isn’t from Zoom. Starting with this:

This isn’t a Zoom email address as Zoom uses zoom.us as their domain. So right out of the gate, this is a red flag. Now I will say that unlike most phishing scams that I come across, the English in this email is decent. I guess threat actors are finally learning that their English needs to be on point if they have any hope of scamming someone. But what hasn’t changed is a call to action to get you to do what they want. Specifically this:
Please take note that your account will continue to be inactive until you install the security app. We’re sorry for any inconvenience this may cause.
If you think that you can’t use Zoom until you install this “Security App”, then you’re more likely to click on “Install Security App”. Which, by the way, you should not click on. But because I am a trained professional, I did. And here’s what I got:

Now I have to admit that the threat actors spent a lot of time and effort making this look just like something that Zoom would do. But a closer look shows that this isn’t a Zoom web page:

Again, Zoom’s domain for web and email is Zoom.us. Thus this is another red flag. And to reinforce the fact that they want you to do what the threat actors want, there’s this:

This makes me think that this scam is aimed at companies who use Zoom rather than individuals as those are all features that companies use. Also, you’ll notice that the quality of the English falls apart here.
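The two red flags called out above (a sender address that isn't on zoom.us, and a landing page that isn't on zoom.us) can be turned into a simple automated check. The following is an added example written for this post, not code from Zoom or from the original article. It extracts the sender's domain from a `From:` header and the hosts of every link in the body, then flags anything whose registrable domain is not `zoom.us`. The sample message is constructed for the demonstration; the `zoom-support.example` and `zoom.us.example` names are made-up lookalikes, not addresses from the real email.

```python
import re
from urllib.parse import urlparse

# The legitimate Zoom domain for both web and email, as noted in the post.
TRUSTED_DOMAIN = "zoom.us"


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'us04web.zoom.us' -> 'zoom.us'.

    Deliberately naive: it assumes a one-label public suffix (.us, .com).
    For multi-part suffixes like .co.uk use the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_trusted_host(host: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True only when the host's registrable domain is exactly the trusted one.

    This rejects lookalikes such as 'zoom.us.example' or 'zoom-support.example',
    whose registrable domains are 'us.example' and 'zoom-support.example'.
    """
    return registrable_domain(host) == trusted


def sender_domain(from_header: str) -> str:
    """Pull the domain out of a From: header such as '"Zoom" <x@y.example>'."""
    match = re.search(r"<([^>]+)>", from_header)
    address = match.group(1) if match else from_header.strip()
    return address.rsplit("@", 1)[-1].strip().lower()


def check_message(from_header: str, body: str) -> list:
    """Return a list of human-readable findings; an empty list means no red flags."""
    findings = []

    sender = sender_domain(from_header)
    if not is_trusted_host(sender):
        findings.append(f"sender domain '{sender}' is not {TRUSTED_DOMAIN}")

    # Crude URL extraction; good enough for plain-text bodies.
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlparse(url).hostname or ""
        if not is_trusted_host(host):
            findings.append(f"link host '{host}' is not {TRUSTED_DOMAIN}: {url}")

    return findings


# Constructed sample messages (not the real phishing email).
PHISH_FROM = '"Zoom Security" <noreply@zoom-support.example>'
PHISH_BODY = (
    "Please take note that your account will continue to be inactive until "
    "you install the security app.\n"
    "Install Security App: https://zoom.us.example/install\n"
)

LEGIT_FROM = '"Zoom" <no-reply@zoom.us>'
LEGIT_BODY = "Join your meeting: https://us04web.zoom.us/j/0000000000\n"


if __name__ == "__main__":
    for label, hdr, body in (("phish", PHISH_FROM, PHISH_BODY),
                             ("legit", LEGIT_FROM, LEGIT_BODY)):
        print(f"[{label}] findings: {check_message(hdr, body)}")
```

Running the script reports two findings for the constructed phish (sender domain and link host) and none for the legitimate sample. A real mail-filter rule would pair this with header authentication results (SPF/DKIM/DMARC) and a proper public-suffix library, since the two-label shortcut used here is only right for simple suffixes like `.us`.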
I’m pretty sure that if you click download, you’ll get some malware. Let’s find out by taking a Windows 11 virtual machine and trying to install it just for giggles. I recorded the install process for you to view.
Now I did compare this to the real Zoom installer and the install process is identical. The only thing that jumps out at me is the version number, which is version 5.13.5 (12053). The latest version that I am aware of for Windows is 5.13.10 (13305) which makes this slightly older. I also noted that Microsoft Defender didn’t stop this. I also ran this by VirusTotal and it didn’t flag this as suspicious either. That implies that this is a novel attack of some sort which makes this extremely dangerous. I am going to investigate this further and I will update you with my findings. But in the meantime, I have reached out to Zoom and submitted all of this information so that they can put an end to this. But until they do, I would not only watch out for this threat if it hits your inbox, I would send this out far and wide to make sure nobody gets hit with this as clearly this threat is dangerous.
UPDATE: You can read my analysis of this threat here.
February 28, 2023 at 4:13 pm
[…] today, I came across a phishing email that purported to be Zoom asking you to download “security software”. […]