The latest fake Zoom meeting scam silently pushes surveillance software onto the Windows computers of unwitting employees.

That’s according to researchers at Malwarebytes, who warn that staff falling for the scam land in a convincing imitation of a Zoom video call. Moments later, an automatic “Update Available” countdown downloads a malicious installer, without asking permission.

The software installed is a covert build of Teramind, a commercial monitoring tool that companies use to record what employees do on work computers. Many anti-malware products may not flag it, because a commercial monitoring agent looks like legitimate software rather than malware. In the hands of a threat actor, though, it is gold: it logs keystrokes, takes screenshots at regular intervals, records which websites were visited and which applications were opened, captures clipboard contents, and tracks email and file activity.

Zoom has long been a service that threat actors try to use to their advantage, because employees are used to getting invitations to join a meeting from colleagues, managers, and customers.

Fake Zoom meeting scams usually start with phishing emails or text messages, so the first defense CSOs need to deploy is employee security awareness training.

“Taking five seconds to confirm a meeting link really leads to zoom.us [instead of an impostor link] is a simple habit that can prevent a serious problem,” Malwarebytes advises. The fake website that victims are sent to in this campaign is uswebzoomus[.]com/zoom/.
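That five-second check can also be automated, for example in a mail-gateway or calendar-scanning script. The following Python is an added example, not code from Malwarebytes or from the article: it treats a link as trusted only when its host is zoom.us itself or a subdomain of it (such as us02web.zoom.us or a company vanity subdomain), and rejects the lookalike patterns attackers rely on, including the uswebzoomus host named above. The trusted-domain list and the sample links are assumptions constructed for the example.

```python
# Added example (not from Malwarebytes or the article): decide whether a
# meeting link really points at zoom.us before anyone clicks it.
from urllib.parse import urlsplit

# Assumption: zoom.us is the only trusted registrable domain. Legitimate meeting
# links live on zoom.us or a subdomain such as us02web.zoom.us or <company>.zoom.us.
TRUSTED_DOMAINS = ("zoom.us",)


def host_matches(host: str, domain: str) -> bool:
    """True if host is exactly `domain` or a label-aligned subdomain of it.

    Label alignment matters: 'evilzoom.us' must NOT match 'zoom.us', and a plain
    substring test ('zoom' in host) would accept 'uswebzoomus.com'.
    """
    return host == domain or host.endswith("." + domain)


def is_legit_zoom_link(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """Return True only for https links whose host is a trusted Zoom domain.

    Rejects the usual impostor tricks:
    - the brand in the wrong position (uswebzoomus.com, zoom.us.other.example)
    - zoom.us placed in userinfo before an '@' (https://zoom.us@other.example/)
    - zoom.us appearing only in the path or query string
    - non-https schemes and homoglyph hosts (Cyrillic 'о' in place of 'o')
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname  # userinfo and port removed, already lowercased
    if not host:
        return False
    host = host.rstrip(".")  # 'zoom.us.' is the same host as 'zoom.us'
    return any(host_matches(host, d) for d in trusted)


def classify(url: str) -> str:
    """Human-readable verdict for a single link."""
    return "trusted" if is_legit_zoom_link(url) else "SUSPECT"


if __name__ == "__main__":
    # Constructed sample links. Only the uswebzoomus host comes from the article;
    # the '.example' hosts are placeholders.
    samples = [
        "https://zoom.us/j/1234567890?pwd=abc",
        "https://us02web.zoom.us/j/1234567890",
        "https://uswebzoomus.com/zoom/",
        "https://zoom.us.meeting-update.example/j/1",
        "https://zoom.us@meeting-update.example/j/1",
        "https://meeting-update.example/zoom.us/j/1",
        "http://zoom.us/j/1234567890",
        "https://evilzoom.us/j/1",
        "https://zoоm.us/j/1",  # second 'o' is Cyrillic U+043E
    ]
    for s in samples:
        print(f"{classify(s):8} {s}")
```

The check deliberately refuses plain http links as well: a real Zoom invite is always https, and downgrading the scheme is one more thing an impostor page has no reason to do.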

Roger Grimes, CISO advisor at awareness training provider KnowBe4, said he’s seen many malicious Zoom calls start with meeting invites in both Gmail and Microsoft Outlook. In fact, earlier this month he got one that was automatically added to his online calendar. Like most phishing lures, the calendar notice had a hard-to-miss subject line: “Final Notice: Payroll Acknowledgement Action Required: Meeting with …”

One of the key indicators of a phishing lure is a subject line that demands fast action, so that the target, the attacker hopes, doesn’t think before clicking. Another tell that this one was likely fake: it arrived on a Sunday afternoon.

Employees must be educated to not trust unexpected calendar invites or Zoom meetings, especially when they include unknown names and email addresses, he said.

“The way to avoid 99% of scams is to be super skeptical of any unexpected incoming message asking you to do something you’ve never done before (for example, install new software while attending a meeting),” he said. “If you get a message or an invitation including those two traits (they’re unexpected and asking you to do something you’ve never done before), research it using a trusted source outside the message before performing the requested actions.”

David Shipley, CEO of awareness training provider Beauceron Security, agreed employee training about fake Zoom invites is essential.

“Our research has shown that the two top reasons people click on a phishing link are that it looked legitimate and they were expecting something similar,” he said. “Thanks to AI, phishes look better than ever and can be more precisely targeted.” 

Effective training goes beyond the traditional advice to check the sender, subject line, or link, he added, because 40% of people don’t even think before they click.

“The key is teaching people to slow down with e-mail (or any communication tool the outside world can send messages to) and to always ask the following questions: ‘Do I know who is sending me this? Am I expecting it from this person? Does it feel off?’” 

The second teaching point, he said, is to remind staff to report it if, after they click a Zoom invite, something unexpected happens, such as software being installed.

Warnings about fake Zoom invites are widespread, coming from many sources, from a security vendor to the Pennsylvania Association of Realtors. Last October the association warned that so-called potential buyers are targeting agents with listings on the Multiple Listing Service (MLS), Realtor.com, and Zillow, showing interest in a property. Before submitting an offer, the potential client insists on having a Zoom meeting to discuss the property with the agent. The scammer sends a Zoom link, but when an agent clicks on it, malware is installed on their computer or phone.

Similarly, last summer the University at Buffalo warned students and staff that hackers were sending fake “Zoom invitation” links to UBmail accounts, with the goal of installing malware.

And Zoom itself has blogged on how to avoid being stung by job offer scams.


How it plays out

Malwarebytes didn’t explain how the specific campaign it reports on in the blog is initiated. But if a victim accepts a meeting invite and goes to the fake site, they arrive in what looks like a Zoom waiting room. At the same time, the site quietly sends a message to the attackers letting them know someone has entered.

Three scripted fake participants—“Matthew Karlsson,” “James Whitmore,” and “Sarah Chen”—appear to join the call one by one, each announced by a genuine-sounding Zoom join chime. But their conversation audio loops on repeat in the background. Nothing else happens unless the victim tries to interact. Then a permanent “Network Issue” warning is displayed over the main video tile, seemingly to explain the choppy audio and lagging video. When an “Update Available” prompt appears moments later, Malwarebytes says, it feels like a fix for the problem.

At that point there is one chance to stop the attack: the victim has to click the download prompt for the installation to proceed. Many employees would click, because it feels like the natural thing to do, says Stefan Dasic, Malwarebytes manager of research and response. That’s why it’s important that employees be trained never to update Zoom from a link in a message or a web page. Updates should come only from the update function inside the Zoom client itself.

If the victim clicks the prompt, a pop-up with no close button takes over, saying: “Update Available — A new version is available for download.” A spinner turns and a counter ticks from five to zero; when the counter hits zero, the page instructs the browser to silently download a file. At the same moment, the page switches to what looks like the Microsoft Store, showing “Zoom Workplace” mid-installation, spinner and all. While the visitor watches what appears to be a legitimate install resolving the problem, the real installer carrying the monitoring software has already landed in their Downloads folder without any consent prompt; once run, it puts the covert Teramind build on the system. Malwarebytes says the installer also carries anti-analysis code intended to hinder inspection by security tools.

“The attackers did not write custom malware,” the blog points out. “They deployed a professionally developed commercial product that is designed to run reliably and persist through restarts. That makes it more durable than many traditional malware strains.”

This campaign does not rely on technical sophistication, the blog adds. “No new hacking technique was used. The attacker built a convincing fake Zoom page, set an automatic download to fire before any visitor has a reason to be suspicious, and used a fake Microsoft Store screen to explain it all away. From click to install takes less than thirty seconds. Someone who was expecting a Zoom invite and saw what looked like a Microsoft installation in progress could easily walk away believing nothing unusual had happened.”

Malwarebytes advises infosec leaders who learn that an employee visited the uswebzoomus site to treat their computer as compromised.
