Check Point experts said that back in January 2020, they helped Zoom to fix the Vanity URL link issue, which could allow hackers to pose as employees of a victim company.
That is, attackers could send invitations to Zoom business meetings that looked like links originating from the victims’ companies. A Vanity URL is a company-specific URL in the format yourcompany.zoom.us. The company can brand this page with its logo and other trademarks, and to join such a corporate meeting, users just need to follow the Vanity link.
“Of course, where people go, criminals will follow. So it’s no surprise that the explosive growth in Zoom usage has been matched by an increase in new domain registrations with names including the word ‘Zoom’, indicating that cyber-criminals are targeting Zoom domains as phishing bait to lure victims. We have also detected malicious files impersonating Zoom’s installation program”, said Check Point researchers.
By sending an invitation carrying what looked like the victim company’s Vanity URL to that company’s customers, hackers could pose as trusted senders and harvest credentials and other sensitive information. In reality, the URL pointed to a subdomain registered by the attacker, with a name resembling that of the targeted company.
Researchers say that previously, attackers could manipulate Vanity URLs in two ways:
- Direct link targeting: When organizing a meeting, a hacker could change the invitation URL to include a registered subdomain of his choice. In other words, if the original link was in the format https://zoom.us/j/###########, the attacker could change it to https://[subdomain].zoom.us/j/########## . A user receiving such an invitation might not be able to tell whether it was fake or had been created by the real organization.
- Targeting proprietary Zoom web interfaces: Some organizations have their own Zoom web interface for conferencing. The hacker could imitate the victim company’s interface and try to redirect the user to a malicious link. As in the previous case, without special knowledge, the victim could not immediately recognize the fake link.
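As an added defensive illustration, not code from Check Point or Zoom: a small Python check that classifies the host of a received invitation link against the hosts an organization actually expects its meeting links to use. A Vanity subdomain that merely resembles the company name is reported as a lookalike, and anything that is not an https link to an expected host is reported as untrusted, so the distinction the article says a user cannot make by eye is made mechanically. The organization name `yourcompany`, the expected-host set and the sample invitation links are constructed for the example.

```python
"""Classify Zoom invitation links by host (added example, not Check Point's
or Zoom's code). The organisation is assumed to own the Vanity subdomain
yourcompany.zoom.us; that name and the sample links are constructed."""
from urllib.parse import urlsplit

ZOOM_APEX = "zoom.us"

# Hosts this organisation expects meeting invitations to use (constructed).
EXPECTED_HOSTS = frozenset({ZOOM_APEX, "yourcompany." + ZOOM_APEX})


def classify_invite_link(url: str, expected_hosts=EXPECTED_HOSTS) -> str:
    """Return 'ok', 'lookalike' or 'untrusted' for one invitation URL.

    ok         - https link whose host is exactly one of expected_hosts
    lookalike  - a zoom.us host that is *not* expected, e.g. a Vanity
                 subdomain resembling the organisation's own name
    untrusted  - anything else: other domains, non-https, unparsable input
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "untrusted"
    if parts.scheme.lower() != "https":
        return "untrusted"
    # .hostname strips any user@ prefix and :port, so a link such as
    # https://yourcompany.zoom.us@other.example/ resolves to other.example.
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "untrusted"
    if host in expected_hosts:
        return "ok"
    if host == ZOOM_APEX or host.endswith("." + ZOOM_APEX):
        return "lookalike"
    return "untrusted"


def triage_links(urls, expected_hosts=EXPECTED_HOSTS):
    """Classify many links; returns a list of (url, verdict) pairs."""
    return [(u, classify_invite_link(u, expected_hosts)) for u in urls]


# Constructed sample invitation links, as they might appear in e-mail.
SAMPLE_LINKS = [
    "https://zoom.us/j/1234567890",
    "https://yourcompany.zoom.us/j/1234567890",
    "https://yourcompany-meetings.zoom.us/j/1234567890",
    "https://YourCompany.Zoom.us/j/1234567890",
    "https://yourcompany.zoom.us@other.example/j/1234567890",
    "http://yourcompany.zoom.us/j/1234567890",
]

if __name__ == "__main__":
    for link, verdict in triage_links(SAMPLE_LINKS):
        print(f"{verdict:<10} {link}")
```

The check deliberately keys on the exact host rather than on the meeting-ID path: the path shape is identical for legitimate and attacker-chosen subdomains, so only an allowlist of expected hosts separates the two.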
Check Point also presented a video about the work:
We also recently shared that Cybercriminals Sell Exploits for 0-Day Zoom Vulnerability.