9 Zoom Scams Experts Are Warning About
Before you schedule another virtual happy-hour with your friends or a work meeting with colleagues over Zoom, you might want to consider who else might be listening in.
The popularity of online meetings
At the end of 2019, the Zoom video conferencing platform had about 10 million daily meeting participants. By late April 2020, with most of the United States sheltering in place, that figure had surged to over 200 million. Zoom isn’t the only video conferencing platform that has seen a major uptick in users since the World Health Organization (WHO) declared COVID-19 a pandemic in early March; others include Cisco’s Webex, Google’s Hangouts and Meet platforms, Microsoft’s Teams, and GoToMeeting. However, Zoom has gained the most notoriety for its security vulnerabilities. Some of these, most notably a flaw that let virtually anyone silently join a meeting and listen in on whatever was being said, were discovered and resolved before social distancing began in the United States, while others came to light only as social distancing became more prevalent. Here are the Zoom vulnerabilities you should still be aware of. When you’re video conferencing for work, make sure to follow these rules to keep things professional.
Is Zoom sharing your user data with Facebook?
In late March, Vice made a startling revelation: the Zoom iOS app was sending data to Facebook, through the Facebook software development kit (SDK) built into the app, whenever it was opened, and it did so even for users with no Facebook account. The data didn’t contain “passwords, phone numbers, or nuggets of information from conversations,” but it did include details such as the device model, time zone, city, carrier, and a unique advertiser identifier, which makes it easier for Facebook to target users with ads. Zoom dealt with this particular issue by removing the Facebook SDK from the app (according to CNET, it took less than a day). Still, bear in mind that signing into one service through another links the two accounts: whatever the identity provider collects, or whoever compromises it, now reaches the linked app too, so use social logins sparingly.
On March 30, the FBI issued a public warning about Zoom’s security vulnerabilities. In this case, the FBI was less concerned with keeping user information private (always an important consideration) than with uninvited participants hijacking meetings, a practice now known as “Zoombombing,” to display inappropriate content, including pornography, hate images (e.g., swastikas), threatening language, and even revelations of private information. For example, a Massachusetts Zoom class was interrupted by an intruder displaying swastika tattoos who shouted profanities and revealed the home address of the teacher. The FBI advised educators to protect video calls with passwords and not to share meeting links in public social media posts.
In late March, the security news site BleepingComputer reported that Zoom’s Windows client turned UNC paths pasted into chat (for example, \\attacker\share) into clickable links. A user who clicked one would have Windows try to open that share and, as part of the connection, send their Windows username and NTLM password hash to the attacker’s server, where the hash could be cracked offline. In early April, Zoom released a patch that stops the client from linkifying UNC paths, but Forbes recommended that Windows users also disable outgoing NTLM authentication as a precaution: open the Local Security Policy editor, go to “Security Settings,” then “Local Policies,” then “Security Options,” find “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers,” and set it to “Deny all.” One caveat: some file shares, printers, and older applications still rely on NTLM, so try the “Audit all” setting first and check the event log before denying it outright. Speaking of passwords, here are 12 password mistakes hackers are just hoping you’ll make.
Also in late March, the Intercept dropped the bombshell that, despite Zoom’s marketing claims to the contrary, Zoom did not protect its video meetings with end-to-end encryption (E2E); meetings were encrypted only in transit, with keys that Zoom’s own servers held. “End-to-end encryption scrambles messages in such a way that they can be deciphered only by the sender and the intended recipient,” the New York Times explains. Without E2E, Zoom can itself access the content of private video meetings, and it can be subpoenaed in a court case to turn over meeting content or recordings. In late April, Zoom announced plans to offer E2E for video calls, initially for paid accounts only. Here’s a particularly evil phishing scam that takes advantage of your feelings of job insecurity during the pandemic.
Another thing about those recorded meetings
Recordings of Zoom meetings saved to the Zoom cloud could be discovered and viewed by outsiders, security researcher Phil Guimond found in mid-April, according to CNET, and, worse, a recording could remain accessible even after you thought you had deleted it. After Guimond noticed that cloud recordings all followed a predictable URL structure and that not all of them were password-protected, he built a tool that generated candidate URLs and showed how exposed that cloud storage actually was. To defeat the tool, Zoom added a CAPTCHA challenge, but that only stops automated guessing by bots. “The URL pattern is still the same, and attackers could still try to open each generated result manually,” Guimond reports. The lesson here? Always password-protect your recorded Zoom meetings, and ask whether a meeting needs to be recorded to the cloud at all.
Leaked emails and photos
“Zoom is leaking personal information of at least thousands of users, including their email address and photo,” Vice revealed in early April. The cause was Zoom’s “Company Directory” feature, which treats everyone with the same email domain as part of the same “company.” Zoom kept a blocklist of the big consumer providers, so Gmail users were not affected, but smaller personal-email domains that had not been added to the blocklist (several Dutch ISPs were the reported examples) were, so strangers who happened to share an email provider could see one another’s names, photos, and addresses, and start a call with them. As of May 21, this issue has not been fully resolved, but a software update is preventing Zoom users on the same email domain from being able to automatically search for one another. You’ll be particularly wary of this one after you find out everything a hacker can do with your email address.
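The following is an added example, not Zoom’s code, that reconstructs the shape of the directory flaw described above and shows the safer design beside it. The “naive” version groups users by email domain and relies on a short (constructed) blocklist of public providers, which is exactly why users of an unlisted small ISP leak to one another; the “hardened” version only groups users under domains an organization has verified it owns (how that verification is done is assumed, not shown). The users and domains are constructed sample data.

```python
# Added example (not Zoom's code): grouping users into a "company directory"
# by email domain, the flawed way and a safer way.

# Constructed, deliberately short blocklist of public mail providers. Any real
# denylist is incomplete, which is the root of the leak shown below.
PUBLIC_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "icloud.com"}


def mail_domain(address: str) -> str:
    """Domain part of an email address, normalised to lowercase."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return domain.lower().rstrip(".")


def naive_directory(users):
    """Flawed rule: everyone who shares an email domain is one 'company',
    unless the domain is on the (never complete) public-provider denylist."""
    groups = {}
    for u in users:
        d = mail_domain(u["email"])
        if d in PUBLIC_MAIL_DOMAINS:
            continue
        groups.setdefault(d, []).append(u)
    return groups


def hardened_directory(users, verified_domains):
    """Safer rule (assumed design): group only under domains an organisation has
    proven it controls, e.g. via a DNS record. Everything else, public provider
    or small ISP alike, gets no shared directory at all (allowlist, not denylist)."""
    verified = {d.lower() for d in verified_domains}
    groups = {}
    for u in users:
        d = mail_domain(u["email"])
        if d in verified and d not in PUBLIC_MAIL_DOMAINS:
            groups.setdefault(d, []).append(u)
    return groups


def visible_contacts(viewer_email, directory):
    """(name, email) pairs the viewer can see; the viewer's own entry is omitted."""
    d = mail_domain(viewer_email)
    return sorted(
        (u["name"], u["email"])
        for u in directory.get(d, [])
        if u["email"].lower() != viewer_email.strip().lower()
    )


# Constructed sample users: two Gmail users, two customers of a small ISP that
# is not on the denylist, and two employees of a verified company domain.
USERS = [
    {"name": "Alice Adams", "email": "alice@gmail.com"},
    {"name": "Bob Brown", "email": "bob@gmail.com"},
    {"name": "Carol Chen", "email": "carol@isp.example.net"},
    {"name": "Dan Diaz", "email": "dan@isp.example.net"},
    {"name": "Erin Evans", "email": "erin@example.com"},
    {"name": "Frank Fox", "email": "frank@Example.com"},
]
VERIFIED_DOMAINS = {"example.com"}  # constructed: the only domain with proven ownership

if __name__ == "__main__":
    naive = naive_directory(USERS)
    hardened = hardened_directory(USERS, VERIFIED_DOMAINS)
    for who in ("alice@gmail.com", "carol@isp.example.net", "erin@example.com"):
        print(who, "sees (naive):   ", visible_contacts(who, naive))
        print(who, "sees (hardened):", visible_contacts(who, hardened))
```

Run as a script, the naive directory shows Carol the stranger Dan because their ISP was never added to the denylist, while the hardened directory shows only Erin and Frank to each other; the point is that an allowlist of verified domains fails closed where a denylist of public domains fails open.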
This one’s on you…
Zoom users who install Zoom from anywhere other than Zoom’s own site or the official app stores run the risk of installing malware bundled with the installer, such as cryptocurrency miners or adware, that can seriously degrade your computer’s performance. Zoom has not done anything to fix this, but it isn’t Zoom’s problem to fix, as Tom’s Guide points out: the tampered installers aren’t Zoom’s. The easiest way to avoid this problem is to ignore all emails, social media posts, pop-up messages, and the like promising to install or update Zoom for you, and to download the client only from zoom.us. In addition, you might want to consider running a good antivirus program on your computer. Here are 20 cybersecurity secrets hackers really wish we wouldn’t tell you.
When cybersecurity experts talk about “zero-day” exploits, they’re referring to attacks on vulnerabilities that the software maker does not yet know about, so it has had “zero days” to come up with a fix or work-around, and no patch exists when the attack begins. According to Vice, sellers on the dark web and in hacker circles are offering Zoom zero-day exploits to the highest bidders. While such exploits may exist, their claims are unverified: Vice’s sources had not seen the code, including for one that supposedly allows a remote attacker to take control of the victim’s computer (asking price: $500,000). By the way, Zoom is not the only platform scammers use; you should keep an eye out for Facebook scams, too.
In recent weeks, thousands of domain names that look, feel, and sound a lot like Zoom, but are in no way connected to Zoom, have been registered by scammers. From these domains they send emails (or texts or other messages) to Zoom users, asking the recipient to provide personal information or to click a link that either harvests their personal information or sets off a malicious download on their computer (including ransomware, which encrypts the user’s files until the user pays a “ransom” for the key). Here’s what some of the subject lines might look like:
- Welcome to “Zoom”: In this version of a phishing expedition, the hacker encourages the victim to “activate” their Zoom account by entering private information such as login credentials.
- You missed a “meeting”: In this version, the victim is told they missed a Zoom meeting, for which a link is provided. The link, however, takes the victim to a fake Zoom page, where their private information, including login credentials, can be stolen.
- Time to update your Zoom software: In this version, the victim is made to think they’re taking good care of their computer, when the “update” is actually malware. Genuine Zoom updates come from the app itself or from zoom.us, never from an emailed link.
In response, Zoom said in a statement to TechRadar Pro, “Users across all services and technology platforms should be cautious with emails, links, or files received from unknown senders, and that users should take care to only click on authentic links or open attachments to known and trusted service providers. Zoom users should be aware that links to our platform will only ever have a zoom.us or zoom.com domain name.” Zoom goes on to remind users to review the URL for spelling errors before clicking on any links. Check the domain itself, not just whether “zoom” appears somewhere in the link: hovering over a link shows its real destination, and a host such as zoom.us.example.com or zoom-us.com is not Zoom. Luckily, being able to recognize these signs you’re about to fall for a phishing email can keep you from falling victim.
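The following is an added example, not code from the page or from Zoom, that turns Zoom’s rule above (“links to our platform will only ever have a zoom.us or zoom.com domain name”) into a check you can run over links from an email. It uses Python’s standard URL parser so that the host it examines is the one a browser would actually connect to, and it covers the lookalikes scammers use: a real domain used as a prefix, a lookalike registered domain, a user-info trick, and a homograph. The sample links are constructed; none of the lookalike hosts is claimed to be a real phishing domain.

```python
# Added example (not Zoom's code): is a link really on zoom.us or zoom.com?
from typing import Optional
from urllib.parse import urlsplit

# Zoom's statement: genuine links always use one of these domains. The test
# below is "exactly this domain or a subdomain of it"; a substring or
# endswith() test without the dot would accept "zoom.us.evil.example" or "myzoom.us".
ZOOM_DOMAINS = ("zoom.us", "zoom.com")


def link_host(url: str) -> Optional[str]:
    """Lowercase hostname a browser would connect to for url, or None."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:              # e.g. malformed IPv6 brackets
        return None
    if parts.scheme not in ("http", "https"):
        return None                 # javascript:, data:, file: are never Zoom links
    host = parts.hostname           # lowercased; "zoom.us@evil" userinfo and :port removed
    if not host:
        return None
    return host.rstrip(".")         # "zoom.us." is the same host as "zoom.us"


def host_is_allowed(host: str, allowed=ZOOM_DOMAINS) -> bool:
    """True if host equals, or is a subdomain of, one of the allowed domains."""
    # Zoom's real domains are plain ASCII. A Cyrillic "о" in "zооm.us", or its
    # punycode "xn--" form, is a homograph, not Zoom.
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return False
    return any(host == d or host.endswith("." + d) for d in allowed)


def is_zoom_link(url: str) -> bool:
    host = link_host(url)
    return host is not None and host_is_allowed(host)


def triage_links(urls):
    """Split links into (genuine, suspicious) lists for a quick look."""
    genuine, suspicious = [], []
    for u in urls:
        (genuine if is_zoom_link(u) else suspicious).append(u)
    return genuine, suspicious


# Constructed sample links, as they might appear in the lures described above.
SAMPLE_LINKS = [
    "https://zoom.us/j/1234567890?pwd=abc",          # genuine
    "https://us02web.zoom.us/rec/share/xyz",          # genuine subdomain
    "https://ZOOM.COM/download",                      # genuine, case differs
    "https://zoom.us.meeting-invite.example/j/1",     # zoom.us is only a prefix
    "https://myzoom.us/j/1",                          # endswith("zoom.us") trap
    "https://zoom.us@meeting-invite.example/j/1",     # userinfo trick
    "https://zoom-us-update.example/ZoomSetup.exe",   # "update your Zoom" lure
    "https://zооm.us/j/1",                            # Cyrillic "о" homograph
    "javascript:alert(document.cookie)",              # not a web link at all
]

if __name__ == "__main__":
    ok, bad = triage_links(SAMPLE_LINKS)
    print("genuine:", *ok, sep="\n  ")
    print("suspicious:", *bad, sep="\n  ")
```

The check deliberately looks only at the host, as Zoom’s statement does; a genuine zoom.us link can still carry a phishing payload in its path (for example, a redirect parameter), so treat “genuine domain” as necessary, not sufficient.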
Be your own security expert
Follow these best practices for using video conferencing platforms securely:
- Take advantage of Waiting Rooms if your platform makes them available, so you admit participants one at a time
- Require a meeting passcode, and don’t reuse your Zoom account password anywhere else
- Don’t share meeting links or IDs on social channels or other public pages
- When you join, use a web browser rather than the installed app where possible: the browser’s sandbox limits what a flaw in the client can reach, and there is no installer to be tampered with
- Make sure your participants are who they say they are before commencing the meeting, and lock the meeting once everyone has arrived
- Make use of virtual backgrounds (because you may not realize what information your home background reveals about you)
- Remove problematic participants
Next, read on for 18 secrets from people who never get hacked.