Tag Archive for: Zoom

Hackers Exploit Community Meetings to Spread Malware Via Fake Zoom Invites

/in


Hackers have been spoofing invite reminders for virtual meetings at community associations and school boards in a bid to infect attendees with malware.

Email protection provider Avanan noticed(Opens in a new window) the attacks in March. Hackers send out emails that pretend to come from a community group or school board, but the included PDF has been designed to infect a recipient’s PC with malware. 

The scheme leverages how the COVID-19 pandemic caused many people and community groups to adopt video calls as a way to meet online. Now it’s become common for users to encounter invites and reminders for virtual meetings in their email inboxes. 

Unfortunately, hackers know they can exploit the same meetings to spread malware and instigate other nefarious schemes, such as “Zoom bombing.” In this case, Avanan noted the attackers will pretend to send fake meeting invites for the Zoom video-conferencing software. 

Example of one of the attacks.


(Avanan)

“It is easy for this attack to show legitimacy,” the security firm wrote in a blog post. “The association spoofed is legitimate; all public meetings are public records, so the dates can match. With just a PDF, it can easily look like a calendar invite attached to an email.”

When clicked, the PDF-based invite can then forward a user to a website that’ll ask them to download a malicious program to their machine. “The code embeds itself into system memory and can share contents of the local computer with the malicious party,” Avanan added. 

Recommended by Our Editors

Avanan also warns the hackers could easily expand their attacks to target more victims. “There are countless community associations across the country and world. There are also tons of video conferencing platforms to leverage,” the security firm said. 

To avoid getting phished, you should always check the sender address before interacting with an email. If something looks off, the email is most likely spoofed. Another red flag is if the email asks you to download software from an unofficial website. When in doubt, ask the administrator of a community association or school board if they in fact sent out the email in question.

Like What You’re Reading?

Sign up for SecurityWatch

Source…

Five smart ways to use your webcam for more than Zoom meetings.

/in


If you need an image on your computer, you can use your webcam to scan it in.

Remember in early 2020 when we were excited to join Zoom happy hours, and every meeting was a video?

If you still are meeting with clients, co-workers, and friends via video, you might as well look and sound good. Tap or click for my top Zoom tips.

Maybe you’re back to the office or at least not taking as many video calls. One clever use for your webcam, or an old phone or laptop, is to turn it into a security camera. Tap or click here for steps to set it up in under a minute.

Here are five more ways to get your money’s worth out of your webcam:

1. Use it to scan documents to your computer

Taking a photo, cropping it, emailing it to yourself, then uploading it or attaching it to another email is a pain. If you need an image on your computer, use your webcam. Even a decent webcam is good enough to scan a document for you.

On a Mac:

• Open Photo Booth. Your webcam will automatically open.

• Place your document in front of the webcam and line it up on the screen.

Source…

Zoom merger with Five9 scrutinized over ties to China • The Register

/in


Zoom’s ties to China are at the center of a US government investigation into the video-conferencing giant’s $15bn plan to take over Five9, a California call-center-in-the-cloud.

The snappily titled Committee for the Assessment of Foreign Participation in the United States Telecommunications Service Sector – known as Team Telecom under a previous president – is right now probing the planned acquisition. This interagency panel is chaired by Attorney General Merrick Garland, and has reps from the Pentagon and Homeland Security.

The FCC was reviewing an application [PDF] by Zoom and Five9 as part of the takeover bid until the regulator was asked by Justice Department official David Plotinsky to hold off until the committee had finished scrutinizing the overall deal.

In a letter dated August 27, and spotted this week on the FCC website by the WSJ, Plotinsky told the FCC that the committee is considering whether the acquisition of Five9 poses “a risk to the national security or law enforcement interests of the United States.”

The Dept of Justice “believes that such risk may be raised by the foreign participation (including the foreign relationships and ownership) associated with the application,” he continued, “and a review by the committee is necessary to assess and make an appropriate recommendation as to how the [FCC] should adjudicate this application.”

woman clicks the wrong thing on laptop, covers mouth from shock

Zoom incompatible with GDPR, claims data protection watchdog for the German city of Hamburg

READ MORE

By foreign relationships and ownership, officials are referring to Zoom’s links with Beijing. Not only was its encryption not that strong nor end-to-end, it also was spotted routing connections through China. Zoom promised to beef up its security, especially so when Uncle Sam found the vid-chat giant fell short of those promises.

Zoom also closed the paid-for account of US-based Chinese activists after they held an international Zoom meeting marking the 31st…

Source…

Security Researchers Find Zoom Vulnerabilities That Would Have Let Bad Actors Take Over Your Computer

/in


A pair of security researchers revealed several zero-day vulnerabilities in Zoom in recent days that would have let hackers take over someone’s computer even if the victim hadn’t clicked anything. Zoom confirmed to Gizmodo that it released a server-side update to address the vulnerabilities on Friday and that users did not need to take additional action.

The vulnerabilities were identified by Dutch researchers Daan Keuper and Thijs Alkemade from Computest Security, a cybersecurity and risk management company, as part of the Pwn2Own 2021 hacking competition hosted by the Zero Day Initiative. Although not many specifics are known about the vulnerabilities because of the competition’s disclosure policy, in essence, the researchers used a three-bug chain in the Zoom desktop app to carry out a remote code execution exploit on the target system. 

The user did not need to click anything for the attack to successfully hijack their computer. You can see the bug in action below.

According to MalwareBytes Labs, which cited a response from Zoom, the attack needed to originate from an accepted external contact or be part of the target’s same organizational account. It also specifically affected Zoom Chat, the company’s messaging platform, but did not affect in-session chat in Zoom meetings and Zoom video webinars.

Keuper and Alkemade won $US200,000 ($262,380) for their discovery. This was the first time the competition featured the “Enterprise Communications” category — given how acquainted all of us are with our screens because of covid-19, it’s no wonder why — and Zoom was a participant and sponsor of the event.

In a statement on Keuper and Alkemade’s win, Computest said that the researchers were able to almost completely take over the targeted systems, performing actions such as turning on the camera, turning on the microphone, reading emails, checking the screen, and downloading browser history.

“Zoom took the headlines last year because of…

Source…