Hackers are attempting to steal the cryptocurrency holdings of Zoom users through a complex phishing-based malware distribution scheme, according to a cybersecurity engineer.

In a Twitter thread earlier this week, a pseudonymous cybersecurity engineer and NFT collector NFT_Dreww.eth drew attention to the new scheme. “Scammers are getting extremely sophisticated, and have evolved their tactics to impersonate zoom which, if downloaded, takes everything from your device... Over $300K stolen so far…” he wrote.

Drew explained that the criminals usually approach would-be victims with some made-up opportunity: offering to license their intellectual property, inviting them as guests to a Twitter Space, or asking them to become angel investors or join the project’s team.

They then insist on discussing the opportunity via Zoom, which gives the scammers an opportunity to share the malicious link. The attackers also use high-pressure tactics, like sending a screenshot of a Zoom call full of people waiting for the victim.


Even if the victim already has Zoom installed, the legitimate-looking page shows a loading screen while it downloads ZoomInstallerFull.exe. The file is really the malware masquerading as a Zoom installer; once run, it prompts the victim to accept the terms and conditions that Windows users are accustomed to seeing when they install new software.

Once the “installation” is complete, the call loading page keeps spinning until, at some point, it redirects the victim to the legitimate Zoom website. Drew concluded that this is aimed at making “it seem like it was just a glitch or taking forever to load.” By the time this happens, the malware has already run and finished its work.

When the file is run, the malware immediately adds itself to the Windows Defender exclusion list, so Defender no longer scans or blocks it. It then begins executing its payload and extracting user information while the victim is still staring at the spinning call-loading screen and accepting the fake terms and conditions.
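A practical defender-side check for the self-exclusion step described above: list the path exclusions Defender is configured with and flag the ones that look like a program excluded itself (a single .exe, a user’s Downloads or AppData folder, a temp directory, a whole drive). This is an added example, not code from the original article or from the researcher it quotes; the suspicious-pattern heuristics and the sample exclusion list are constructed for illustration, and the registry key it reads is the standard location Defender stores configured path exclusions under.

```python
import re

# Heuristics for exclusions that are rarely set by an administrator but are
# exactly what a dropper adds for itself. Patterns and reasons are assumptions
# for this example; tune them to your own environment.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\\users\\[^\\]+\\(downloads|appdata|desktop)(\\|$)", re.I),
     "user-profile folder that downloads run from"),
    (re.compile(r"\\te?mp(\\|$)", re.I), "temporary directory"),
    (re.compile(r"\.exe$", re.I), "single executable excluded"),
    (re.compile(r"^[a-z]:\\$", re.I), "entire drive root excluded"),
]

# Constructed sample: what a compromised host's exclusion list might look like
# after a fake installer (the article's ZoomInstallerFull.exe) excluded itself.
SAMPLE_EXCLUSIONS = [
    "C:\\Program Files\\Vendor\\Backup Agent",
    "C:\\Users\\alice\\AppData\\Local\\Temp\\ZoomInstallerFull.exe",
    "C:\\Users\\alice\\Downloads",
    "D:\\",
]


def audit_exclusions(paths):
    """Return [(path, reason)] for every exclusion matching a suspicious pattern."""
    findings = []
    for path in paths:
        for pattern, reason in SUSPICIOUS_PATTERNS:
            if pattern.search(path):
                findings.append((path, reason))
                break  # report the first matching reason only
    return findings


def read_defender_path_exclusions():
    """Read configured Defender path exclusions from the registry.

    Each value name under HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths
    is an excluded path. Returns [] when not running on Windows or the key is
    absent, so the audit can still be exercised on sample data elsewhere.
    """
    try:
        import winreg
    except ImportError:
        return []
    key_path = r"SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
    paths = []
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            index = 0
            while True:
                try:
                    name, _data, _kind = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                paths.append(name)
                index += 1
    except OSError:
        return []
    return paths


if __name__ == "__main__":
    live = read_defender_path_exclusions()
    source = live if live else SAMPLE_EXCLUSIONS
    for path, reason in audit_exclusions(source):
        print(f"SUSPICIOUS exclusion: {path}  ({reason})")
```

On a Windows host the same list is available from PowerShell via `Get-MpPreference`, whose `ExclusionPath` property is the authoritative view; the registry read here is only so the script degrades to the constructed sample when run elsewhere. An exclusion added without a change ticket, especially for a path in a user profile, is worth treating as an incident indicator rather than a configuration quirk.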


Drew also noted that antivirus tools may fail to catch malware of this kind.

“When you are dealing with malware to this degree, oftentimes tools fail to catch this, such as VirusTotal,” he wrote. “All of these tools are meant as a check and should not be meant as a source of truth. VirusTotal is great, but if you are not specific in what you are searching, it can end up hurting you.”

Artem Irgebaev, Smart Contract Triager at Immunefi, told Decrypt that “antivirus effectiveness depends on whether that malware was encrypted before being sent to the target. I would say that in most cases, it is not effective at all since Threat Actors prepare their attacks on high-value targets and encrypt their malware before engaging with the potential victim.”

Sudipan Sinha, Core Contributor at RiskLayer and CEO at Chainrisk Labs further highlighted that “relying solely on antivirus software has its shortcomings.” He explained that “zero-day exploits, which are entirely new and unknown to antivirus databases, pose a significant challenge.

Moreover, antivirus software cannot safeguard against social engineering tactics that deceive users into unwittingly downloading malware. Therefore, while antivirus software is a vital component of cybersecurity defense, comprehensive protection against sophisticated attacks often requires additional layers of security measures and user awareness.”

Realistic Zoom links

The format of the links used in this phishing campaign closely resembles that of legitimate Zoom links. As Drew explained, Zoom uses the zoom.us domain with region-specific subdomains; a U.S.-based user, for example, may be redirected to us02web.zoom.us.

The malicious links, on the other hand, use a zoom subdomain of the us50web.us domain. At a glance the resulting zoom.us50web.us can pass for a Zoom host, thanks in no small part to Zoom’s own confusing mix of regional subdomains, but the registrable domain is us50web.us, not zoom.us. Drew also cites us50web-zoom.us as another domain used in the campaign.
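The check that defeats both look-alikes is to ignore everything left of the registrable domain and compare only that part against zoom.us. The following is an added example, not code from the original article or from the researcher it quotes; it uses the three hostnames discussed above plus a few constructed variants, and deliberately uses a two-label approximation of the registrable domain (enough for zoom.us and these look-alikes) rather than the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Legitimate Zoom meeting hosts are zoom.us or a subdomain of it, e.g. us02web.zoom.us.
LEGIT_ZOOM_DOMAIN = "zoom.us"


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'zoom.us'.

    Simplification: correct for zoom.us and the look-alikes in this article,
    but multi-label public suffixes (.co.uk etc.) would need the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_legit_zoom_link(url: str) -> bool:
    """True only when the URL's host is zoom.us or a subdomain of it."""
    host = urlsplit(url).hostname or ""
    return registrable_domain(host) == LEGIT_ZOOM_DOMAIN


def classify_link(url: str) -> str:
    """Label a link as legitimate, a Zoom look-alike, or unrelated to Zoom."""
    host = urlsplit(url).hostname or ""
    reg = registrable_domain(host)
    if reg == LEGIT_ZOOM_DOMAIN:
        return "legitimate"
    # "zoom" anywhere in the URL (subdomain, hyphenated label, userinfo) but a
    # different registrable domain is the pattern the article describes.
    if "zoom" in url.lower():
        return f"look-alike (registrable domain is {reg}, not {LEGIT_ZOOM_DOMAIN})"
    return "not a zoom link"


# Constructed samples: the hosts named in the article and a few variants.
SAMPLE_LINKS = [
    "https://us02web.zoom.us/j/123456789?pwd=abc",   # real regional Zoom host
    "https://zoom.us50web.us/j/123456789",           # 'zoom' as a subdomain
    "https://us50web-zoom.us/j/123456789",           # hyphen, not a subdomain
    "https://zoom.us@us50web.us/j/123456789",        # 'zoom.us' hidden in userinfo
    "https://example.com/meeting",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{link:50} -> {classify_link(link)}")
```

The point the example makes concrete: a hyphen joins characters inside one label, so us50web-zoom.us is a wholly different registrable domain, and a dot only creates a subdomain when the labels to its right are zoom.us; anything else to the right of the word “zoom” means the link leaves Zoom’s infrastructure entirely.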


“It’s super important to know that a ‘-’ does not make something a sub-domain, that’s a part of a top-level domain, which tricks a lot of people,” he explained.

Drew stressed that avoiding a social engineering attack like this one takes close attention.

“It’s extremely easy to fall for this... I doubt 80% of people verify each character in a link that’s sent, especially a Zoom link,” Drew concluded. Similarly, Irgebaev noted that “using a fake Zoom domain is very creative, which increases the number of people likely to be tricked into downloading malware.”

Crypto crime is nothing new

As reported earlier this week, Europol’s latest Internet Organized Crime Threat Assessment showed that crypto crime continues to evolve. Furthermore, the report’s authors suggest it will only get worse, since encryption and decentralization make privacy increasingly well protected:

“Decentralization, blockchain technology, and P2P networks will continue to provide opportunities for cyber offenders as they make it easier to carry out transactions anonymously and out of sight of the authorities,” the authors wrote.

Edited by Stacy Elliott.
