The study began after users complained about emails they had received from the Zoom service. The emails offered compensation “in connection with COVID-19” and contained a link to fraudulent sites where the victim’s money and bank card details were stolen. Analysts from Group-IB’s Computer Emergency Response Team (CERT-GIB) found that the emails were sent not from a fake domain, but from the official service.
“The thing is that when registering, Zoom offers the user the option to fill out the profile fields “First name” and “Last name”, providing the ability to insert up to 64 characters in each field. Fraudsters use this opportunity by inserting the phrase “You are entitled to compensation in connection with COVID-19” and indicating a link to a fraudulent site,” the company explained.
After clicking the link, users were asked to enter the last 4 or 6 digits of their bank card number. The fraudsters then calculated a “compensation” amount for the user: from 30 thousand to 250 thousand rubles ($385 – $3,200). To receive this money, however, the victim had to pay a small amount “for legal assistance in filling out the questionnaire” ($12). Users who entered their card data on these sites lost both their money and their bank card data.
According to the deputy head of CERT-GIB, Yaroslav Kargalev, the Zoom service needs to verify the data that users enter when registering an account more thoroughly, and to completely prohibit third-party links in the profile. Since the beginning of 2020, CERT-GIB has recorded the appearance of about 15.3 thousand domains containing the name Zoom.
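One way a service could apply the registration check recommended above, as an added example that is not Zoom's or Group-IB's code: a validator for the “First name” and “Last name” fields that rejects links and sentence-like text before the value can reach a service-generated email. The function name, the word limit, the allowed punctuation and the sample inputs are assumptions made for illustration; only the 64-character limit comes from the article.

```python
import re
import unicodedata

MAX_LEN = 64    # per-field limit stated in the article
MAX_WORDS = 4   # assumed policy: a name field is not a sentence

_URL_SCHEME = re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://")
_WWW = re.compile(r"(?i)\bwww\.")
# label.tld with a TLD of two or more letters (Unicode-aware, so IDNs match too)
_DOMAIN = re.compile(r"\b[\w-]+\.[^\W\d_]{2,}\b")
_ALLOWED_PUNCT = " -'.\u2019"  # space, hyphen, apostrophes, period for initials


def name_field_problems(value: str) -> list[str]:
    """Return the reasons a profile name field should be rejected (empty list = OK)."""
    # NFKC folds look-alikes such as the fullwidth full stop into ASCII first,
    # so "example．com" is checked as "example.com".
    text = unicodedata.normalize("NFKC", value).strip()
    problems = []
    if not text:
        problems.append("empty")
    if len(text) > MAX_LEN:
        problems.append("too_long")
    if _URL_SCHEME.search(text) or _WWW.search(text) or _DOMAIN.search(text):
        problems.append("link")
    # Only letters, combining marks and a few name punctuation marks are allowed;
    # digits, ':' and '/' therefore fail even when no link pattern matched.
    if any(unicodedata.category(ch)[0] not in "LM" and ch not in _ALLOWED_PUNCT
           for ch in text):
        problems.append("disallowed_char")
    if len(text.split()) > MAX_WORDS:
        problems.append("too_many_words")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; the domain is a reserved placeholder.
    samples = [
        "Anna",
        "O'Neil-Smith",
        "You are entitled to compensation in connection with COVID-19",
        "https://compensation.example/pay",
        "see compensation\uff0eexample",
    ]
    for s in samples:
        print(repr(s), "->", name_field_problems(s) or "accepted")
```

The same check belongs on profile edits as well as on registration, since the field contents are what end up in the outgoing notification email.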