top of page
  • Admin

Zoom On In To Really Check That IcedID

Published: August 18, 2023 on our newsletter Security Fraud News & Alerts Newsletter.



Recently, Cyble researchers discovered that a phishing campaign was targeting Zoom users. Of course, this isn’t the first time. Remember 2020? The massive uptick in Zoom use created a cornucopia of opportunities for attackers then. In this case, the goal of the campaign was to get users to download IcedID onto their devices. IcedID is a type of malware that is designed to steal financial and banking info from unsuspecting users.


The website used in the phishing scam this time looked exactly like Zoom's real website. That’s an example of website spoofing. Often, you may hear the term typosquatting. That is when the user’s typos result in taking them to a website that may look like the official site, but isn’t. In any case, these websites were created specifically to do damage to Zoom users and to look identical to actual Zoom.


Usually, IcedID spreads via Office documents (example at bottom of article), but this time the bad actors got creative and used a fake Zoom website to try to deliver the Trojan. When users arrived at the fake website, they were greeted with a download button. Once clicked, the installer file was sent to them.



If a user executed the installer, then files were dropped in the %temp% folder and the IcedID malware was off and running.


Cyble researchers said that IcedID is a long-lasting malware. They mentioned that it targeted and has affected users all around the globe. The report noted that threat actors are always changing the techniques they use to avoid being detected, which is why sometimes it's difficult for malware and other security threats to be discovered right away.


And this makes it especially important that everyone stays on top of ongoing threats. They usually don’t come around just once.



Keep up to date: Sign up for our Fraud alerts and Updates newsletter

Want to schedule a conversation? Please email us at advisor@nadicent.com

Comments


bottom of page