As a huge chunk of the world’s population is staying at home because of social distancing measures, video-conferencing businesses saw an opportunity to expand their freemium offers. Zoom was one of the first companies to give business users free access to its app in a bid to keep businesses running despite the ensuing pandemic. After about a month of schools being closed to stave off the virus’s spread, the company also offered expanded free access for students and teachers.

Given the overall circumstances, Zoom hit a record-breaking 62 million downloads within a single week in March. All was well until news of so-called “Zoom-bombing” attacks broke. In Zoom-bombing attacks, threat actors join ongoing meetings uninvited. While some disrupt meetings with outbursts or sharing pornographic images and content, others may be spying on attendees in hopes of obtaining proprietary information.

Zoom-bombing isn’t the only threat that users should watch out for, though, as we recently saw a spike in Zoom-related domain registrations via our domain intelligence source, Typosquatting Data Feed. Cyber attackers may be preparing for more sinister schemes in the days to come.

A Rise in Zoom-Related Bulk Domain Registrations

Akin to the rise in coronavirus-themed domain registrations we’re seeing as the pandemic ensues, the volume of Zoom-related domains registered in bulk throughout March indicates a similar trend.

We collated the domains containing the term “zoom” from our typosquatting data feeds dated 1—31 March 2020 and found a total of 251 entries. The chart below shows the number of domains registered per day.

Notice the peak in domain registrations toward the end of March. It coincides with the rising number of attacks targeting Zoom users. We can’t say for sure if these newly registered domains (NRDs) had to do with any of these cyber attacks or others. That would require thorough investigation.

However, it certainly wouldn’t hurt to take additional precautions when dealing with unknown links sporting these domains sent via email, chat messages, or direct messages on social media. Some URLs could be malicious and thus put systems or worse identities at great risk.

Domain Intelligence: A Deeper Dive into Zoom-Themed Names

Among the 251 domains that contained the term “zoom,” some were notable in that they can figure in phishing and other cyber attacks. For instance, a “supposed” colleague (i.e., a cybercriminal in disguise) could send you a seemingly harmless link that turns out to lead to a phishing or malware download page.

Such a URL could look like that of an exercise group’s that you might be interested to join (e.g., zoomba[.]online, zoomyoga[.]us, zoompilates[.]studio, etc.) or a hobbyists’ video-conferencing page (e.g., dekorazoom[.]com, paintzoom[.]site, zoomcature[.]com, etc.). Other notable domains that may figure in attacks could be:

• Zoom-dating[.]com, zoomdating[.]events, and zoomdating[.]singles (targeting those looking to meet potential partners)
• Zoomvirtualbackgrounds[.]shop, zoomvirtualbackground[.]com, zoomvirtualbackgrounds[.]store, zoomvirtualbackground[.]shop, zoomvirtualbackgrounds[.]net, zoomvirtualbackgrounds[.]club, zoomvirtualbackgrounds[.]top, zoomvirtualbackgrounds[.]vip, and zoomvirtualbackgrounds[.]online (targeting those who want to customize their video-conferencing backgrounds)
• Zoomuniversity[.]net, zoom-university[.]com, zoomuniversity[.]store, zoomclassroom[.]live, zoomclassroom[.]solutions, zoomclassroom[.]org, zoomclassroom[.]info, zoomclassroom[.]website, zoomclassrooms[.]com, zoomclassroom[.]online, zoomclassroom[.]net, zoomclassroom[.]us, zoomschool[.]club, zoomschool[.]info, zoomschool[.]net, schoolbyzoom[.]com, schoolbyzoom[.]net, schoolbyzoom[.]info, and schoolbyzoom[.]org (targeting students and teachers)
• Zoom[.]digital, zoom[.]college, zoom[.]cafe, zoomettabar[.]com, zoomettabar[.]org, and zoomettabar[.]win (targeting those who miss interacting with their friends)
• Thezoomshow[.]world, thezoomshow[.]com, thezoomshow[.]org, thezoomshow[.]info, thezoom-show[.]com, zoomconcert[.]com, zoomconcerts[.]com, and zoomconcerts[.]org (targeting those in search of entertainment)
• Legalshield-zoom[.]com, legslshieldzoom[.]com, zoomdivorce-mediation[.]com, zoom-divorcemediation[.]com, zoomdivorcemediation[.]com, zoomintherapy[.]info, zoomintherapy[.]us, zoomintherapy[.]net, zoommobilemed[.]net, zoommobilemed[.]site, zoommobilemed[.]info, zoommobilemed[.]com, zoommobilemed[.]online, zoommobilemed[.]biz, zoomadoc[.]net, zoomadoc[.]org, zoomadoc[.]com, zoomadoc[.]info, zoomadoc[.]biz, and zoomadoc[.]mobi (targeting those seeking legal aid, psychiatric/psychological help, and medical consultation)

Among the 251 NRDs indicated in the March 2020 typosquatting data feeds, security specialists need to at least pay more attention to the following sites cited for ties to phishing and malware attacks on Threat Intelligence Platform (TIP):

• Legalshield-zoom[.]com
• Legslshieldzoom[.]com
• Zoomintherapy[.]info
• Zoomintherapy[.]net
• Zoomags[.]com
• Zoomyogi[.]com
• Zoombooms[.]com
• Persianzoom[.]com
• Persianzoom[.]net
• Zoomkiller[.]net
• Zoomkiller[.]com
• Zoomarchery[.]com
• Zoomwiz[.]media

While the domains may not be outright malicious, erring on the side of caution is advised because the alternative can translate to a data breach that would not only cause victims financial but also reputational damage.

As Zoom continues to work toward making its app more secure against threats, users should also do their share in protecting their privacy and data. Scrutinizing the messages they receive, especially from unknown sources, and the links embedded in these is important.

Using additional intelligence sources such as the Typosquatting Data Feed for monitoring and blocking suspicious bulk domain registrations should the need arise for large enterprises is also recommended.