The US Federal Bureau of Investigation (FBI) warned today of hijackers who join Zoom video conferences used for online lessons and business meetings with the end goal of disrupting them or for pulling pranks that could be later shared on social media platforms.

"The FBI has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language," the warning published by FBI's Boston Division says.

Zoom-bombing incidents

According to FBI Boston's Kristen Setera, two Massachusetts schools within the division's area of responsibility (Maine, Massachusetts, New Hampshire, and Rhode Island) reported such incidents.

During late March 2020, a Massachusetts-based high school reported to the FBI that an unidentified individual(s) joined an online classroom taking place over the Zoom teleconferencing platform, yelling profanities and shouting the teacher’s home address.

In another incident reported by a Massachusetts-based school, an unidentified individual dialed into another Zoom classroom meeting displaying swastika tattoos on his webcam.

"As large numbers of people turn to video-teleconferencing (VTC) platforms to stay connected in the wake of the COVID-19 crisis, reports of VTC hijacking (also called 'Zoom-bombing') are emerging nationwide," the FBI alert added.

Defend against video conference hijacking

Those who use Zoom's online video conference platform to host business meetings or online lectures are advised by the FBI to take a number of measures to prevent future hijacking attempts:

• Do not make meetings or classrooms public: In Zoom, there are two options to make a meeting private: require a meeting password or use the waiting room feature and control the admittance of guests.

• Do not share Zoom conference links on public social media: Provide the link directly to specific people.

• Manage screen-sharing options: In Zoom, change screen sharing to 'Host Only.'

• Ensure users keep their Zoom clients up to date: In January 2020, Zoom updated their software. In their security update, the teleconference software provider added passwords by default for meetings and disabled the ability to randomly scan for meetings to join.

• Lastly, ensure that your organization’s telework policy or guide addresses requirements for physical and information security.

FBI advises zoom-bombing victims to report such incidents via the FBI’s Internet Crime Complaint Center and any direct threats during a video conference hijacking incident at https://tips.fbi.gov/.

In January, a vulnerability was patched in Zoom's video conference software that could have made it possible for attackers to find and join unprotected Zoom meetings.

Last year, Zoom fixed another security vulnerability (1, 2) that enabled hackers to remotely execute code via a maliciously crafted launch URL on Macs where the app was uninstalled.

A different security issue (1, 2, 3) was patched last year to block remote attackers from forcing Windows, Linux, and macOS users to join video meetings with their cameras forcibly activated.

Zoom also used as bait for phishing and malware

Attackers are also attempting to capitalize on Zoom's increasing user base since the COVID-19 outbreak started by registering hundreds of new Zoom-themed domains that they later use for malicious purposes.

"Since the beginning of the year, more than 1700 new domains were registered and 25% of them were registered in the past week," as Check Point Research discovered. "Out of these registered domains, 4% have been found to contain suspicious characteristics."

The researchers also spotted malicious files using a zoom-us-zoom_##########.exe naming scheme which launch InstallCore installers that will try to install potentially unwanted apps or malicious payloads depending on the attackers' end goal.

"When using a known brand name in a website, the intention of the malicious actors is usually to hide among other legitimate websites and lure users by impersonating the original website or a relating service and getting the user's credentials, personal information or payment details," Check Point told BleepingComputer.

"Malware infections would usually occur via phishing emails with malicious links or files. The actual malware used can change based on the attackers' capabilities and goals."