Security News > 2020 > July > Zoom's Vanity URLs Could Have Been Abused for Phishing Attacks

An issue related to the Zoom feature that allows for the customization of meeting URLs could have been exploited for phishing attacks, Check Point reveals.
The recently identified security issue, Check Point says, is related to the Zoom Vanity URL, a custom URL that organizations are required to use when looking to enable single sign-on.
Although the invitation would seem as being sent from the legitimate Vanity URL of the spoofed organization, the URL would actually point to a subdomain registered by the attacker with a name similar to the one of the target.
An attacker could also target the dedicated Zoom web interfaces that some organizations use for video conferencing to exploit the bug by redirecting the user to a malicious Vanity URL. "Without particular cybersecurity training on how to recognize the appropriate URL, a user receiving this invitation may not recognize that the invitation was not genuine or issued from an actual or real organization," Check Point notes.
"Because Zoom has become one of the world's leading communication channels for businesses, governments and consumers, it's critical that threat actors are prevented from exploiting Zoom for criminal purposes. Working together with Zoom's security team, we have helped Zoom provide users globally with a safer, simpler and trusted communication experience so they can take full advantage of the service's benefits," Adi Ikan, Group Manager at Check Point Research, commented.
News URL
Related news
- Darktrace: 96% of Phishing Attacks in 2024 Exploited Trusted Domains Including SharePoint & Zoom Docs (source)
- Cloudflare outage caused by botched blocking of phishing URL (source)
- Microsoft: Hackers steal emails in device code phishing attacks (source)
- Phishing attack hides JavaScript using invisible Unicode trick (source)
- FatalRAT Phishing Attacks Target APAC Industries Using Chinese Cloud Services (source)
- Hackers Exploit AWS Misconfigurations to Launch Phishing Attacks via SES and WorkMail (source)
- YouTube warns of AI-generated video of its CEO used in phishing attacks (source)
- Ukrainian military targeted in new Signal spear-phishing attacks (source)
- Phishing platform 'Lucid' behind wave of iOS, Android SMS attacks (source)