Zoom resolves issue with vanity URLs to prevent phishing attacks

Prashasti Awasthi Mumbai | Updated on July 17, 2020 Published on July 17, 2020

Zoom, in collaboration with Checkpoint Technology Ltd., resolved an issue with its vanity URLs. The issue allowed an attacker to impersonate an organization’s Vanity URL link and send invitations that appeared legitimate in order to trick a victim.

What is a Vanity URL?

Zoom lets users create their own Vanity URL, which is described on its website as a custom URL for your company, such as yourcompany.zoom.us.

The Vanity URL mechanism allows organizations to create a customised version of Zoom’s invitation links.

Before the issue was resolved, a hacker was able to impersonate an organisation’s Vanity URL link and send invitations that appeared to be legitimate.

How hackers managed to phish

The issue with the URL let hackers direct the victim to a dedicated sub-domain website, where the victim entered the relevant meeting ID and would not be made aware that the invitation did not come from the legitimate organization, Checkpoint mentioned in its blog post.

According to Checkpoint, there were many relevant day-to-day scenarios that could have been potentially leveraged using the impersonation method, which could have resulted in a successful phishing attempt.

Speaking on the new collaboration and on resolving the phishing issue in Zoom, Adi Ikan, Network Research & Protection Group Manager at Check Point, said in the blog post: “Our partnership with Zoom has provided Zoom users globally with a safer, simpler and seamless communication experience.”

He added: “Check Point Research is dedicated to improve and thrive towards safer technologies, better-secured infrastructures, and generally to enrich the greater intelligence community, and will continue such efforts by liaising with product leaders such as Zoom.”

Online conferencing app Zoom has been in the limelight for all the right and wrong reasons. While it facilitated work from home by helping users carry out meetings online amidst the pandemic, it has also been called out for security issues.

Earlier in April, the Cyber Coordination Centre (CyCord) under the Ministry of Home Affairs (MHA) had also released an advisory on the use of the Zoom video-calling app. The advisory directed government officials not to use the app for official purposes.

India’s Cyber Emergency Response Team (CERT-In) had also issued multiple warnings previously on the use of the Zoom app for video conferencing, Gadgetsnow reported.
