Submitted by Global Scam Watch on

Cybercriminals are currently deploying highly convincing, cloned landing pages for Zoom and Google Meet to distribute malicious software. Unlike traditional phishing attempts seeking credentials, this operation focuses on installing Remote Monitoring and Management (RMM) tools. These tools allow unauthorized actors to gain total administrative control over victim machines.


The Mechanics of Deception

The campaign begins with a fraudulent invitation delivered through compromised email accounts or messaging platforms. These messages leverage urgency, citing a mandatory technical update or a security patch required to join an active meeting. When a user clicks the link, they arrive at a spoofed landing page mimicking the official branding and user interface of Zoom or Google Meet. To increase legitimacy, some variants include scripted participants already waiting in the lobby. These pages often feature audio loops of background office noise and chime sounds for new attendees.

The payload involves a prompt to download an update resolving a simulated microphone or connection issue. The downloaded file is often a legitimate, digitally signed RMM tool repurposed for unauthorized surveillance. Because these tools are legitimate commercial products, they frequently bypass signature-based antivirus detection and do not appear in the list of installed programs.

This strategy aligns with broader industry shifts where attackers prioritize high-fidelity impersonation over technical complexity. Modern adversaries are increasingly "logging in" rather than "breaking in." By using legitimate tools and deceptive domains, they effectively bypass traditional firewalls, which struggle to distinguish between a regular user and an intruder.


Exploiting Human Routine and Trust

These operations are engineered with precision, relying on predictable human error and typosquatting, where attackers register domain names nearly indistinguishable from those of legitimate organizations. By using common misspellings or character omissions, they intercept traffic from users who may not notice a minor discrepancy in the address bar. Once the page loads and the branding looks correct, that moment of trust is where the trap closes.

Bypassing Traditional HTTPS Security

This campaign specifically evades standard network security monitoring. While the initial landing pages use HTTPS to provide a false sense of security, the malicious traffic generated by the RMM tools remains hidden within encrypted sessions. Attackers use HTTPS tunneling and TLS-encrypted traffic to mask communication between the compromised device and their command-and-control servers. By blending in with legitimate corporate traffic, these tools remain active for extended periods without triggering network alarms.

Key Indicators of Compromise

Current observations identify several red flags and specific domains associated with these attacks. Vigilance is essential to prevent successful exploitation.

  •  Domain Name: Legitimate platforms use zoom.us or meet.google.com, while scams use addresses like uswebzoomus[.]com or googlemeetinterview[.]click.
  •  Installation: Official apps update automatically through stores, but scams require manual downloads of MSI or BAT files.
  •  Urgency: Legitimate services rarely require updates to join, whereas scams insist on fixes before entry.
  •  Verification: Scams often use fabricated entities like "Google Meet Video Communications, Inc."
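The domain and installer indicators above can be turned into a small triage check over proxy logs. The script below is an added example, not code from Global Scam Watch; the log line format, the keyword list and the last-two-labels approximation of a registrable domain are assumptions (a real deployment would use the Public Suffix List).

```python
from urllib.parse import urlparse

# Registrable domains of the real platforms, and brand strings that should not
# appear in any other domain (both taken from the article's indicator list).
LEGITIMATE_DOMAINS = {"zoom.us", "google.com"}
BRAND_KEYWORDS = ("zoom", "googlemeet", "gmeet", "meetgoogle")
# Installer types the article says the scam asks users to download by hand.
SUSPECT_EXTENSIONS = (".msi", ".bat")

def refang(indicator: str) -> str:
    """Turn defanged text such as 'uswebzoomus[.]com' back into a usable URL."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()

def hostname_of(value: str) -> str:
    """Hostname from a URL or bare domain (empty string if unparsable)."""
    value = refang(value)
    if "://" not in value:
        value = "http://" + value
    return urlparse(value).hostname or ""

def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels (assumption; use the Public Suffix List in production)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def classify(value: str) -> str:
    """'legitimate' for the real platforms, 'lookalike' for brand-bearing imposters."""
    host = hostname_of(value)
    if registrable_domain(host) in LEGITIMATE_DOMAINS:
        return "legitimate"
    flat = host.replace(".", "").replace("-", "")
    return "lookalike" if any(k in flat for k in BRAND_KEYWORDS) else "unknown"

def scan_log(log: str) -> list:
    """Flag '<timestamp> <user> <url>' lines (constructed format) that reach a lookalike host or fetch a suspect installer."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        user, url = parts[1], refang(parts[2])
        host, reasons = hostname_of(url), []
        if classify(host) == "lookalike":
            reasons.append("lookalike-domain")
        if urlparse(url).path.lower().endswith(SUSPECT_EXTENSIONS):
            reasons.append("manual-installer")
        if reasons:
            hits.append((user, host, reasons))
    return hits
```

A hit carrying both reasons, a brand-bearing domain outside zoom.us or google.com plus an MSI or BAT download, matches the pattern the article describes and deserves an immediate look at the endpoint for a newly installed RMM agent.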

Protecting the System

To defend against these social engineering tactics, users and organisations should adopt a multi-layered security approach. Always confirm meeting invitations through a secondary communication channel if the request arrives unexpectedly. The address bar is a security boundary; manually typing the exact web address into the browser address bar for any sensitive transaction bypasses search engines and AI systems entirely. Limiting the ability of standard users to install software prevents the execution of malicious RMM tools. Accessing meetings through pre-installed desktop or mobile applications rather than following browser-based prompts for new software provides the best protection against these cloned environments.