Written By: Jeremy Fuchs, Cybersecurity Researcher/Analyst at Avanan, A Check Point Company
Virtual community and school board meetings have been commonplace over the last two years. Instead of gathering in person, these meetings, often held over Zoom, have been critical to keeping the community involved.
While most meetings have returned in-person, they are often still live streamed on Zoom. This helps preserve community access.
However, there represents a risk to these live-streamed events. while many might be familiar with Zoom-bombing, that insidious practice of a hacker jumping onto a Zoom and introducing malicious or explicit content, there’s another method that hackers have found to exploit such calls.
Starting in March 2022, Avanan researchers have seen how hackers have spoofed reminders of community and school board invitations, by attaching what looks like a Zoom invitation. Instead, the attachment is a malicious PDF. In this attack brief, Avanan will analyze how hackers are spoofing important community meetings to spread malware.
In this attack, hackers are taking advantage of popular community and school meetings to generate malicious attachments that look like Zoom invites. Clicking on the PDF attachment doesn’t go to a Zoom invite; rather, it’s a chance to spread malware
- Vector: Email
- Type: Credential Harvesting, Malicious File
- Techniques: Spoofing, Brand Impersonation
- Target: Any end-user
In this attack, threat actors are spoofing community and school organizations to send malware in lieu of invitations to live stream a public meeting.
Email Example #1
The email appears to come from a community organization. The PDF does not contain meeting details, but rather is a malicious download.
Hackers are spoofing community organizations to send malware.
In the email campaign, users see what looks like a reminder of a board meeting, with a PDF that would appear to have Zoom or other conference details. Instead, it links to a malicious download.
This is a particularly clever technique, as folks are still inclined to expect virtual invitations for community and school meetings.
It is easy for this attack to show legitimacy. The association spoofed is legitimate; all public meetings are public records, so the dates can match. With just a PDF, it can easily look like a calendar invite attached to an email.
Even as events return in-person, they will probably remain live-streamed for the foreseeable future. That makes attacks like these potentially very profitable for hackers, and one that can last for some time. Beyond that, there are countless community associations across the country and world. There are also tons of video conferencing platforms to leverage.
Best Practices: Guidance and Recommendations
To guard against these attacks, security professionals can do the following:
- Check sender address before interacting with any email
- Always hover over any link to see the destination URL before clicking on it
- Ask the administrators of the community association or school board if they in fact sent that email.