Cybercriminals Target US Citizens with Zoom and SSA Phishing Scams

Phishing site | Image: CRIL

Cybercriminals are exploiting a clever Zoom phishing scam to distribute ScreenConnect remote access software, potentially enabling them to defraud unsuspecting victims, including Social Security Administration (SSA) beneficiaries. This new scheme, discovered by Cyble Research & Intelligence Labs (CRIL), combines social engineering and technical trickery to gain unauthorized access to victims’ computers.

The scam begins with a phishing email, text, or call claiming to be from trusted sources such as Amazon, PayPal, or even government agencies like the SSA. The victim is informed of an urgent issue—such as a compromised account or a technical support problem—and is directed to call a fake tech support number or click on a malicious link. Under the guise of resolving the issue, the scammer instructs the victim to download ScreenConnect software, which allows the attacker to take control of the victim’s computer.

Once ScreenConnect is installed, the scammer gains full access to the victim’s system. This access enables them to view sensitive information, manipulate files, and initiate fraudulent transactions. In some cases, the scammer tricks the victim into believing they have received an excess refund, pressuring them to “return” the money, which is sent directly to the scammer.

CRIL’s investigation revealed that the ScreenConnect installation connects to a suspicious domain, poyttwq[.]zapto[.]org, hosted on an IP address that also supports another domain involved in SSA-related scams. This suggests that the scammers are using the same infrastructure to carry out various fraudulent activities targeting different groups.

The phishing campaign often uses a Zoom-themed website to trick users into downloading a binary file named Private-Meeting.ClientSetup.exe. This 32-bit binary, containing multiple PE files, extracts an MSI installer that deploys ScreenConnect on the victim’s system. The entire process is designed to appear legitimate, with the ScreenConnect client ultimately connecting to the scammer’s domain.
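An added detection example (not from CRIL or the original article): the script below triages process-creation events for the installer name and relay domain reported above, and flags any ScreenConnect client pointed at a relay that is not on an approved list. It assumes the ScreenConnect client service command line carries its relay host in an `h=` query parameter; the event fields, the approved-relay list, and the sample events are constructed.

```python
from urllib.parse import parse_qs

# Values reported on this page; the domain is refanged only for comparison.
REPORTED_INSTALLER = "private-meeting.clientsetup.exe"
REPORTED_RELAYS = {"poyttwq[.]zapto[.]org".replace("[.]", ".")}
# Assumption: placeholder for the relay hosts your organisation really uses.
APPROVED_RELAYS = {"relay.corp.example"}

def relay_host(cmdline):
    """Extract the h= relay host from a ScreenConnect client command line."""
    if "screenconnect" not in cmdline.lower() or "?" not in cmdline:
        return None
    query = cmdline.split("?", 1)[1].strip('" ')
    hosts = parse_qs(query).get("h")
    return hosts[0].lower().rstrip(".") if hosts else None

def triage(event):
    """Return findings for one process-creation event (a dict)."""
    findings = []
    image = event["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image == REPORTED_INSTALLER:
        findings.append("installer name reported for this campaign")
    host = relay_host(event["cmdline"])
    if host in REPORTED_RELAYS:
        findings.append(f"relay {host} reported for this campaign")
    elif host and host not in APPROVED_RELAYS:
        findings.append(f"relay {host} is not an approved relay")
    return findings

# Constructed sample events, not real telemetry; port and key are made up.
SVC = r"C:\Program Files (x86)\ScreenConnect Client (0000)\ScreenConnect.ClientService.exe"

def svc_event(host):
    cmd = f'"{SVC}" "?e=Access&y=Guest&h={host}&p=443&k=CONSTRUCTED"'
    return {"image": SVC, "cmdline": cmd}

SAMPLE_EVENTS = [
    {"image": r"C:\Users\a\Downloads\Private-Meeting.ClientSetup.exe",
     "cmdline": r'"C:\Users\a\Downloads\Private-Meeting.ClientSetup.exe"'},
    svc_event(next(iter(REPORTED_RELAYS))),
    svc_event("relay.corp.example"),
    svc_event("Unknown-Relay.example.net"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["image"].rsplit("\\", 1)[-1], "->", triage(ev) or "no findings")
```

Because ScreenConnect is a legitimate tool, the approved-relay comparison is the part that generalizes beyond this campaign: a renamed installer or a new dynamic-DNS host still produces a finding.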


Scam website prompting to enter secure code | Image: CRIL

Further investigation revealed a connection to a fraudulent website, railindiaticket[.]in, which masquerades as a support page asking users to enter a secure code. A social media post highlighted by CRIL detailed how a user received an email from “support@railindiaticket[.]in,” falsely claiming to be from SSA support, urging the recipient to download a malicious application.

The Social Security Administration (SSA), responsible for administering Social Security benefits to millions of Americans, has become a prime target for these scammers. By impersonating SSA officials, the scammers exploit detailed personal information to gain the trust of their victims. The campaign often culminates in a long-con approach known as “pig butchering,” where the victim is manipulated into handing over valuables or currency during an in-person meeting with someone involved in the scam.
