Data Harvester Parading as a Legitimate Application -ZoomInfoContactContributor.exe

01 Aug / 2023

Cyber Security

What is Happening?

Cythera are reporting a significant increase in the installation of a potentially unwanted application called ZoomInfo Contact Contributor. ZoomInfo’s “free” utility to provide users with contact details where access is paid for in a user’s data and not in money. Their application scrapes a large amount with ZoomInfo’s Privacy Policy stating the following:


Information that may be collected from the user’s email client includes the following, if available:

  • Name
  • Email address
  • Job title and department
  • Phone numbers (general or direct business numbers, faxes and/or mobile numbers)
  • Company name
  • Postal address of company
  • Business related postal address of person
  • Corporate website URLs
  • Social media URLs
  • Metadata such as Internet Protocol addresses, the dates email messages are sent or received, and subject line information
  • Email addresses, names, and job titles of recipients and senders

This is not entirely transparent on the part of ZoomInfo. Risk assessments performed by sandboxing tools, indicates further information that ZoomInfo attempts to extract via their application. This includes Microsoft Edge browser history, email credentials and system information. On their website, ZoomInfo claim “we do not track personal browsing history”. ZoomInfo claims to only scrape email headers and signature blocks that are received by community members in addition to claiming that bots analyse that information.

ZoomInfo claim that user’s can “opt out” of their service and have their profile removed from the database. One of Cythera’s SOC Analysts has initiated this process on their own profile and is pending a response from ZoomInfo.

To be clear, there are legitimate use cases for other products in ZoomInfo’s lineup. This blog is to specifically address the “free” Community Edition.

WHAT YOU CAN DO

Implement application level blocks via Endpoint Management tools like Intune and Desktop Central to prevent the application from being installed. Cythera recommend blocking the following:

  • coordinator.exe (SHA256: a094d96e2c4d3ffa26c0b74ddde1448f0acc7f9cdaa7c15cd76d948f3f163a70)
  • ZoomInfoContactContributor.exe (Installer) (SHA256: 2aa9f15810e2c55dbc8522e386d76d1a8fb3a63a712b33e17bd2139a7b45c76b)

Implement blocks at the network level to prevent the application attempting to install in the first place. Cythera recommends outbound blocks to the following domains:

  • zoominfo[.]com
  • cswapper.appspot[.]com
  • cswapper.freshcontacts[.]com

Additionally, Cythera are actively hunting for the suspicious indicators associated with ZoomInfo for our customers and we are developing detection rules for our Managed Detection and Response customers.

If you have any questions or concerns, please feel free to reach out to us.

Resources

Resources

You may be interested in

Security Legislation In Australia: Making Sense of the Options and Obligations

In the realm of cyber security, frameworks serve as the backbone for creating, enhancing, and maintaining security protocols. For Australian sec…

Read More arrow_forward

Cythera Announces Partnership with Abnormal Security

Cythera are proud to announce a new technology partnership with Abnormal Security, bringing next generation email protection to our clients.Cyth…

Read More arrow_forward

FORTIGUARD FIREWALL HEAP-BASED BUFFER OVERFLOW VULNERABILITY - CVE-2022-25610

FORTIGUARD FIREWALL HEAP-BASED BUFFER OVERFLOW VULNERABILITY CVE: CVE-2022-25610What is VulnerableFortiOS version 7.2.0 through 7.2.3FortiOS ve…

Read More arrow_forward