Credential Harvesting Attacks Take Aim at Video Meeting Apps

online video meetings

Users of Zoom and other video conference tools should be aware of the growing risk of impersonation attacks. Even the use of other video platforms to keep in touch with friends on a social level now poses higher security risks.

A report released this month by Eli Sanders, chief data scientist at INKY, attempted to raise awareness of this growing vulnerability. INKY is a cloud-based email security platform that uses artificial intelligence to spot signs of fraud, along with spam and malware.

INKY researchers identified attacks stemming from Australia, Germany, the U.S., and elsewhere. Cybercriminals are capitalizing on the exponential increase of users turning to Zoom and Teams to collaborate across work and friend networks.

Phishing Frenzy

Zoom has seen an unprecedented rise in new users this year, primarily driven by COVID-19 pandemic lockdowns. This web-based video conferencing giant jumped from 10 million daily meeting participants last December to 300 million this April.

This meteoric rise in users caused a “veritable phishing frenzy” where cybercriminals around the globe are trying to capitalize on opportunities for scams and fraud. These include an explosion of fake meeting invitations that impersonate Zoom and Teams in phishing forays that attempt to steal users’ confidential details.

“Some users might not be aware of precautions or [be] familiar with how Zoom works. The goal of this phishing campaign is to steal Microsoft credentials, but you don’t actually need to log into a Microsoft account to attend a Zoom conference,” Sanders told TechNewsWorld.

A related issue called “Zoom bombing” is also prevalent. Trolls and hackers disrupt non-password-protected public conferences by uploading offensive graphic content, malicious links, and malware, he added.

Other platforms are risky, too. Bad actors also send similar phishing emails that impersonate Microsoft Teams, Skype, RingCentral, and Cisco Webex.

Why the Fuss?

When someone’s login credentials are stolen, the thieves sell the information on the Dark Web to multiple bad actors. The phisher also has immediate access to the victim’s Microsoft account, so they can view all emails, access sensitive uploads on OneDrive, or send phishing emails from that compromised account, Sanders explained.

INKY claimed its technology stopped approximately 5,000 of these phishing attacks. The company highlighted the origin and attack mechanism of 13 unique phishing templates, all designed to lure Zoom users into giving up the kinds of confidential credentials that allow cybercriminals to steal billions of dollars each year.

Average losses per company totaled nearly US$75,000 per incident in 2019. These types of phishing attacks can doom small-to-mid-sized businesses. Not surprisingly, that “Zoom & Doom” expression is part of the INKY report title.

Zoom’s newcomer status and the rush to adjust to working from home contributed to making the video platform a prevalent target for attack. Zoom has lots of new users since students and workers now rely on it to replace in-person meetings, agreed Sanders.

Always Be On Guard

Knowing that these phishing scams are on the rise — big time — is one thing. Being able to prevent falling victim to them is something else.

Common phishing lures are fake notifications delivered in voicemail, new document alerts, and account updates. The attackers’ goal is usually credential harvesting or installing malware with an email attachment, according to Sanders.

A basic step that organizations can provide to their staff is user awareness training to help those who normally interact with these phishing attacks learn to be suspicious of their email.

One tactic is for the user to manually check for clues that can be rather obvious. For instance, look for unknown senders, hover over a link (without clicking) to reveal the URL embedded behind it, and be suspicious of attachments, Sanders suggested.

Many companies also have a previous investment in security email gateways (SEGs) to attempt to spot these malicious emails. But bad actors are creative and fool the user and these legacy systems all the time, he noted.

These platforms can be easily accessed by both work computers and mobile devices. On phones and tablets, smaller screens hide a lot of the red flags employees have been trained to spot, according to Hank Schless, senior manager for security solutions at Lookout.

“The devices will also shorten the name of the file or URL being delivered by the threat actor. This makes it difficult to spot a suspicious document or website name,” he told TechNewsWorld.

If the user clicks on the malicious link and goes to the phishing page, it may be close to impossible to spot the differences between the real and fake pages. If employees are not familiar with the platform’s interface, it is unlikely that they will be able to spot any giveaways of the phishing page or even question why they’re being asked to login, in the first place, explained Schless.

Dangers Lurk

Even before COVID-19 and global remote work, bad actors routinely used fake Google G-Suite and Microsoft Office 365 links to try to phish a company’s employees. The number of people using Zoom and Teams has increased dramatically, with everyone forced to work from home.

Malicious actors know new users are unfamiliar with the apps. So the cybercriminals exploit using both malicious URLs and fake message attachments to bring targets to phishing pages, Schless noted.

Mobile phishing rates are 200 percent higher for users of Office 365 and G-Suite than those without them, according to Lookout data. Employees are much more likely to engage with a link or document if it looks like it’s part of the app ecosystem you already use.

“When your employees are outside the office and on the go, there is a high likelihood they are going to be reviewing documents on mobile devices,” he added.

Matters like this will likely be an issue on every type of platform forever. This is just a 2020 version of phishing or spear phishing (sending targeted fake emails), according to Bryan Becker, product manager at WhiteHat Security.

“Even video game platforms have this issue with criminals using these techniques to steal virtual currencies,” he told TechNewsWorld.

All one has to do is look at one of the most recent major phishing campaigns carried out against Twitter users, observed Becker.

“The recent happenings at Twitter are a perfect example of the potential dangers that lurk beneath the attacks,” he said.

He was referring to the July 30 announcement Twitter officials made about the unprecedented July 15 phone spear-phishing attack targeting 130 people, including CEOs, celebrities, and politicians. The attackers took control of 45 of those accounts and used them to send tweets promoting a basic Bitcoin scam.

Ruses Revealed

INKY’s report pointed out multiple techniques attackers used in the Zoom and Teams campaigns. Sanders highlighted a few of those techniques:

  • Malicious links to fake O365 or Outlook login pages, where a simple copy/paste of actual HTML/source code from Microsoft makes it look very convincing to the user;
  • HTML attachments that build the fake login page as localhost on the user’s computer. Including an attachment prevents SEGs from finding the link on an industry blocklist/reputation checker. Also, the attachments are encoded, so they are not readable by humans or the typical SEG;
  • The attacker personalizes the phishing email with information from the user’s email address. Attackers add the user’s or company’s name as part of the From Display Name, email content, malicious link (created dynamically), zoom meeting name;
  • Fake logos that are actually just text and CSS tricks to make it appear as a logo in order to get by the SEG.

Sanders detailed other tricks that attackers used to pull off the phishing assaults. For instance, they used hijacked accounts to get past any SPF or DKIM checks or created new domains with realistic-sounding names to trick users, such as Zoom Communications.com or Zoom VideoConfrence.com.

Did you notice the spelling error? Spelling and grammar mistakes are typical clues to an attack. But many users simply do not notice such things.

While some hijacked accounts are well known and can be found on industry blocklists, the new accounts are attempting to implement a zero-day attack to bypass the SEG, Sanders explained. Eventually, they get discovered and blocked. But in the meantime, they can get through the SEGs.

Jack M. Germain

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics. Email Jack.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by Jack M. Germain
More in Hacking

Technewsworld Channels