Photo Credit: Proofpoint
Zoom is a rapidly growing video conferencing service that is being used by more than 200 million users. But the service has been in the news for all the wrong reasons, including security flaws and vulnerabilities. Now, another threat to Zoom users has been reportedly spotted. Hackers are using credential phishing emails to gain access to Zoom users' account details. According to a report, hackers are targeting individuals and businesses in the transportation, manufacturing, technology, business, and aerospace sectors in the US.
Owing to the ongoing coronavirus pandemic, offices, schools, and other organisations have switched to video conferencing as a means of communication. This has led to the massive increase in user base for services like Zoom.
In an analysis published by Proofpoint, it was found that credential phishing is being used to gain access to user account details. Phishing is the process of deceiving and luring users into sharing their account details.
The report states hackers are using emails to target multiple sectors in the US. The emails seems to come from an “admin account” like “Rouncube Admin” or "admin@servewebteam[.]gq" and contains the subject line “Zoom Account.” The body of this mail seems to welcome users to Zoom and gives them a link to activate their account. This link takes the user to a “generic webmail landing page” where they are asked to enter their credentials.
Another phishing email discovered by Proofpoint tries to lure Zoom users with a “missed meeting” message. The mail claims that the user has missed a Zoom meeting and gives a link through which the recipient can check their missed conference. Clicking on the link takes the user to a Zoom page that looks quite official but, Proofpoint claims it is a “spoofed Zoom page.” The user is asked to enter credentials here.
A smaller campaign targeting manufacturing, industrial, marketing/advertising, technology, IT and construction companies tries to infect users with ServLoader/NetSupport remote access Trojans. The mail thanks the recipient for responding to a fake RFQ (Request for Quotation) and offers to have a Zoom call. The subject line in these mails can be “[Company] Meeting cancelled - Could we do a Zoom call”, “[Company] - I won't make it to Arizona - Could we talk over Zoom?”, “The [Company] - I won't make it to Tennessee - Can we talk over Zoom?”, and other variations.
It was also found that a large agricultural firm was sent an attachment that required it to “enable macros” after which a ServLoader PowerShell script is executed and that installs NetSupport, a remote-control application.
With most of the people using video conferencing as a means of communication during the ongoing coronavirus pandemic, the threats against their privacy and security seem to be increasing. However, it should be noted that this latest threat is not Zoom's fault in particular.