With most organizations switching to work from home to prevent the spread of COVID-19, tools related to remote work and the cloud have surged in popularity in recent weeks. Zoom is one of the most popular cloud-based enterprise communication platforms and offers chat, video and audio conferencing, and options to host webinars and virtual meetings online.
With this sudden spike in Zoom use, attackers are increasingly seeking to take advantage of users with a variety of tactics. One of the most common recent examples of this is a technique called war-dialing or Zoom bombing, where an unauthorized user joins or hijacks an unsecured Zoom session. Organizations have attempted to quickly respond to this Zoom bombing trend by instilling passwords and attempting to lock down Zoom accounts. With increased publicity of Zoom bombing, some attackers are registering new fake Zoom-related domains, which attempt to trick people into downloading malware while others are seeking to compromise Zoom accounts and offer them for sale on hacking forums.
Malicious Domains Share Insecure Zoom Meetings and Call IDs
Malicious domains have been stood up to both share legitimate Zoom links to encourage Zoom bombing as well as to trick users with fraudulent meeting links. In March 2020, Alpha Team identified approximately 5343 ‘Zoom’ domains were newly registered. By April 4, over 10,000 additional new domains had been registered. In a sampling of 1700 of the new domains, only 4% of them contained suspicious characteristics or malware, according to ZeroFOX researchers, meaning that the large majority of suspicious domains are not yet being used with malicious intent – but could be in the future. While a lot of nefarious domain activity is related to Zoom, other online collaboration platforms are also being spoofed to trick victims. This domain activity appears to utilize the same tactic applied in past notable events in order to increase the likelihood of a target opening a malicious payload. Phishing lures and domains themed around COVID-19 have also significantly increased in usage during the same time frame.
Threat actors are using the malicious Zoom-themed domains to trick victims into downloading cryptocurrency miners, remote access trojans, and adware bundles. One of the particularly malicious domains, discovered by ZeroFOX researchers, attempts to deliver a potentially unwanted program (PUP) called InstallCore. This PUP has the ability to drop secondary payloads, disable User Access Control (UAC), add files to be launched on startup, install browser extensions, and alter browsers’ configuration and settings.
ZeroFOX has also identified entire websites dedicated to sharing insecure Zoom call IDs, like this one, below, for sharing digital learning links. These sites provide a convenient way for attackers to quickly identify new targets.
Zoom Credentials for Sale
As another example of the exploitation of the increased use of Zoom, criminals have been offering compromised Zoom account credentials for sale. Although these sales ads do not specify the method with which these accounts have been compromised, one of the most commonly used methods is credential stuffing. This tactic involves brute force login attempts, where a list of passwords (often generated with breached passwords from other sites) is tried until the attacker achieves a successful login.
On one of the few hacking forums still allowing Zoom account sales, Alpha Team identified over 4,000 cracked accounts for sale.
Separately, Alpha Team identified approximately 3,600 freely available Zoom accounts across multiple dark web forums. Available information includes: Zoom username, password, meeting IDs and meeting passwords, with this information either linked from these forums to paste sites or hosted on paste sites directly. Across these accounts, 413 unique domains were identified across 39 industries. The overwhelming majority of these email addresses belong to the Education industry. 75 unique Higher Education email domains were in this dataset, with Telecom coming in second at 13 unique domains, and Financial services at 6 unique domains.
The term ‘Zoom bombing’ is all over the news right now, and for good reason as it poses a legitimate threat to organizations. Zoom bombing, or war dialing, is possible because meeting IDs are hardcoded in Zoom URLs. Attackers are able to brute-force meeting ID values until an active meeting is found. Zoom bombing, specifically, refers to attackers gaining access to unsecured calls and leveraging the call for their own devices. This may involve simply disrupting the call, or could potentially involve an attacker recording or eavesdropping on the call without the intended meeting participants’ knowledge.
A similar string of attacks occurred against Amazon Ring security cameras in December 2019. Lax Ring security protocols allowed hackers to compromise devices and interact with users, often harassing them. Because of the publicity of these attacks, moderators of the hacking forums used to organize these Ring hacks banned the discussion of the devices, in an attempt to fly under law enforcement’s radar.
Similar chatter has begun to circulate through the forums, with users concerned that Zoom bombing will draw unwanted attention. In many of the forums ZeroFOX monitors, all posts referencing Zoom appear to have been purged. Although cached posts referencing Zoom can be seen in search results, attempting to access these threads displays an error stating, “The specified thread does not exist.”
As hacking forums have restricted discussion of Zoom, chatter has shifted onto Discord channels. Many of these channel links are shared on social media platforms to improve visibility. Since April 06, 2020, ZeroFOX has identified over 15,000 social media posts containing invite links to Zoom-bombing related Discord servers.
Companies who use Zoom need to adjust their security posture to prepare for Zoom bombings. Alpha Team has analyzed thousands of webpages on the surface web containing public Zoom URLs. These URLs are structured as a regular expression: https://zoom.us/j/\d+. Alpha Team found approximately 16,200 websites that contain a public invite link for Zoom meetings. Attackers can use these URLs to directly connect to meetings, and if insecure, they can interact in the chat, display video or share their screen. Of these URLs, 45 total industries were identified. Higher Education was the highest industry that displayed public Zoom links, Professional Services was second and K-12 School Districts were third.
In Summary: Secure Your Zoom Meetings
The increase in use of video conferencing software such as Zoom has also sparked an increase in threat actors targeting the platform. Although Zoom has recently released an update to default to secure meeting configurations, and has paused feature updates for the next 90 days in order to focus on security and privacy, attackers are still able to abuse the platform and profit off of compromised account sales.
Threat actors are likely to continue creating Zoom-related domains to deceive victims into installing malware or conduct other malicious activities as long as Zoom remains a popular collaboration tool. Threat actors involved in this type of activity are constantly tracking popular topics like Zoom, or even COVID-19, because they can receive an influx in traffic to their domains. As Zoom and other video conferencing services become less vulnerable and novell, threat actors will set up new infrastructure to capitalize on the next hot topic and vulnerability, whatever it may be.
To best protect your organizations from these risks, here’s what ZeroFOX recommends:
- If you believe your Zoom account has been compromised, immediately change your password
- Enable 2-factor authentication for all of your organizational accounts to help mitigate phishing and credential stuffing attacks
- If your organization uses Zoom or any other video conferencing software, ensure that you have enabled password-protected meeting invites.
- Beware of lookalike domains and avoid clicking directly on links embedded in emails. Threat actors often use URL shorteners to make malicious links more appealing
How ZeroFOX is Responding
ZeroFOX Alpha Team has disclosed these findings to Zoom as well as to law enforcement for victim notification. Current ZeroFOX customers will be notified of any leaked teleconferencing URLs, phishing domains and other video-conferencing threats directly within the ZeroFOX Platform. As advanced threats emerge, ZeroFOX is providing customers the ability to secure and gain visibility into collaboration platforms, like Zoom, that traditional cybersecurity tools miss. Ensure secure password-enabled meetings, identify malicious and fraudulent Zoom links, and protect credentials on Zoom. ZeroFOX is offering a 15 day trial of Zoom protection to stop attacks like the ones listed here. More information and activation for your organization is available here.