Zoom and WebEx users targeted by credential stealing attempts

Users of popular videoconferencing services such as Zoom and Cisco WebEx should be on their guard against phishing attacks that seek to steal their service credentials, according to Proofpoint’s senior director of threat research, Sherrod DeGrippo, who has been tracking an uptick in videoconferencing-themed attacks since the end of March.

The latest wave of attempted cyber attacks predictably focuses on the Covid-19 coronavirus pandemic, which has seen millions of people switch to working from home to comply with national lockdown regulations.

DeGrippo said: “Videoconferencing has become very popular very quickly. Attackers have noticed and moved to capitalise on that popularity and brand strength. Not only are attackers using videoconferencing brands as a lure for malware, but they’re using it for credential phishing, in particular to steal Zoom and WebEx credentials.

“This points to the increasing value of compromised videoconferencing accounts. Stolen account credentials could be used to log in to corporate videoconferencing accounts and violate confidentiality. They could also be sold on the black market or used to gain further information about potential targets for launching additional attacks.”

The credential-stealing attacks do not hinge on any vulnerabilities in either Zoom or WebEx, but rather exploit the services’ names and brands as themes in social engineering lures, enticing victims to enter their passwords on a fraudulent website in order to fix a problem or receive an upgrade.

DeGrippo said she had observed variants of both attacks targeting organisations in the accounting, aerospace, energy, government, healthcare, manufacturing, technology and telecoms, and transport sectors.

The WebEx attacks purport to come from admin email addresses that, at first glance, could be legitimate Cisco addresses, and will generally have subject lines such as “Critical Update”, “Alert!”, or “Your account access will be limited”.

The targets are told that they need to upgrade their WebEx clients to fix a cyber security vulnerability in the Docker Engine Configuration in Cisco CloudCenter Orchestrator, a legitimate vulnerability (CVE-2016-9923) first disclosed some time ago, and which was fixed – such as it pertains to Cisco products – in a December 2016 patch. If they click on the link, they will be redirected to a fake website that asks for their WebEx username and password.

The attacks on Zoom target similar sectors, and take the form of a welcome wagon, trying to get their targets to click a link to activate their new Zoom account. The link redirects to a generic webmail page on which they are asked to enter their credentials. A second variant of this lure claims the recipient missed their Zoom meeting and includes a link they can use to “check your missed conference”. Almost needless to say, the link does nothing of the kind.

DeGrippo said another particularly dangerous campaign targeting Zoom users had been seen aimed at businesses in the construction, energy, manufacturing, marketing and technology sectors. It uses similar lures exploiting Zoom, but in reality is distributing the ServLoader/NetSupport remote access trojans (Rats). If enabled, these malicious executables will be able to access files and information on the victim’s system.

The message identified thanks the target for responding to a fake request for quotation (RFQ), includes an attachment that relates to the RFQ, and offers a Zoom call to discuss further. Subject lines spotted in the wild include “[Company name] Meeting cancelled – Could we do a Zoom call?” and “[Company] – I won’t make it to [various US states] – Could we talk over Zoom?”.

More information on the latest campaigns can be found here.