Hackers are using fake video conferencing messages in order to steal Office 365 credentials, as part of a ransomware campaign.
False Zoom notifications are now being used by cyber-criminals to target Office 365 users in a new phishing campaign to steal credentials.
Researchers at Abnormal Security say Microsoft Office 365 users in corporate environments are the focus of the operation. In a blog post, they describe how victims are told that their Zoom accounts have been ‘suspended.’
The victims receive an email sent from an address that spoofs the official Zoom email address. It impersonates an automated notification from Zoom and claims that the recipient will not be able to use the service until they ‘use the link provided in the email’ to ‘activate’ their account again.
The email contains a link hidden inside the text that redirects to a page hosted on an unrelated domain that the attackers have hijacked. That page in turn redirects to a fake Microsoft login page hosted on yet another domain.
Though the email impersonates the Zoom brand, the attacker is after the recipient’s Microsoft credentials, which can then be used to access a much larger amount of sensitive information.
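The two traits described above, a spoofed Zoom sender and a brand-themed link that leads to an unrelated domain, are exactly what a mail-filtering check can flag before the message reaches a mailbox. The following is an added example, not code from the article or from Abnormal Security: it runs a constructed message resembling the campaign through two defender-side checks, an envelope-versus-header sender mismatch and off-brand link hosts, with the allow-listed Zoom domains being an assumption.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample: Zoom-branded "suspended account" notice whose link points
# to an unrelated (hijacked) domain, as in the campaign the article describes.
SAMPLE_EML = """\
From: Zoom <no-reply@zoom.us>
Return-Path: <bounce@mail.example-hijacked.test>
Subject: Your Zoom account has been suspended
Content-Type: text/html

<a href="https://blog.example-hijacked.test/r?to=login">Activate your account</a>
"""
BRAND_DOMAINS = {"zoom": {"zoom.us", "zoom.com"}}  # assumed allow-list per brand
class _LinkParser(HTMLParser):
    """Collect [href, visible text] pairs from anchors in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self.links.append([self._href, ""])
    def handle_data(self, data):
        if self._href is not None:
            self.links[-1][1] += data.strip()
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None
def _domain(addr):
    # Domain part of an address header value, lower-cased ('' if absent).
    m = re.search(r"@([\w.-]+)>?\s*$", str(addr or ""))
    return m.group(1).lower() if m else ""
def analyze(raw):
    """Return findings: envelope/header sender mismatch and off-brand link hosts."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom, rp_dom = _domain(msg["From"]), _domain(msg["Return-Path"])
    findings = []
    if rp_dom and rp_dom != from_dom:
        findings.append(f"envelope/header mismatch: {from_dom} vs {rp_dom}")
    brand = next((b for b, d in BRAND_DOMAINS.items() if from_dom in d), None)
    parser = _LinkParser()
    parser.feed(msg.get_content())
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if brand and not any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand]):
            findings.append(f"{brand}-branded mail links to off-brand host {host} ({text!r})")
    return findings
```

A real gateway would combine these checks with SPF/DKIM results and a reputation lookup on the link host; here the constructed message yields two findings, and a genuine Zoom invite linking to a zoom.us host yields none.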
“Should recipients fall victim to this attack, their Microsoft login credentials as well as any other information stored on those accounts will be compromised,” explained researchers.
To date, the phishing campaign impersonating automated Zoom account-suspension alerts has reached over 50,000 mailboxes, according to figures supplied by the researchers.
The targets of the campaign are much more willing to trust these emails at the moment: stay-at-home orders and pandemic lock-downs have dramatically increased the number of remote workers attending daily online meetings on video conferencing platforms such as Zoom.
James McQuiggan, Security Awareness Advocate at KnowBe4, noted that cyber-criminals are moving their attention away from emails about package deliveries or airline tickets and towards fake calendar invites.
“This attack vector provides cyber criminals with another method to steal user credentials to either sell or leverage them to gain access to an organisation for additional reconnaissance or exploitation,” he commented.
He added that by exploiting the human fear of missing out, a meeting invite or an account-expiry email encourages the end user to click the link in order to avoid missing a meeting or losing access to their connection with the outside world.
“With the current pandemic, most remote employees find the Zoom meeting, and meeting invites, as a means to maintain their human socialisation requirements,” explained McQuiggan.
Chad Anderson, Senior Security Researcher at Domain Tools, observed that, thanks to growing cyber-security awareness, most workplaces now do a good job of protecting employees from phishing attacks.
“However, as much as we advance, so do cyber-criminals. As we up our game, so do they. And in order to get around our more robust gateways, they build more creative and targeted attacks, finding any threat vector they can to get inside,” he commented.
“In this case, the exponential increase in the adoption of Zoom during the lock-down made it a very appealing target to impersonate, as it allows criminals to cast a wide net of potential victims.
Also, as most people need to be able to log into their Zoom as part of their day-to-day work, an email saying the account has been suspended creates an understandable sense of urgency,” he concluded.