Millions of family & friends in the US, who were forced to spend Thanksgiving socially distant, were being targeted by cyber-criminals as they turned to video platforms like Zoom to be virtually together.
In this ongoing attack, cyber-security experts warn, victims were targeted with a Zoom-related & Thanksgiving-specific ‘hook’ similar to Zoom Bombing — so let us call it ‘Turkey Bombing.’
Threat actors had already stolen nearly 4,000 credentials before the US Thanksgiving holiday was even over, according to a report.
Last Thur., a security researcher cautioned that a major phishing campaign would commence over the US Thanksgiving long weekend & was aimed at stealing Microsoft credentials.
Attackers had already teased credentials out of 1,000s of users, according to the researcher who goes by the handle The Analyst. The researcher, quoted in a Bleeping Computer report, says the attack is ‘ongoing’ & likely to continue.
The ‘Turkey-Day’ themed email scam trades on the huge popularity of Zoom. Bogus messages are being sent at scale & falsely tell recipients, “You received a video conference invitation,” according to The Analyst. Each message carries a link to ‘review’ the invitation, & that link is the hook.
The link takes victims to a fake Microsoft login page hosted under Appspot.com, the Google-owned domain from which Google App Engine serves developer-deployed web applications on Google-managed infrastructure. Hosting the page there gives it a legitimate-looking Google hostname, which helps it slip past victims & some URL-reputation filters.
According to the report, when a victim lands on the phishing page, their email address is already pre-populated in the login field, & they are prompted only for the password of the associated Microsoft account.
If someone takes the lure, the phishing page records not only the victim’s email address & password, but also their IP address & geographic location.
The attackers then test whether the stolen credentials work by attempting to authenticate to the victim’s mailbox over the Internet Message Access Protocol (IMAP); credentials found to grant access to a privileged account are then used to breach it.
IMAP is a protocol used by companies & email services to give mail clients direct access to messages on a mail server. Because a plain IMAP login needs nothing more than a username & password, it is a convenient way to check a stolen credential without the multi-factor prompts a browser sign-in may trigger, which is one reason defenders disable legacy IMAP authentication for accounts that do not need it.
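As an added example (not code from the report, The Analyst, or Zoom), the following Python triage function scores an email on the three signals described above: the lure text, a login link hosted under appspot.com, and a link that pre-fills the recipient’s own address. The hostnames, query-parameter names and sample messages are constructed for illustration and are not taken from the campaign.

```python
"""Triage of the Zoom-invitation lure described above (added example, not from
the report). It scores an email on three signals: the lure text, a login page
hosted under appspot.com, and a pre-filled recipient address in the link.
Hostnames, parameter names and messages below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

LURE_PHRASES = ("you received a video conference invitation",)
# Developer hosting domains abused to lend a phishing page a trusted hostname.
DEV_PLATFORM_SUFFIXES = (".appspot.com",)
# Query parameters a kit might use to pre-populate the login field
# (these names are an assumption, not taken from the report).
EMAIL_PARAM_NAMES = ("email", "login", "user", "username", "login_hint")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def analyse_url(url: str) -> dict:
    """Pull the two URL-level signals out of one link."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    prefilled = None
    qs = parse_qs(parsed.query)
    for name in EMAIL_PARAM_NAMES:
        for value in qs.get(name, []):
            if "@" in value:
                prefilled = value
    # Some kits carry the address in the fragment instead (#user@example.com).
    if prefilled is None and "@" in parsed.fragment:
        prefilled = parsed.fragment
    return {
        "url": url,
        "host": host,
        "dev_platform_host": host.endswith(DEV_PLATFORM_SUFFIXES),
        "prefilled_email": prefilled,
    }


def _plain_text(msg) -> str:
    """Concatenate the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True)
        if payload:
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage_message(raw_message: str) -> dict:
    """Score one raw RFC 822 message; two or more signals is treated as a phish."""
    msg = message_from_string(raw_message)
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    body = _plain_text(msg)
    text = (msg.get("Subject", "") + "\n" + body).lower()

    urls = [analyse_url(u) for u in URL_RE.findall(body)]
    score = 0
    reasons = []
    if any(phrase in text for phrase in LURE_PHRASES):
        score += 1
        reasons.append("lure phrase")
    if any(u["dev_platform_host"] for u in urls):
        score += 1
        reasons.append("login page on developer hosting domain")
    if any(u["prefilled_email"] and u["prefilled_email"].lower() == recipient for u in urls):
        score += 1
        reasons.append("link pre-fills recipient address")
    return {"score": score, "reasons": reasons, "urls": urls,
            "verdict": "phish" if score >= 2 else "clean"}


# Constructed samples: the first mimics the lure, the second is a benign message.
PHISH_SAMPLE = """\
From: Zoom <no-reply@invite.example>
To: alice@example.com
Subject: Video conference invitation

You received a video conference invitation.
Review it here: https://invite-review-example.appspot.com/login?email=alice@example.com
"""

BENIGN_SAMPLE = """\
From: Bob <bob@example.com>
To: alice@example.com
Subject: Team sync

Hi Alice, the agenda is attached. Sign in at https://zoom.us/signin when ready.
"""

if __name__ == "__main__":
    for sample in (PHISH_SAMPLE, BENIGN_SAMPLE):
        result = triage_message(sample)
        print(result["verdict"], result["score"], result["reasons"])
```

The pre-filled address is the most useful signal of the three: a legitimate Zoom invitation never needs to carry the recipient’s mailbox address in a login URL, while a phishing kit that wants the page to look like a normal Microsoft sign-in does. Run on a mailbox export, the same function can also pull every pre-filled address out of the flagged links, which gives a list of accounts whose IMAP logins should be reviewed and whose passwords should be reset.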
Millions Targeted, 1,000s Fall Victim
By the time of the initial report, attackers had taken more than 3,600 unique email credentials. Given that millions in the US have just connected with loved ones virtually to celebrate Thanksgiving this year, that number could now be much higher, the expert said.
Just after Thanksgiving, Twitter was alive with tweets not only about people’s various Zoom meetings with family & friends, but also about many special events hosted on Zoom connected to the holiday.
Ahead of the holiday, Zoom had lifted its usual 40-minute limit on meetings for all free accounts from midnight ET on Thursday, Nov. 26, until 6 a.m. ET on Friday, Nov. 27, “so your family gatherings don’t get cut short,” the company explained in a blog post.
Zoom Marketing Blitz
Since its surge in popularity in March 2020, at the start of the Covid-19 pandemic, when many parts of normal life moved online, Zoom has been fraught with security issues.
Zoom Bombing was the first widely reported abuse: uninvited participants who obtained meeting links or IDs, which users freely shared, joined calls to disrupt them with pornography, hate speech or physical threats to participants.
To blunt these attacks Zoom ‘tweaked’ its user interface, removing the meeting ID from the title bar of its client so that it would no longer appear in screenshots. Before this tweak, anyone who knew the meeting ID or link, which many users posted on social-media channels, could join the meeting. Hiding the ID only reduces exposure; a meeting ID is not a secret, & the real protection is a passcode or waiting room on the meeting itself.
Other security threats surfaced afterwards & forced Zoom to take further mitigating action. This included patching zero-day flaws in its macOS client that allowed a local, unprivileged attacker to gain root privileges & thereby access the victim’s microphone & camera.
Zoom also removed a feature called ‘LinkedIn Sales Navigator’ that was criticized for “undisclosed data mining” of users’ names & email addresses, which were then used to match participants with their LinkedIn profiles.