Since March 27, 2020, Proofpoint researchers have observed an increase in video conferencing company-themed attacks seeking to steal credentials and distribute malware. These lures capitalise on the global workforce’s shift to remote work and consequential increased demand for video conferencing services during the Covid-19 pandemic.
To note, these attacks do not leverage or attack video conferencing software directly. Threat actors are using the names and brands of these video conferencing companies as themes in their social engineering lures, which lead to the theft of various account credentials, malware distribution, or credential harvesting for these spoofed video conferencing accounts.
The emails you need to look out for:
Credential phish: Zoom account
This medium-sized campaign has targeted energy, manufacturing, and business services in the US and is designed to steal user credentials. The message body includes a lure that claims to welcome users to their new Zoom account.
Emails in this campaign arrive with a subject line of “Zoom Account” and purport to be from an admin account. In the sample in Figure 1, the message claims to come from “Rouncube Admin”. Other email lures claim to be from “admin@servewebteam[.]gq”.
The message body includes a lure that welcomes users to their new Zoom account and contains a link, which the recipient is urged to click in order to activate their Zoom account. When clicked, users are taken to a generic webmail landing page and asked to enter their credentials.
Credential phish: Missed Zoom meeting
This small campaign targets transportation, manufacturing, technology, business services, and aerospace companies in the US and seeks to steal user credentials using a lure around a missed meeting. The emails arrive claiming that the recipient missed a Zoom meeting and includes a link the recipient can use to “Check your missed conference”.
If the recipient clicks on the link, they are taken to a spoofed Zoom page and asked for their Zoom credentials.
Credential phish: Cisco WebEx “Alert!” “Your account access will be limited!”
This small campaign attempted to harvest WebEx users’ credentials with emails claiming that recipients need to take immediate action to address a WebEx security vulnerability. Industries targeted include technology, accounting, aerospace, energy, healthcare, telecommunications, transportation, government, and manufacturing companies.
This campaign claims to come from addresses such as “cisco@webex[.]com” or “meetings@webex[.]com” and uses subject lines such as: “Critical Update!” , “Alert!”, “Critical Update!”, “Your account access will be limited!” or “Your account access will be limited in 24h.”
The emails claim that the recipient needs to update their WebEx client to “fix” a security vulnerability in the Docker Engine Configuration in Cisco CloudCentre Orchestrator. The messages very prominently abuse the Cisco WebEx logo and spoof the format of Cisco’s security advisories. They also appear to draw text and images from a legitimate Cisco advisory. If the recipient clicks on the link, they are taken to the page which asks for the user’s WebEx credentials.
As video teleconferencing has become more important than ever to the global workforce, it’s not surprising that attackers are moving to adapt their themes and lures to include prominent video conferencing providers like WebEx and Zoom. With more and more organisations shifting to remote work, we can expect these video teleconferencing brands to continue to be used as themes in social engineering lures for the foreseeable future.
“Video conferencing has become very popular very quickly, in the Middle East, as well as globally. Attackers have noticed and moved to capitalise on that popularity and brand strength. Not only are attackers using video conferencing brands as a lure for malware, but they’re using it for credential phishing, in particular to steal Zoom and WebEx credentials. This points to the increasing value of compromised video conferencing accounts. Stolen account credentials could be used to login to corporate video conferencing accounts and violate confidentiality. They also could likely be sold on the black market or used to gain further information about potential targets for launching additional attacks”, said Emile Abou Saleh, Regional Director, Middle East and Africa at Proofpoint.