TurkeyBombing Puts New Twist on Zoom Abuse

Threat actors already stole nearly 4,000 credentials before the holiday was even over, according to report.

Millions of family and friends, forced to spend Thanksgiving socially distant, are being targeted by cybercriminals as they turn to video platforms like Zoom to virtually be together. In this ongoing attack, cybersecurity experts warn, victims are targeted with a Zoom-related and Thanksgiving-specific hook reminiscent of ZoomBombing; call it TurkeyBombing.

On Thursday, a security researcher warned that a major phishing campaign kicked off over the Thanksgiving long weekend and is aimed at stealing Microsoft credentials. Attackers have already successfully pried credentials out of thousands of users, according to the researcher, who goes by the handle TheAnalyst. The researcher, quoted in a BleepingComputer report, said the attack is ongoing and forecast to continue.

The Turkey Day-themed email ploy leverages the juggernaut popularity of the Zoom Video Communications platform. Bogus messages are being sent en masse and falsely tell recipients, “You received a video conference invitation,” according to TheAnalyst. The messages, naturally, include a link to review the supposed invitation.

The link leads victims to a fake Microsoft login page hosted on a Google domain, Appspot.com. The domain is used primarily by developers to host web applications in the Google-managed data center.

According to the report, when a victim lands on the phishing page, their email address is already pre-populated in the login field. They are then prompted to enter the password for the associated Microsoft account.

If someone takes the bait, the phishing page records not only the victim’s email address and password, but also their IP address and geographic location. If the stolen credentials are determined to unlock a privileged account, the attackers attempt to break into it via Internet Message Access Protocol (IMAP) credential verification.

IMAP is a protocol used by companies and email services to offer direct access to messages stored on an email server.
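A defender-side check for the lure described above, added here as an example and not part of the report: it scores mail-gateway records on the “video conference invitation” subject, on links to the shared appspot.com hosting domain, and on whether the link carries the recipient’s own address (the usual way a phishing page pre-fills the login field; the report does not say how it is done, so that indicator is an assumption). The log records and hostnames are constructed for the example.

```python
import re
from urllib.parse import urlparse, unquote

# Constructed sample mail-gateway records (not taken from the report).
SAMPLE_MESSAGES = [
    {"to": "alice@example.com",
     "subject": "You received a video conference invitation",
     "urls": ["https://meeting-review-1234.appspot.com/login?email=alice%40example.com"]},
    {"to": "bob@example.com",
     "subject": "Weekly sync",
     "urls": ["https://zoom.us/j/1234567890"]},
    {"to": "carol@example.com",
     "subject": "Video conference invitation",
     "urls": ["https://myapp.appspot.com/#carol@example.com"]},
]

LURE_RE = re.compile(r"video\s+conference\s+invitation", re.I)
HOSTING_SUFFIX = ".appspot.com"  # shared app-hosting domain abused in this campaign


def url_embeds_address(url: str, address: str) -> bool:
    """True if the recipient's address sits in the URL query or fragment.
    Assumption: this is how the landing page pre-fills the login field."""
    parts = urlparse(url)
    decoded = unquote(parts.query + " " + parts.fragment).lower()
    return address.lower() in decoded


def score_message(msg: dict) -> list:
    """Return the list of indicators matched by one message, in order found."""
    hits = []
    if LURE_RE.search(msg["subject"]):
        hits.append("lure_subject")
    for url in msg["urls"]:
        host = (urlparse(url).hostname or "").lower()
        if host.endswith(HOSTING_SUFFIX):
            hits.append("appspot_link")
            if url_embeds_address(url, msg["to"]):
                hits.append("prefilled_address")
    return hits


def flag_messages(messages: list) -> list:
    """Recipients of messages that match two or more indicators; these are
    candidates for quarantine and for a password reset plus an IMAP login review."""
    return [m["to"] for m in messages if len(score_message(m)) >= 2]


if __name__ == "__main__":
    print(flag_messages(SAMPLE_MESSAGES))  # ['alice@example.com', 'carol@example.com']
```

A single indicator is deliberately not enough to flag a message, since legitimate apps are hosted on appspot.com and genuine Zoom invitations use similar subject lines.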

Millions Targeted, Thousands Fall Victim

As of the time of the original report, attackers had stolen more than 3,600 unique email credentials. Given that millions will likely connect with loved ones virtually to celebrate Thanksgiving this year, that number could be much higher, the expert said.

Indeed, the day after Thanksgiving, Twitter was abuzz with tweets not only about people’s various Zoom meetings with family and friends, but also about numerous special events hosted on Zoom to celebrate the holiday.

Anticipating the Thanksgiving usage surge, the company had even removed the usual 40-minute limit on meetings for all of its free user accounts from midnight ET on Thursday, Nov. 26, through 6 a.m. ET Friday, Nov. 27, “so your family gatherings don’t get cut short,” the company said in a blog post.

Zoom Marketing Blitz, Ideal for TurkeyBombing

Since its rise in popularity, which started in March at the beginning of the pandemic when many aspects of everyday life moved online, Zoom has been plagued with security issues.

ZoomBombing became the initial way hackers would break into video conferences, using the ease with which they could access links to Zoom conferences and jump on calls uninvited to disrupt them with pornography, hate speech or even physical threats to users.

Zoom eventually made a tweak to its user interface by removing meeting ID numbers from the title bar of its client interface to mitigate the attacks from threat actors. Before the tweak, anyone could join a Zoom meeting if they knew the meeting link, which many users would send via social-media channels.

A raft of other security threats emerged soon after, forcing Zoom to take various actions to mitigate and eliminate them. These moves included patching zero-day flaws in its macOS client that could give local, unprivileged attackers root privileges, allowing access to victims’ microphone and camera.

Zoom also eliminated a feature called LinkedIn Sales Navigator that came under fire for “undisclosed data mining” of users’ names and email addresses, which the service used to match them with their LinkedIn profiles.
