Zoom Impersonation Attacks Aim to Steal Credentials


The Better Business Bureau warns of phishing messages with the Zoom logo that tell recipients they have a missed meeting or suspended account.

A new Zoom-themed phishing attack is circulating through email, text and social media messages, aiming to steal credentials for the videoconferencing service.

The Better Business Bureau (BBB) warned last week that the attack uses Zoom’s logo and arrives as a message telling recipients either that their Zoom accounts were suspended and they must click a link to reactivate, or that they missed a Zoom meeting and should click a link to see the details and reschedule.

Another recent variant of the attack has been a message welcoming some recipients to the platform and requesting they click on a link to activate the account, said the BBB.

In all cases, victims are taken to a phishing landing page, where they are asked to input their Zoom credentials.

“This [phishing scam] isn’t surprising, since attackers always update their phishing lures to take advantage of ongoing trends and events,” said Stu Sjouwerman with KnowBe4 on Tuesday.

According to the BBB, scammers registered more than 2,449 Zoom-related domains from late April to early May. Cybercriminals and scammers are utilizing these domain names, which include the word “Zoom,” to send emails that look like they are coming from the official videoconferencing service.

“No matter what kind of phishing message you receive, scammers hope you will click on the link they’ve included in their email,” according to the BBB. “These links can download malware onto your computer or lead you to a page where you are prompted to enter your login information. Entering your username and password gives scammers access to your account and any other account that uses a similar login and password combination.”

The phishing scam comes amid the wave of remote workers driven home by the coronavirus pandemic, who have come to rely on online collaboration tools like Zoom and other platforms. The BBB said that, with Zoom’s usage growing exponentially in 2020, these credentials are invaluable for attackers. For instance, a database shared on an underground forum in April contained more than 2,300 compromised Zoom credentials.

“Naturally, this has attracted the attention of hackers and scammers,” said the BBB. “With a huge user base to target, con artists are using old tricks in new scams to try to steal your information.”

Compromised Zoom credentials could give cybercriminals access to web conference calls, where sensitive files, intellectual property data and financial information are shared. Cybercriminals can also use these credentials for social-engineering purposes — ultimately leading to attacks like business email compromise efforts.

Attackers can also use these types of compromised credentials to launch denial-of-service attacks, also known as “Zoom bombing.” Despite the FBI cracking down on Zoom-bombing earlier this year, the practice continues to plague Zoom users, with a recent Thanksgiving Zoom-bombing attack that was labeled “TurkeyBombing.”

Potential victims can protect themselves from these types of scams by double-checking the sender’s information – as Zoom.com and Zoom.us are the only official domains for Zoom, said the BBB. Also, recipients should never click on links in unsolicited emails, they said.

“Phishing scams always involve getting an unsuspecting individual to click on a link or file sent in an email that will download dangerous malware onto their computer,” they said. “If you get an unsolicited email and you aren’t sure who it really came from, never click on any links, files, or images it may contain.”
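The sender and link check the BBB recommends can be automated in a mail filter or triage script. The Python sketch below is an added example, not code from the BBB, Zoom or Threatpost; it assumes only the two official domains named in the article, and every sample address and URL is constructed using the reserved .example TLD.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# The only official Zoom domains, per the BBB statement quoted in the article.
OFFICIAL_ZOOM_DOMAINS = {"zoom.com", "zoom.us"}


def classify_host(host: str) -> str:
    """Return 'official', 'lookalike' (mentions zoom but is not official) or 'other'."""
    host = (host or "").rstrip(".").lower()
    # Match the exact domain or a true subdomain. The leading dot matters:
    # a plain substring or suffix test would accept names like 'notzoom.us'.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_ZOOM_DOMAINS):
        return "official"
    return "lookalike" if "zoom" in host else "other"


def classify_sender(from_header: str) -> str:
    """Classify a From: header by its address domain, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return classify_host(addr.rpartition("@")[2])


def classify_link(url: str) -> str:
    """Classify a link by its real hostname; userinfo and path are ignored."""
    return classify_host(urlsplit(url).hostname or "")


# Constructed samples for illustration only.
SAMPLES = [
    ("sender", 'Zoom <no-reply@zoom.us>'),
    ("sender", '"Zoom Support" <alerts@zoom-account-verify.example>'),
    ("sender", '"Zoom Support" <billing@mail.example>'),
    ("link", "https://us02web.zoom.us/j/123"),
    ("link", "https://zoom.us.login.example/reactivate"),
    ("link", "https://zoom.us@meetings.example/j/1"),
]

if __name__ == "__main__":
    for kind, value in SAMPLES:
        verdict = classify_sender(value) if kind == "sender" else classify_link(value)
        print(f"{verdict:9} {kind:6} {value}")
```

A message that claims to come from Zoom should be treated as suspect unless both the sender and every link classify as `official`; `other` only means the host does not mention Zoom, not that it is safe.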
