Phishing campaign caught spoofing Zoom

The campaign impersonates Zoom emails, but steals the Microsoft account credentials of its victims, says security firm Abnormal Security.


As people have been forced to work from home due to the coronavirus outbreak, there's been a surge in the use of virtual meeting programs to stay in touch with colleagues and co-workers. Cybercriminals have been happy to exploit all aspects of the coronavirus, and that includes this move toward remote working. A new phishing campaign spotted by Abnormal Security takes advantage of the popularity of Zoom to try to capture the account credentials of unsuspecting users.


Mimicking a real Zoom notification, the initial phishing email tells recipients that they've recently missed a scheduled meeting. The email contains a link that promises more details and a recording of the meeting. To lend legitimacy, the message is formatted with the potential victim's username, while the link also contains the username. To add a sense of urgency, the email states that Zoom will keep the message only for another 48 hours.

Clicking the link takes the user to a malicious landing page hosted on "zoom-#####-web.app" (the # signs all change between attacks). Impersonating an actual Microsoft login page, the landing page asks users to sign in with their Microsoft account credentials to access the Zoom meeting information. The login page displays the name of the user's organization and the Zoom name above the login location. If the person does indeed sign in, their Microsoft account credentials are stolen by the attacker.

Though the campaign is spoofing Zoom, the actual intent is to steal Microsoft account information, which criminals can then use to access a treasure trove of sensitive information. The attackers try to hide their location by using an array of VPN sources. But, in all the attacks analyzed, the emails looked similar, the messages were sent during a short period of time and they all used the same VPN services. Those clues led Abnormal Security to believe that they've all been coordinated attacks by the same individual or group.

As people working from home jump from one virtual meeting to another, meeting notifications and invitations have become pervasive. As such, people who receive these phishing emails may automatically and unknowingly follow the link and sign in with their Microsoft account credentials.

How can individuals protect themselves from phishing emails that impersonate Zoom? Ken Liao, VP of cybersecurity strategy at Abnormal Security, offers the following tips:

  1. Always double-check the authenticity of each link: Is the URL in the link something you would expect based on the context of the email? We see many attackers leveraging redirects or unrelated links in order to avoid spoof email security tools that check for malicious links. We see many attackers who host landing pages on entirely unrelated URLs that they appear to have hijacked and control.
  2. Make sure that Zoom invites come from trusted sources.
  3. Avoid logging in from the links provided in emails. Instead, log in directly to the Zoom site.
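As an added illustration of the landing-page pattern described earlier and of tip 1's "is this the URL you would expect?" check, the Python below is not code from the article or from Abnormal Security: it pulls every link out of a Zoom-themed HTML email and rates each link's host. The Zoom host allowlist, the sample email, and the digits in the constructed `zoom-12345-web.app` domain are assumptions made for the example.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumption for this example: a short allowlist of hosts the Zoom brand actually uses.
ZOOM_HOSTS = ("zoom.us",)

# Host shape the article reports for the campaign's landing pages: zoom-#####-web.app,
# where the digits change between attacks.
CAMPAIGN_HOST_RE = re.compile(r"^zoom-\d+-web\.app$")
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)

# Constructed sample message mirroring the lure described in the article; the
# digits in the landing-page host are a placeholder, not a real campaign value.
SAMPLE_EMAIL = "\n".join([
    "From: Zoom <no-reply@zoom.us>",
    "Subject: You missed a scheduled meeting",
    "Content-Type: text/html; charset=utf-8",
    "",
    "<p>jdoe, you recently missed a scheduled Zoom meeting.</p>",
    '<a href="https://zoom-12345-web.app/meeting?user=jdoe">View the recording</a>',
    "<p>Zoom will keep this message for another 48 hours.</p>",
])


def classify_host(host: str) -> str:
    """Rate a link host found in a Zoom-themed email from a defender's point of view."""
    host = host.lower().rstrip(".")
    if CAMPAIGN_HOST_RE.match(host):
        return "campaign_pattern"   # matches the reported landing-page naming
    if any(host == h or host.endswith("." + h) for h in ZOOM_HOSTS):
        return "brand_host"         # a genuine Zoom domain
    if "zoom" in host:
        return "lookalike"          # brand name on a domain Zoom does not own
    return "unrelated_host"         # tip 1: not a URL you would expect from the context


def audit_email(raw_email: str) -> list[dict]:
    """Extract every href from a single-part HTML email and classify its host."""
    msg = message_from_string(raw_email)
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    findings = []
    for url in HREF_RE.findall(body):
        host = urlparse(url).hostname or ""
        findings.append({"url": url, "host": host, "verdict": classify_host(host)})
    return findings


def needs_review(raw_email: str) -> bool:
    """True if any link leads somewhere other than a genuine Zoom host."""
    return any(f["verdict"] != "brand_host" for f in audit_email(raw_email))
```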
