Credential harvesting — How Zoom opened the phishing floodgates

Teleconferencing tools saw a surge in usage — and it was the perfect time for attackers to strike.
2 September 2020

An ‘unsecure endpoint’? Source: Shutterstock

  • Video conferencing tools have seen a spike in adoption and registered users
  • Bad actors are using phishing to steal login credentials

Video conferencing tech has been a lifeline for businesses, helping them sustain operations and communications amid the surreal events of 2020. But this sudden reliance was a vulnerability that some were ready to exploit. 

Teleconferencing tools saw a surge in usage. Zoom enjoyed a hike in users from about 10 million daily meeting participants last December to 300 million in April this year. In the thick of lockdowns, users flocked to the tools to conduct business meetings, but also birthday celebrations, wedding anniversaries, chemistry lessons, and everything else. 

The use of videoconferencing for both work and personal life, however, meant many new users setting up and learning to navigate cloud-based videoconferencing tools within a few minutes, and then being bombarded with invitations from many different accounts. Many will naturally have been tempted to reuse familiar login credentials or even share accounts with friends and family.

Those circumstances represent a prime opportunity for themed phishing attacks. Software company INKY began observing, early on, an explosion of fake meeting invitations impersonating Zoom.

In the first few weeks of summer, the firm stopped approximately 5,000 of these phishing attacks. It also found 13 unique phishing templates, all designed to lure Zoom users into giving up credentials of the kind that lets cybercriminals steal billions of dollars each year; such losses cost individuals and businesses over US$3.5 billion last year.

These attacks, if successful, can provide attackers access to entire enterprise networks and, with average losses per company of nearly US$75,000 per incident in 2019, can spell the end of small to medium-sized businesses.

Many fell victim to these scams because the fake login pages look utterly convincing: the attackers copy the real source code of legitimate companies' login pages. When users enter their login credentials, the data goes directly to the attackers by email or is stored on a compromised server.
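The practical defence against an invitation that imitates Zoom is to look at where its links actually go rather than at how the mail looks. The check below is an added example, not code from the article or from Zoom or INKY: it pulls the URLs out of a constructed sample invitation and classifies each by host. The list of legitimate domains (`zoom.us`, `zoom.com`) is an assumption for illustration; an organisation would maintain its own allow-list. The sample invitation, its hosts and addresses are constructed.

```python
"""Classify the links in a Zoom-themed meeting invitation by where they point.

Added example (not from the article, Zoom or INKY). The legitimate-domain
list is an assumption; everything in SAMPLE_INVITE is constructed.
"""
import re
from urllib.parse import urlparse

# Assumption: hosts an invitation link may legitimately resolve to. A host is
# accepted only if it equals one of these or is a subdomain of one.
LEGITIMATE_DOMAINS = ("zoom.us", "zoom.com")

# Crude URL extractor: good enough for plain-text mail bodies.
URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)

# Constructed sample invitation mixing one genuine-looking link with
# several of the patterns seen in credential-harvesting mails.
SAMPLE_INVITE = """\
You have a new Zoom meeting invitation from HR.
Join: https://us02web.zoom.us/j/1234567890
Review the agenda: https://zoom-us.meeting-login.example/signin
Alternative link: https://zoom.us@198.51.100.7/j/1234
Mobile link: https://zооm.us/j/555
Unsubscribe: https://mail.example.net/unsub
"""


def host_is_legitimate(host: str) -> bool:
    """True if host is one of LEGITIMATE_DOMAINS or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGITIMATE_DOMAINS)


def classify_url(url: str) -> str:
    """Return a verdict for one URL.

    ok              - host is a legitimate Zoom domain
    userinfo-trick  - 'zoom.us@other-host': the browser connects to other-host
    non-ascii-host  - host contains non-ASCII characters (homoglyph risk)
    lookalike       - host mentions 'zoom' but is not a Zoom domain
    unrelated       - host is neither Zoom nor a lookalike
    """
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.username is not None:
        # Text before '@' is credentials, not the destination.
        return "userinfo-trick"
    if not host.isascii():
        return "non-ascii-host"
    if host_is_legitimate(host):
        return "ok"
    if "zoom" in host:
        return "lookalike"
    return "unrelated"


def suspicious_links(text: str) -> list:
    """Return (url, verdict) for every link in text whose verdict is not 'ok'."""
    results = []
    for url in URL_RE.findall(text):
        verdict = classify_url(url)
        if verdict != "ok":
            results.append((url, verdict))
    return results


if __name__ == "__main__":
    for url, verdict in suspicious_links(SAMPLE_INVITE):
        print(f"{verdict:15s} {url}")
```

Only `lookalike`, `userinfo-trick` and `non-ascii-host` are strong signals on their own; an `unrelated` host (the unsubscribe link here) is common in legitimate mail and is reported so a reviewer can see every destination, not because it is malicious.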

When bad actors are able to steal login credentials successfully, they often sell the stolen accounts on the dark web. In April, cybersecurity firm Cyble discovered more than half a million Zoom accounts for sale on hacker forums for less than a cent each. 

Credential harvesting through phishing has also been seen on gaming platforms, which likewise saw a peak in usage amid the pandemic. Although account takeovers are an issue on both social networking and gaming platforms, some gaming accounts are more valuable because of the hard-to-obtain virtual items they hold.

Last month, Night Lion Security found Fortnite accounts being sold online on the black market. The market for stolen video game accounts generates US$1 billion annually, and tens of thousands of Fortnite accounts are sold daily for about US$200 to US$250.