Popular video conferencing tools are facing another huge swathe of cyber attacks as criminals look to steal user login details.
According to experts at security firm Proofpoint, services such as Zoom and WebEx have become popular targets for criminals, with a number of new scams emerging online in recent weeks.
The scams include phishing attacks to steal user login details, allowing hackers access into a company’s network to cause havoc and spread malware.
- Zoom apologizes for major security vulnerabilities, promises fixes
- Best online collaboration tools of 2020: software for shared work and communications
- ‘Zoom-bombing’ is now a federal offense in the US
This included a phishing email scam where a message entitled “Zoom Account” pretends to welcome a user to their new Zoom account. The victim is then encouraged to activate their accounts by entering their login details on a different landing page, however this false site simply steals the information.
Also witnessed was an email claiming the recipient had missed a Zoom meeting, with the victim then told to click on a link to “Check your missed conference”. However this also takes the victim to a fake Zoom page where their logins are again stolen.
Cisco WebEx users were targeted by an email scam that claiming to be from the company, and using the correct logos and email domains. The message claims that the recipient needs to update their software in order to fix a security vulnerability – however once again, clicking the included link leads users to a phishing page where their details are harvested.
In addition, Zoom has tapped bug bounty guru Katie Moussouris, who launched both Microsoft and the Pentagon’s bug bounty programs, to reboot its own bug bounty program. Moussouris, who heads Luta Security, “will be assessing Zoom’s program holistically with a 90-day ‘get well’ plan, which will cover all internal vulnerability handling processes,” the company says.
This week, Zoom also announced that it’s also getting additional help from cybersecurity consultancies NCC Group, Trail of Bits, Bishop Fox and Praetorian Security, as well as threat intelligence services from CrowdStrike and Queen Associates’ DarkTower. To bolster its encryption capabilities over the longer term, Zoom this week also brought in as consultants Lea Kissner, who formerly headed privacy technology for Google, as well as Matthew Green, a renowned cryptographer and Johns Hopkins University professor who’s previously published deep dives into Zoom’s encryption.
“Many people are doing the best they can during a very hard time. This includes Zoom’s engineers, who are dealing with an unprecedented surge of users, and somehow managing to keep their service from falling over,” Green wrote in an April 3 blog post. “They deserve a lot of credit for this. It seems almost unfair to criticize the company over some hypothetical security concerns right now. But at the end of the day, this stuff is important.”
