Watch out for Fake Zoom Meeting Emails That Were Set up to Steal Your Password

Zoom Phishing Attack

There are so many active phishing campaigns at any given time, that covering all of them is physically impossible. And even if it was, most of the scams are either too small or not very well executed, and they don't warrant any special attention. Researchers from Sophos, however, recently spotted a wave of scam messages, and they reckon that they deserve a mention. Let's see why.

Phishers use scare tactics to scam home office workers out of their passwords

The researchers spotted a couple of variations of the same email. It's safe to assume that the message is primarily aimed at people who have been forced to work from home during the COVID-19 pandemic because it's supposed to be a reminder of a scheduled Zoom meeting that is about to start. The "CEO and Management Board" of the target's employer are supposedly expected to take part, and so are people from the human resources department as well as some bean counters. The recipient of the message is told that there will be a Q1 performance review, and a line at the end of the email states that the purpose of the meeting is "Contract Suspension/Termination Trial."

It's not the perfect phishing email. The wording's a bit awkward in places, and the more observant users might spot one or two typos. As you can see, however, the phishers have put a lot of effort into ensuring that the victims are too apprehensive to notice the mistakes. The crooks have actually outdone themselves in this particular aspect.

Businesses are struggling, and unemployment is soaring because of the current crisis. In light of this, even the smallest suggestion that a person's job might be under threat is bound to put them in a state of panic. And when users panic, they fail to notice that they're being scammed.

Crooks want to steal victims' email passwords with a convincing-looking Zoom phishing page

Mind you, there isn't a whole lot to give away the fraud in this particular case. The email contains a button that promises to lead victims directly to the meeting, but as you might have guessed already, it redirects them to a Zoom phishing page.

It's really difficult to notice that the login form is fake. The phishers have done a good job of replicating the design of https://zoom.us, the video conferencing platform's website, and they've even installed an SSL certificate.

The only noticeable difference is that the text inside the password field says "Email Address Password" instead of "Password." This could make some users suspicious, which might leave you wondering why the crooks have gone through all the trouble of creating a convincing phishing page and are risking the whole operation by requesting the wrong password. When you think about it, however, you'll see that there is a good reason for this.

The fact of the matter is, the crooks can't do much with the victims' Zoom login credentials. Indeed, password reuse is still common, which means that the stolen usernames and passwords might open quite a few other accounts, but the phishers clearly thought that they're better off aiming straight for people's email credentials. Once the hackers have access to a user's inbox, they can reset many other passwords and leave the victims locked out of all their accounts.

The phishers are hoping that in the urgency to join the nonexistent Zoom meeting, the targets will fail to spot the discrepancy. How many will do that is difficult to say, but as the number of Zoom users continues to grow, the hackers' chances are getting better and better.

Why Zoom?

Although the victims' Zoom passwords might not be the ultimate goal, the video conferencing platform is instrumental in this scam, and this is no coincidence. The social distancing measures associated with the coronavirus pandemic locked many workers at home, and the demand for Zoom's services shot through the roof. Earlier this month, Zoom's executives admitted that the number of daily meeting participants had gone from 10 million in December 2019 all the way to 200 million in late-March, which means that there are many new users of the platform. These new users might not be aware of the fact that unless they're hosting the Zoom meeting, they don't need to log into their accounts in order to participate in it.

Some of them might not know that if you enable two-factor authentication at Zoom and at your email provider, you can turn the current phishing attack into a miserable failure.

April 29, 2020

Leave a Reply