
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Don’t “Zoom” Through This Phishing Attempt

April 22, 2020 By Trevor Collins

Yesterday AbnormalSecurity reported a phishing site that cybercriminals designed to capture Zoom and company login credentials. We visited this site, so you don’t have to. The phishing attempt starts when the victim receives an email about a Zoom meeting starting soon. You can see a copy of this email here, provided by AbnormalSecurity. In the email, the meeting purpose includes termination of employment. The email also provides a link to the phishing site, not to Zoom. If the victim falls for the scam and clicks the link, the phishing site asks for their Zoom credentials. While the phishing site looks identical to the official Zoom login page, its creators added one addition to steal the victim’s work credentials if they don’t have a Zoom login. Above the login it says “Zoom now allows you to join and host meetings without signing up. Simply continue with your organization email login to proceed.”

At this point all links on the phishing site lead to Zoom’s official site except for the login button. Any email and password the victim enters leads to a login error, but this isn’t the end of the phish. The login form sends the entered credentials to the phishing site’s server in this request body:

enayeu=notanemail%40example.com&tspika=HiddenPass&fendi=&keep_me_signin=on&ZOOM-CSRFTOKEN=8YPC-CQEW-UYPB-EIDR-IYSR-DN95-35SX-FR67

We had to de-obfuscate or decode much of the phishing site’s code to understand it, but you can clearly see the fake email “notanemail%40example.com” (%40 is the URL-encoded @ symbol) and the password “HiddenPass” we used in the message to the phishing site’s server. You’ll also see the token at the end of the message, “8YPC-CQEW-UYPB-EIDR-IYSR-DN95-35SX-FR67”. We believe they used this to work around two-factor authentication. Fortunately, it looks like Zoom disabled this token, so it no longer works. For this reason, the first login attempt failed. If you try logging in again, the phishing page sends your credentials to its own servers again and then redirects you to the Zoom support page.
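As an added example (not code from the article or from AbnormalSecurity), the following Python checks a page the way the two paragraphs above reason about it: it flags a login form that submits somewhere other than the hosts the page’s own links point at, and it decodes the captured form body so the obfuscated field names and the %40 encoding are visible. The page HTML and the phishing host name are constructed placeholders; the request body is the one quoted above.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


class LinkAndFormCollector(HTMLParser):
    """Collect the host of every <a href> and the host each <form> submits to."""

    def __init__(self):
        super().__init__()
        self.link_hosts = []
        self.form_hosts = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.link_hosts.append(urlsplit(attrs["href"]).netloc.lower())
        elif tag == "form":
            # A relative or missing action submits back to the page's own host.
            self.form_hosts.append(urlsplit(attrs.get("action") or "").netloc.lower())


def login_form_goes_elsewhere(html, page_host):
    """Return the hosts that forms on the page submit to which differ from
    every host the page's links point at (the impersonated brand's hosts).
    Hosts are compared exactly; a real site that logs in on a separate
    subdomain would need the comparison relaxed to the registrable domain.
    """
    collector = LinkAndFormCollector()
    collector.feed(html)
    brand_hosts = {h for h in collector.link_hosts if h}
    return [host or page_host for host in collector.form_hosts
            if (host or page_host) not in brand_hosts]


def decode_capture(body):
    """Decode a URL-encoded form body (%40 -> @) into {field: value},
    keeping empty fields such as 'fendi='."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


# Constructed stand-in for the phishing page: every link goes to zoom.us,
# but the login form posts back to the phishing host (placeholder name).
PHISH_PAGE = """
<a href="https://zoom.us/">Home</a> <a href="https://zoom.us/support">Help</a>
<form action="login.php" method="post">
  <input name="enayeu"><input name="tspika" type="password">
</form>"""

# The request body quoted in the article, as sent by the fake login form.
CAPTURED_BODY = ("enayeu=notanemail%40example.com&tspika=HiddenPass&fendi="
                 "&keep_me_signin=on&ZOOM-CSRFTOKEN=8YPC-CQEW-UYPB-EIDR-IYSR-DN95-35SX-FR67")

if __name__ == "__main__":
    print(login_form_goes_elsewhere(PHISH_PAGE, "phishing-host.example"))
    print(decode_capture(CAPTURED_BODY))
```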

With the new popularity of Zoom, many may confuse a legitimate email from Zoom with a fake one. You can spot the fake ones by looking out for unexpected emails and checking links in the email by hovering over them. If anything seems off, check directly with the person who supposedly sent the email, which in this example would be HR. Also, using a DNS-based malware detection service like DNSWatch can help block known phishing sites. WatchGuard customers are already protected, as DNSWatch blocks access to this site, and many other phishing sites, by intercepting domain name lookups when a user clicks on a potentially dangerous link.

Filed Under: Editorial Articles Tagged With: remote work