Yesterday AbnormalSecurity reported a phishing site that cybercriminals designed to capture Zoom and company login credentials. We visited this site, so you don’t have to. The phishing attempt starts off when the victim receives an email about a Zoom meeting starting soon. You can see a copy of this email here provided by AbnormalSecurity. In the email, the meeting purpose includes termination of employment. The email also provides a link to the phishing site, not Zoom. If the victim falls for the scam and clicks the link the phishing site asks for their zoom credentials. While the phishing site looks identical to the official zoom login page, the phishing site creators added one addition to steal the victims work credentials if they don’t have a zoom login. Above the login it says “Zoom now allows you to join and host meetings without signing up. Simply continue with your organization email login to proceed.”
At this point all links on the phishing site lead to Zooms official site except for the login button. Any email and password the victim enters will lead to a login error, but this isn’t the end of the phish. The login information entered sends the credentials to the phishing site using this message.
enayeu=notanemail%40example.com&tspika=HiddenPass&fendi=&keep_me_signin=on&ZOOM-CSRFTOKEN=8YPC-CQEW-UYPB-EIDR-IYSR-DN95-35SX-FR67
We had to de-obfuscate or decode much of the phishing site code to understand it, but you can clearly see the fake email “notanemail%40example.com” (%40 is the HTML encoded @ symbol) and password “HiddenPass” I used in the message to the phishing site server. You’ll also see the token at the end of the message “8YPC-CQEW-UYPB-EIDR-IYSR-DN95-35SX-FR67”. We believe they used this to work around two-factor authentication. Fortunately, it looks like Zoom disabled this token, so it no longer works. For this reason, the first login attempt failed. If you try logging in again the phishing page sends your credentials again to its own servers then sends you to the Zoom support page.
With the new popularity of Zoom, many may confuse a legitimate email from Zoom with a fake one. You can spot the fake ones if you look out for unexpected emails and check links in the email by hovering over them. If anything seems off, check with the person sending the email directly, which in the case of this example would be HR. Also using a DNS-based malware detection like DNSWatch can help block known phishing sites. WatchGuard customers are already protected as DNSWatch blocks access to this site, and many other phishing sites, by intercepting domain name lookups when a user clicks on a potentially dangerous link.