Zoom Bombing – Uninvited Guests are Joining Your Video Conference
During the COVID-19 pandemic, many companies, schools, and other organizations have migrated personnel and students to remote work and education. This led to a surge in usage of video conferencing tools such as Zoom. Zoom is a popular video conferencing platform that is used to conduct online meetings, classes, and virtual meetups. It is available for computers as well as mobile devices. Many organizations and individuals now rely on Zoom and other platforms on a daily basis.
At the same time, a new wave of cybercrime has emerged. Zoom and other video conferencing tools have recently become targets of many cybercriminals and internet trolls, who are taking advantage of the surge in Zoom users to cause chaos as well as compromise users and organizations. Zoom users such as schools and businesses alike are being targeted in these ongoing attacks. Tools are emerging on underground cybercriminal forums for validating stolen Zoom credentials and capturing data from compromised accounts.
On online message boards, Internet trolls and other actors have been organizing operations to disrupt Zoom. While the majority of these attacks are simply for the entertainment of the attackers, companies and organizations should be conscious of the fact that sensitive information may be at risk of compromise during video conference meetings. Taking the necessary precautions and securing Zoom meetings should be a high priority during these times.
Targeting Zoom Accounts
Online underground marketplaces and cracking forums commonly host tools and configuration files used to generate stolen credentials for various websites and online services. A popular tactic with cybercriminals is called credential stuffing, which involves the use of automated tools to generate large-scale login requests directed against a specific web application with lists of stolen account credentials.
Credential stuffing attacks targeting Zoom accounts are on the rise. For example, on April 1st, 2020 a threat actor on a popular underground cracking forum posted a configuration for the credential stuffing tool OpenBullet that checks the validity of Zoom credentials. The user posted a brief description of the configuration file as well as a screenshot and download links.
Over the past few days, we have also observed an increase in the number of compromised Zoom account credentials posted on underground forums. Most posters are sharing these accounts free of charge. The ensuing discussions primarily center on trolling meetings and ‘Zoom Bombing’ online classrooms.
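The credential stuffing pattern described above leaves a recognizable trace in login logs: one source trying many different accounts, with most attempts failing. The following is an added example, not from the original article or from any vendor's tooling, that flags such sources in a constructed log and lists the accounts that logged in successfully from them. The log format, thresholds, and function names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (log format is an assumption): time, source IP, account, result.
SAMPLE_LOG = """\
2020-04-06T10:00:01 203.0.113.7 alice@example.com FAIL
2020-04-06T10:00:02 203.0.113.7 bob@example.com FAIL
2020-04-06T10:00:03 198.51.100.20 dave@example.com FAIL
2020-04-06T10:00:04 203.0.113.7 carol@example.com OK
2020-04-06T10:00:05 203.0.113.7 erin@example.com FAIL
2020-04-06T10:00:09 198.51.100.20 dave@example.com FAIL
2020-04-06T10:00:10 203.0.113.7 frank@example.com FAIL
2020-04-06T10:00:12 203.0.113.7 grace@example.com FAIL
2020-04-06T10:00:15 198.51.100.20 dave@example.com OK
2020-04-06T10:01:00 192.0.2.50 ivan@example.com OK
2020-04-06T10:01:30 192.0.2.50 judy@example.com OK
2020-04-06T10:02:00 192.0.2.50 niaj@example.com FAIL
2020-04-06T10:02:10 192.0.2.50 olivia@example.com OK
2020-04-06T10:02:40 192.0.2.50 peggy@example.com OK
"""

WINDOW = timedelta(minutes=5)   # sliding window per source IP
MIN_DISTINCT_ACCOUNTS = 5       # stuffing sprays many accounts, one guess each
MIN_FAILURE_RATIO = 0.8         # most stolen pairs are stale, so most attempts fail

def parse(line):
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account.lower(), result == "OK"

def detect_stuffing(log_text):
    """Return {source_ip: accounts that logged in successfully within a flagged window}."""
    windows = defaultdict(deque)
    flagged = defaultdict(set)
    for line in filter(str.strip, log_text.splitlines()):
        ts, ip, account, ok = parse(line)
        win = windows[ip]
        win.append((ts, account, ok))
        while ts - win[0][0] > WINDOW:      # drop attempts older than the window
            win.popleft()
        accounts = {a for _, a, _ in win}
        failures = sum(1 for _, _, success in win if not success)
        if len(accounts) >= MIN_DISTINCT_ACCOUNTS and failures / len(win) >= MIN_FAILURE_RATIO:
            # Successes in a flagged window are likely valid stolen pairs: reset those accounts.
            flagged[ip].update(a for _, a, success in win if success)
    return {ip: sorted(hits) for ip, hits in flagged.items()}

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```

The single user retrying a mistyped password (198.51.100.20) and the shared office address with mostly successful logins (192.0.2.50) are not flagged, because each fails one of the two conditions.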
Video Conference Hijacking
Internet trolls and other rogue actors have organized to cause chaos in Zoom meetings, engaging in disruptive activity such as sharing explicit or inappropriate content, taunting meeting participants, and other interruptions. Schools have been targeted as students often publicly post meeting IDs and passwords or even the direct Zoom links for their online courses. However, it is important for corporations to consider that rogue actors may be interested in more than just trolling or causing disruption – they may be after sensitive corporate information or engaged in corporate espionage. This activity has now been coined “Zoom Bombing”, and a public statement has been made by the FBI regarding teleconferencing and online classroom hijacking.
Simple security practices can be implemented to reduce the risk of falling victim to video conference hijacking. Organizations should educate their employees on the risks of exposing meeting links and IDs, as well as implement strong password policies. In its statement, the FBI shared the following recommendations:
• Do not make meetings or classrooms public. In Zoom, there are two options to make a meeting private: require a meeting password or use the waiting room feature and control the admittance of guests.
• Do not share a link to a teleconference or classroom on an unrestricted publicly available social media post. Provide the link directly to specific people.
• Manage screen sharing options. In Zoom, change screen sharing to “Host-Only.”
• Ensure users are using the updated version of remote access/meeting applications. In January 2020, Zoom updated its software, added passwords by default for meetings, and disabled the ability to randomly scan for meetings to join.
Additionally, on the official Zoom website users can find resources and suggestions related to meeting security.