Getty Images/iStockphoto

New COVID-19 Phishing Campaigns Target Zoom, Skype User Credentials

Researchers have discovered two new phishing campaigns targeting user credentials for both Skype and Zoom, amid the spike in remote work tied to the COVID-19 pandemic.

Hackers are again taking aim at the increased number of remote workers during the COVID-19 pandemic through two new phishing campaigns: one attack method targets Skype credentials, while the other leverages fake Zoom videoconferencing meeting notifications.

The reports come following an FBI alert that warned cybercriminals are targeting the US healthcare sector with COVID-19 phishing attacks.

First, Cofense researchers discovered hackers are spoofing Skype amid the spike in remote work. The phishing emails evaded detection in accounts protected by Microsoft 365 EOP and Proofpoint, making it to the users’ inboxes.

“With so many people working from home, remote work software like Skype, Slack, Zoom, and WebEx are starting to become popular themes of phishing lures. We recently uncovered an interesting Skype phishing email that an end user reported to [Cofense] Phishing Defense Center,” researchers explained.

“For this attack, the threat actor created an email that looks eerily similar to a legitimate pending notification coming from Skype. The threat actor tries to spoof a convincing Skype phone number and email address,” they continued.

Though the sender address appears legitimate at first, the user can see the real sender address within the return-path display as “sent from”: researchers note this is really an external, compromised account.

The hackers are exploiting the compromised account to send more phishing campaigns disguised as messages from a trusted sender.

Researchers explained the threat actors are bank on urgency and curiosity, as many users may review unexpected notifications from the platforms their companies are leveraging for remote work during the Coronavirus crisis.

If a user clicks the malicious link, they’re shown an impersonated Skype login page that includes the recipient’s company logo on the login box and a disclaimer warning the page is for “authorized use.”

“The username is auto-filled due to the URL containing the base64 of the target email address, thus adding simplicity to the phishing page and leaving little room for doubt. The only thing left for the user to do is to enter his or her password, which then falls into the hands of the threat actor,” researchers explained.

The phishing campaign is hosted by an “.app top level domain,” which allows app developers to securely share their apps through a required HTTPS. Users know to look for an HTTPs for a secure connection. But as the phishing attacks are hosted on this platform, users may not detect that it’s actually a malicious site.

The use of HTTPs for phishing campaigns is not new. The FBI first warned hackers were leveraging “secure” websites to trick users in 2019, telling organizations hackers were “more frequently incorporating website certificates – third-party verification that a site is secure – when they send potential victims emails that imitate trustworthy companies or email contacts.”

But hackers are also leveraging this type of campaign to target Zoom users, as well. Abnormal Security researchers detected phishing attacks posing as Zoom meeting notifications. The email requests the user join a meeting about their job termination, asking users to first log into a fake Zoom page that will actually steal their credentials.

The attack has been seen in more than 50,000 email inboxes, hosted by the Office365 platform. The phishing campaign primarily targets employees in hopes of taking advantage of the spike in remote work.

Much like the Skype campaign, these phishing attacks leverage impersonation: disguising the malicious emails as authentic Zoom email meeting notifications and banking on urgency to trick victims into clicking the link.

The malicious landing page appears to be a legitimate “carbon copy” of a Zoom login page. Upon further inspection the only functioning feature of the page are the login fields used by the hackers to steal credentials.

Researchers stressed that most users would be “hard-pressed to understand” that the site was indeed malicious and not a legitimate Zoom page. Even frequent Zoom users might look at the login page, believe their session had expired, and attempt to sign in again.

“The email masquerades as an automated notification for an important meeting with HR regarding the recipient’s termination,” researchers explained. “The email contains a link to a fake Zoom login page hosted on ‘zoom-emergency.myftp.org.’ Links to the phishing page are hidden in text used in automated meeting notifications.”

“The email masquerades as a reminder that the recipient has a meeting with HR regarding their termination. When the victim reads the email they will panic, click on the phishing link, and hurriedly attempt to log into this fake meeting,” they continued. “Should recipients fall victim to this attack, login credentials as well as any other information stored on Zoom will be compromised.”

Zoom has remained a prime target for hackers throughout the pandemic, with the company itself facing backlash for multiple privacy issues, such as Zoombombing and other hacking efforts. In response, the videoconferencing platform has put its software development on hold and partnered with private sector stakeholders to improve the security of its platform.

The American Medical Association and American Hospital Association recently released telework guidance for the healthcare sector to help providers bolster their security and reduce some of these vulnerabilities.

Next Steps

Dig Deeper on Cybersecurity strategies