How Zoom is being exploited for phishing attacks
With so many of us depending on Zoom to work from home, cybercriminals are increasingly sending fake meeting invitations to dupe employees. Learn how easy it is to create a Zoom phishing email in this episode of Cyber Work Applied with Infosec Principal Security Researcher Keatron Evans.
Inside a Zoom phishing campaign
Since the start of COVID, millions of people have depended on Zoom for work-from-home meetings. In this episode of Cyber Work Applied, Keatron explains how threat actors are creating successful phishing campaigns by exploiting Zoom.
Cyber Work listeners get free cybersecurity training resources. Click below to get your free courses and other materials.
How Zoom phishing attacks work
The edited transcript of Keatron’s Zoom phishing attack walkthrough is provided below.
How threat actors leverage Zoom
(0:00- 0:18) Hi, I'm Keatron Evans. It's not a secret that one of the most popular tools to surface since COVID started is Zoom. In this video, I'm going to show you how threat actors are using its popularity in a very successful phishing campaign. Let's dive in.
Creating a Zoom phishing email
(0:19- 1:30) I recently talked to a CFO who is a victim of this attack, and she told me that on average, she receives about 15 Zoom meeting invites per day, which makes it difficult for her to think about not accepting one. Let me show you how it's done.
What I've done here is I've already set up a fake copy of the Zoom website using the Social-Engineer Toolkit (SET). And if you want to see how to do that, you can watch some of our other free videos on using SET.
Two year's worth of NIST-aligned training
Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.
So what I'm going to do now is log into an email account and forward — or send a Zoom meeting invite to our unknowing victim here. I'm going to log into the Keatron Hacks Gmail account here.
Here's the Zoom meeting and I'm simply going to forward this Zoom meeting request to our victim. So there's our Zoom meeting there. Simple enough — looks just like a regular Zoom meeting.
Sending fake Zoom meeting to victim
(1:31- 2:14) I'm going to forward that meeting request to our intended victim, Bob Vance.
So we sent it to Bob Vance. Now we're going to be the victim. We're going to go to Bob Vance's computer and see what Bob Vance sees in his email.
What you see here is a typical Zoom meeting invite email. This is a meeting invite to Bob Vance, Vance Refrigeration, from Keatron Hacks. And it's just got the link here to the Zoom meeting.
Victim clicks on Zoom meeting phishing link
(2:15- 3:21) Now as soon as Bob clicks this link, watch what happens. Bob's going to click the link, and it appears not much is going on except the browser's turning, but let's go look at the attacker side.
Waiting over here, the attacker had a fake copy of Zoom, which actually loaded malicious code. And what you're seeing here is the attacker's view of what Bob got just from clicking on that link. So now as the attacker, I can simply jump into that session, take a screenshot to prove that we now own Bob's machine.
So think about that for a second. The only thing Bob did was open his email, click on that Zoom meeting invite like he does every single day when he has to go to the Zoom meetings, and as a result of that, the lowly attacker now has complete control of Bob's machine.
This is why you really need to be careful when you're blindly clicking on those Zoom meeting invites, make sure that it's from someone who you think it's supposed to be from. Hope you enjoyed that.
More cybersecurity training resources
Want more free resources? Check out the weekly Cyber Work Podcast for in-depth conversations with cybersecurity practitioners and industry thought leaders.
Cyber Work listeners also get other free cybersecurity training resources. Check out the latest free courses and resources to keep learning!
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
In this Series
- How Zoom is being exploited for phishing attacks
- Keeping your inbox safe: How to prevent business email compromise
- The best 9 phishing simulators for employee security awareness training (2023)
- How to set up a phishing attack with the Social-Engineer Toolkit
- Extortion: How attackers double down on threats
- 11 phishing email subject lines your employees need to recognize [Updated 2022]
- Consent phishing: How attackers abuse OAuth 2.0 permissions to dupe users
- The state of BEC in 2021 (and beyond)
- Why employees keep falling for phishing (and the science to help them)
- Phishing attacks doubled last year, according to Anti-Phishing Working Group
- The Phish Scale: How NIST is quantifying employee phishing risk
- 6 most sophisticated phishing attacks of 2020
- JavaScript obfuscator: Overview and technical overview
- Malicious Excel attachments bypass security controls using .NET library
- Phishing with Google Forms, Firebase and Docs: Detection and prevention
- Phishing domain lawsuits and the Computer Fraud and Abuse Act
- Phishing: Reputational damages
- Spearphishing meets vishing: New multi-step attack targets corporate VPNs
- Phishing attack timeline: 21 hours from target to detection
- Overview of phishing techniques: Brand impersonation
- BEC attacks: A business risk your insurance company is unlikely to cover
- Cybercrime at scale: Dissecting a dark web phishing kit
- Lockphish phishing attack: Capturing android PINs & iPhone passcodes over https
- 4 types of phishing domains you should blacklist right now
- Email attack trend predictions for 2020
- 4 tips for phishing field employees [Updated 2020]
- How to scan email headers for phishing and malicious content
- Should you phish-test your remote workforce?
- Overview of phishing techniques: Fake invoice/bills
- Phishing simulations in 5 easy steps — Free phishing training kit
- Overview of phishing techniques: Urgent/limited supplies
- Overview of phishing techniques: Compromised account
- Phishing techniques: Contest winner scam
- Phishing techniques: Expired password/account
- Overview of Phishing Techniques: Fake Websites
- Overview of phishing techniques: Order/delivery notifications
- Phishing technique: Message from a friend/relative
- [Updated] Top 9 coronavirus phishing scams making the rounds
- Phishing technique: Message from the boss
- Cyber Work podcast: Email attack trend predictions for 2020
- Phishing techniques: Clone phishing
- Phishing attachment hides malicious macros from security tools
- Phishing techniques: Asking for sensitive information via email
- PayPal credential phishing with an even bigger hook
- Your 2020 tax scam training guide
- Abusing email rules
- 8 phishing simulation tips to promote more secure behavior
- Top types of Business Email Compromise [BEC]
- Be aware of these 20 new phishing techniques
- Phishing in academic environments
- Phishing-as-a-Service
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
