With many businesses and educational institutions increasingly relying on remote meetings during the COVID-19 outbreak, recent weeks have seen a significant push among hackers and other threat actors to exploit video-conferencing software to steal information, disrupt calls, and harass users.
At the heart of many of these threats is the Zoom video-conferencing service. This is unsurprising, as the platform has seen its popularity explode from a maximum of roughly 10 million daily users in late 2019 to more than 200 million individuals per day in March 2020. However, recent security concerns have led many organizations to urge employees and students to instead use alternative video solutions.
But there is a broader problem at play here: the role of the dark web in the sale and transmission of sensitive information such as video-conferencing credentials.
As the use of video-conferencing software has skyrocketed, we at Cybersixgill have seen it become a major topic of discussion within underground forums on the dark web. Although we saw little change between December 2019 and February 2020, in March we saw a 63% increase in mentions of video-conferencing platforms on underground forums as compared to February.
To shed light on this trend, we have compiled a detailed report on the latest dark-web activity putting users of video-conferencing software at risk. The report analyzes recent discussions of video-conferencing platforms on dark-web forums, examining both broad statistical trends and specific examples of messages posted within these forums. In addition, it offers best practices for safely participating in online video meetings.
Among the report’s key findings: On April 1, we discovered a link to 352 sets of leaked Zoom account details posted on the dark web – including names, email addresses, passwords, account types, meeting links, meeting IDs, and host keys. Later the same day, we discovered a link to 509 sets of Zoom account credentials posted by the same user.
Additionally, two days later, we discovered that a similar but larger collection was being offered on the dark web, including 802 sets of Zoom account details.
In all three cases, we saw that the vast majority of compromised accounts were linked to private email addresses, while fewer accounts used email addresses associated with businesses or educational institutions.
What do threat actors aim to do with video-conferencing software?
As our latest report shows, some of the mentions of video-conferencing software that we have recently found within underground forums suggested that threat actors were aiming to engage in “Zoombombing” – joining a video meeting specifically to disrupt it with profane, pornographic, or xenophobic messages or content, simply for the “fun” of it.
But other messages we uncovered within underground forums seemed to point to more ambitious goals. For example, our report highlights one posted message asking whether it is possible to hack users’ webcams and screens within Google Classroom, as well as another asking whether it’s possible to capture the IP address of a Zoom call’s host.
A threat actor seeks information with the aim of taking control of others’ webcams and screens within Google Classroom.
A threat actor seeks information with the aim of obtaining the IP address of the host of a video meeting on Zoom. Notably, not all mentions of video-conferencing programs that we have found on the dark web seemed to indicate malicious intent. There were cases in which threat actors simply posted advice or links to relevant educational resources, with no obvious ulterior motive.
But for those communicating on the dark web for nefarious purposes, stolen video-conferencing credentials can be a powerful tool. While some may simply look to troll other users, leaked account details could enable a threat actor to join a video call uninvited as part of a scheme to make money at the expense of the call’s participants. For example, sensitive information from a video call could be used to facilitate phishing attacks, to impersonate a specific individual, or to leak information publicly in order to cause reputational damage.
This creates an especially risky situation during the coronavirus outbreak, both because many users of video-conferencing programs are not yet familiar with best practices for using this software safely and because many professionals working from home have a lower level of security than they would at their workplaces.
Given the opportunistic nature of cybercrime, it is no surprise that video-conferencing software has become a major focus of those looking to exchange information on the dark web. Still, the findings covered in our latest report underscore the importance of both understanding the threats facing users of video-conferencing software and taking specific steps to minimize those threats.
Zoom says that it is taking users’ concerns seriously and investing resources in improving its security. Meanwhile, individual users of video-conferencing software can take steps to protect themselves online, such as taking advantage of privacy settings and other security features.
But the broader problems here will not be as easy to solve, especially the incentives driving the nefarious activities that we see within underground forums. The motivation of threat actors to steal, buy, sell, and share video-conferencing account details and other sensitive information remains strong, and the dark web continues to provide these individuals with a fast, convenient, and discreet way to transmit information.
In short, as long as video conferencing is common, it seems that threat actors will keep trying to exploit it in order to target both businesses and private individuals – a goal made easier by the anonymity of the dark web.
For a closer look at how the dark web puts users of video-conferencing software at risk – and for best practices to mitigate this threat – download Cybersixgill's full report Zooming in on Zoom: Discourse on Video Conferencing Applications in the Underground.