Security researchers have discovered that thousands of Zoom user credentials are being sold on Dark Web hacker forums for less than a penny, with some being given away for free by cyber criminals.
Researchers at Singapore-based cyber security firm Cyble.io recently discovered that hundreds of thousands of Zoom accounts were being put up for sale on Dark Web forums. While a majority of Zoom accounts were being sold for less than a penny each, some hackers were giving away Zoom accounts for free to generate goodwill among other hackers on such forums.
The firm observed that cyber criminals were sharing detailed lists of stolen password combinations and email addresses with each other via text sharing sites. The compromised data also included accounts belonging to the University of Colorado, Vermont, Lafayette, Dartmouth and Florida amongst others and were given away for free.
The researchers told Bleeping Computer that compromised Zoom login credentials were gathered by hackers through credential stuffing attacks, where cyber criminals logged in to Zoom using previously compromised credentials. They compiled a list of successful log-ins to pass on the information to other cyber criminals.
To verify what they suspected, the researchers contacted hackers selling Zoom accounts on the Dark Web and succeeded in purchasing approximately 530,000 Zoom credentials for less than a penny each at $0.0020 per account. The purchased accounts included passwords, email addresses, personal meeting URLs, and HostKeys of Zoom users.
“It is common for web services that serve consumers to be targeted by this type of activity, which typically involves bad actors testing large numbers of already compromised credentials from other platforms to see if users have reused them elsewhere. This kind of attack generally does not affect our large enterprise customers that use their own single sign-on systems,” Zoom said in response to Cyble’s findings.
“We have already hired multiple intelligence firms to find these password dumps and the tools used to create them, as well as a firm that has shut down thousands of websites attempting to trick users into downloading malware or giving up their credentials. We continue to investigate, are locking accounts we have found to be compromised, asking users to change their passwords to something more secure, and are looking at implementing additional technology solutions to bolster our efforts,” the videoconferencing giant added.
Earlier this month, security researchers at Trend Micro also found that hackers have been trying to install malicious cryptocurrency files in the legitimate Zoom installer to infect devices. “We found a Coinminer bundled with the legitimate installer of video conferencing app Zoom, luring users who want to install the software but end up unwittingly downloading a malicious file. The compromised files are not from Zoom’s official download center, and are assumed to come from fraudulent websites,” They said.
The researchers noted that the sudden rise in demand for conferencing solutions did not give service providers enough time to secure their applications and hackers are taking advantage of emerging security flaws.
“The sudden need to transition to a work-from-home setup left enterprises with little time to ramp up security measures to ensure that it fits the requirements demanded by remote work. It also exposes businesses to possible compromise due to threat actors abusing tools like video conferencing apps to propagate malware.
“Users are advised to only download installers from applications’ official websites to avoid such compromise. Users should also follow best practices for securing work-from-home setups. A multilayered protection approach is also recommended to effectively detect and block threats regardless of where they are in the system,” they added.