
Half a Million Zoom Accounts Compromised by Credential Stuffing, Sold on Dark Web

Scott Ikeda·April 27, 2020

The latest in Zoom’s seemingly never-ending string of security issues is about half a million user accounts that have come up for sale on a dark web forum. These Zoom accounts appear to have been collected via credential stuffing, using username and password combinations that were obtained in past breaches of other companies.

It’s to be expected that among the millions of users that have flocked to Zoom in the past two months will be some that re-use credentials that have been breached in other attacks, perhaps unbeknownst to them. However, the sheer number of Zoom accounts that were compromised in this way indicates that the video conferencing service has not been checking registered usernames and passwords against lists of known breached account credentials.

Zoom accounts for sale or rent, as low as $0.0020 per account

Cybersecurity firm Cyble discovered at least 530,000 Zoom accounts listed for sale on dark web hacker forums. The firm verified that the accounts are legitimate; each contains the username and password as well as registered email address, host key, and personal meeting URL. This gives a malicious actor access to not just the account, but to the contents of any meetings it might have either hosted or been a party to. So, in terms of private or confidential information leaking out, the total number of impacted parties is probably far greater than the number of accounts for sale.

Cyble combed through the list of available accounts and found that some belong to employees of Chase Bank and Citibank as well as a number of universities around the world.

Apparently aware that anyone else could use breached credential lists to do the same thing, the hackers are not asking a king’s ransom for these accounts. In most cases, they are asking a very modest convenience fee of as low as $0.0020 per account for access. Some were given away for free as apparent samples. Many of the compromised university accounts were offered as free samples, meaning that the contents of numerous classroom meetings are likely now exposed.

Zoom responded that it had hired “multiple intelligence firms” to investigate the credential stuffing incident and that it is “implementing additional technology solutions.” Additionally, the company is asking owners of breached accounts to change their passwords. It’s unclear who put the Zoom accounts up for sale, but Cyble indicated that they spoke Russian.

A predictable credential stuffing attack

Given that Zoom has added so many users in such a short period, a credential stuffing attack on the service was entirely predictable and should have been expected. This is not a breach of Zoom’s internal security, but it can still be regarded as another security failing by the company.

Credential stuffing attacks are more sophisticated than a basic “brute force” approach of trying lists of username and password possibilities with an automated script. The fact that over half a million valid logins were found indicates that Zoom did not have adequate preventive measures in place. Emmanuel Schalit, Cofounder & CEO at Dashlane, provides a succinct description of the process: “Credential stuffing attacks work by choosing a target site and analyzing the site’s login sequence and processes. Then, a hacker can either create an automated script or use a configurable credential stuffing software to systematically test if the stolen credentials successfully log in to the target site. To mask their activity, the hacker will rent botnets—networks of computers controlled by hackers using malware—or a list of proxy IP addresses to make it appear as if login attempts were coming from real users on various computers. Eventually, the hacker will be successful on some sites with some credentials and he is able to take over those accounts and successfully steal assets.”
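Because the attempts are spread across botnet or proxy addresses, a per-IP rate limit rarely fires; the signal on the defender's side is site-wide: many distinct usernames, each tried about once, almost all failing. The following detection sketch is an added example, not code from the article, Zoom or Cyble; the log format, thresholds and function names are assumptions, and the log lines are constructed.

```python
from collections import Counter, defaultdict

def constructed_events():
    """Constructed sample log: (epoch_seconds, source_ip, username, success)."""
    # Window 0: ordinary traffic, a few users, one mistyped password then a retry.
    events = [(5, "198.51.100.7", "alice", True), (20, "198.51.100.8", "bob", False),
              (25, "198.51.100.8", "bob", True), (40, "198.51.100.9", "carol", True)]
    # Window 1: 40 usernames, one try each, spread over 20 proxy addresses.
    for i in range(40):
        events.append((60 + i, f"203.0.113.{i % 20}", f"user{i}", i % 20 == 0))
    return events

def detect_stuffing(events, window=60, min_users=30, min_fail_rate=0.9,
                    max_tries_per_user=1.5, per_ip_limit=5):
    """Flag time windows whose site-wide login pattern matches credential stuffing."""
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        buckets[ts // window].append((ip, user, ok))
    findings = []
    for w, rows in sorted(buckets.items()):
        users = Counter(user for _, user, _ in rows)
        ips = Counter(ip for ip, _, _ in rows)
        fail_rate = sum(1 for _, _, ok in rows if not ok) / len(rows)
        # Brute force hammers one username; stuffing tries each pair about once.
        tries_per_user = len(rows) / len(users)
        if (len(users) >= min_users and fail_rate >= min_fail_rate
                and tries_per_user <= max_tries_per_user):
            findings.append({
                "window_start": w * window,
                "distinct_users": len(users),
                "distinct_ips": len(ips),
                "fail_rate": round(fail_rate, 2),
                # True when no single address exceeded a naive per-IP limit.
                "evades_per_ip_limit": max(ips.values()) <= per_ip_limit,
                # Logins that succeeded inside the burst: candidates for forced reset.
                "accounts_to_reset": sorted(u for _, u, ok in rows if ok),
            })
    return findings

if __name__ == "__main__":
    for finding in detect_stuffing(constructed_events()):
        print(finding)
```

The accounts that authenticated successfully during a flagged window are the ones most likely to have been taken over, so they are listed for password reset and session revocation.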

Companies that deal in the volume of users that Zoom now does usually have several measures in place to prevent credential stuffing attacks at the user end. One is to check the usernames or email addresses and passwords of newly created accounts against lists of known breached credentials; the user is prompted to choose a new password if they enter one that has already been breached. End users are able to do this for themselves by using free services such as Have I Been Pwned or Cyble’s own AmIBreached.
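A signup-time or password-change check of the kind described above can be done without sending the password, or even its full hash, to the breach-list service. The sketch below is an added example, not code from the article or from Zoom: it models the hash-prefix range lookup used by Have I Been Pwned's Pwned Passwords service, with a constructed local corpus in place of the network call; the function names and the max_seen threshold are assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed sample data standing in for a breached-password corpus: (password, times seen).
BREACHED = [("password1", 2400000), ("qwerty123", 500000), ("zoom2020", 1200)]

def sha1_hex(password):
    # SHA-1 is used only to match the lookup format, never to store passwords.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(corpus):
    """Service side: group 35-character hash suffixes under their 5-character prefix."""
    index = defaultdict(dict)
    for password, count in corpus:
        digest = sha1_hex(password)
        index[digest[:5]][digest[5:]] = count
    return index

INDEX = build_range_index(BREACHED)

def local_fetch_range(prefix):
    """Hypothetical stand-in for the HTTP range query; returns 'SUFFIX:COUNT' lines."""
    return "\r\n".join(f"{s}:{c}" for s, c in sorted(INDEX.get(prefix, {}).items()))

def breach_count(password, fetch_range=local_fetch_range):
    """Client side: disclose only the 5-character prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0

def validate_new_password(password, fetch_range=local_fetch_range, max_seen=0):
    """Reject a new password that appears in the breach corpus more than max_seen times."""
    count = breach_count(password, fetch_range)
    if count > max_seen:
        return False, f"password appears in {count} known breach records; choose another"
    return True, "ok"

if __name__ == "__main__":
    for candidate in ("zoom2020", "correct-horse-battery-staple-7491"):
        print(candidate, validate_new_password(candidate))
```

In production, fetch_range would issue the real range request; running the same check at login as well as at registration catches passwords that were breached after the account was created.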

Another option to defeat credential stuffing is to simply require some measure of two-factor authentication (2FA), such as a login code delivered by text message or email. Up until recently Zoom was not requiring users to even implement a meeting password by default, indicating that security was not a priority for the platform until breaches started generating a landslide of bad PR.

The negative consequences of this credential stuffing attack range beyond each of the individual Zoom accounts. The hacker that takes control of the account can now impersonate that person, launch new meetings or eavesdrop on other meetings the account has access to. Zoom meetings allow for the sharing of documents and files, and text messages between participants are also usually logged — attackers could have access to all of these things from previous meetings. And they might also send malware files or documents with malicious macros to the account’s contacts to create a chain of data breaches.

The loss of these Zoom accounts will be yet another obstacle in convincing businesses, the platform’s primary customer base prior to the coronavirus lockdowns, to stick around after the pandemic subsides. School use of the platform will likely drop off a cliff once face-to-face classes are cleared to resume, which looks likely to happen sometime in the fall as the new academic year begins.

Zoom accounts are not the only thing receiving heightened attention during the pandemic, however, and credential stuffing is not the only attack type to be more vigilant for. Competitors such as Cisco’s WebEx are also seeing a smaller but significant uptick in business, and one that may ramp up in the coming weeks if Zoom continues to stumble. The Cofense Phishing Defense Center has recently uncovered a sophisticated phishing operation that targets WebEx users, and Microsoft’s Detection and Response Team is reporting a great deal of new attention from sophisticated hackers (including state-backed groups) as more users adopt Microsoft Teams. The FBI also put out an advisory in March about an increase in business email compromise attempts on G Suite and Microsoft Office users.

While any service deserves to be taken to task for security lapses, end users can take precautions to protect themselves from credential stuffing attacks by using strong passwords, setting a different password for every account and enabling two-factor authentication.

Scott Ikeda
Senior Correspondent at CPO Magazine
Scott Ikeda has been a technology futurist and writer for more than 15 years. He travels extensively throughout Asia and writes about the impact of technology on the communities he visits. Over the last 5 years, Scott has grown increasingly focused on the future landscape of big data, surveillance, cybersecurity and the right to privacy.