Zoom has recently become a very popular video-conferencing solution for people in the Coronavirus lockdown. However, the rise in its user base has apparently also made the app a more attractive and lucrative target for hackers. According to a recent report by Bleeping Computer, over 500,000 Zoom accounts are being sold on the dark web. Moreover, some of these accounts are being given away for less than a penny, or worse, for free.
These hacked Zoom credentials are gathered via credential stuffing attacks on unaware users. Here, threat actors attempt to log in to Zoom using email and password pairs leaked in older data breaches, betting that people reuse the same password across services. The successful logins are then compiled into new lists that are sold to other hackers.
Some of these are then offered for free on hacker forums. This enables hackers to use them in Zoom-bombing pranks and other malicious activities. Other accounts are sold for less than a penny each. As per Cyble, a cybersecurity intelligence firm, large numbers of Zoom accounts began to show up on hacker forums, posted by actors looking to build their reputation in the hacking community.
These accounts are then simply shared via text-sharing websites, where the threat actors post lists of targeted victims. The lists contain the email IDs and passwords of those who have been compromised. Bleeping Computer contacted some randomly selected email IDs from the lists and confirmed that some of the credentials were correct. One user also mentioned that his leaked password was actually an older one. This suggests the credentials originate from older data breaches, reused in credential-stuffing attacks rather than obtained from a breach of Zoom itself.
Cyble went on to 'purchase' a large number of such accounts in bulk. This allowed the firm to warn the affected users of the risks. The purchase of about 530,000 Zoom credentials averaged about USD 0.002 (about Rs 0.15) per account. The purchased records include a victim's email address, password, personal meeting URL, and their host key (HostKey), the PIN that lets someone claim host control of a meeting.
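When a defender obtains such a dump, as Cyble did, the useful question for each entry is whether the leaked password still matches the account's current one (force a reset and revoke sessions now) or is stale (the "older password" case above, still worth a notification). The script below is an added example, not Cyble's or Zoom's code, that triages a constructed `email:password` excerpt against a hypothetical in-house password store using PBKDF2-HMAC-SHA256 from the standard library; the dump content, the users and the store layout are all assumptions, and the extra fields a real list carries (meeting URL, host key) are ignored because only the credential pair needs checking.

```python
import hashlib
import hmac
import os

# Constructed dump excerpt (fictional). Real lists sold on forums also carry
# the personal meeting URL and host key; they are not needed for triage.
LEAKED_DUMP = """\
alice@example.com:Winter2019!
bob@example.com:hunter2
mallory@example.com:letmein
carol@example.com:correct horse battery staple
"""

# Hypothetical current passwords for the demo store. bob has already rotated
# away from the leaked value; mallory is not an account we own at all.
DEMO_USERS = {
    "alice@example.com": "Winter2019!",
    "bob@example.com": "a-new-password-since-the-breach",
    "carol@example.com": "correct horse battery staple",
}

PBKDF2_ITERATIONS = 100_000  # kept modest so the demo runs quickly


def hash_password(password, salt, iterations=PBKDF2_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256 digest, the shape a sane store keeps instead of plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_store(users):
    """Build {email: (salt, digest)} from plaintext passwords (demo only; never store plaintext)."""
    store = {}
    for email, password in users.items():
        salt = os.urandom(16)
        store[email] = (salt, hash_password(password, salt))
    return store


def triage_dump(dump_text, store):
    """Classify each leaked pair as current, stale, or unknown_user against the store."""
    verdicts = {}
    for line in dump_text.splitlines():
        if ":" not in line:
            continue  # skip banners, blank lines and malformed entries
        email, leaked_password = line.split(":", 1)
        email = email.strip().lower()
        if email not in store:
            verdicts[email] = "unknown_user"
            continue
        salt, stored_digest = store[email]
        candidate = hash_password(leaked_password, salt)
        # Constant-time comparison, same as a login check would use.
        if hmac.compare_digest(candidate, stored_digest):
            verdicts[email] = "current"   # live credential: force reset, revoke sessions
        else:
            verdicts[email] = "stale"     # old password: notify, watch for reuse elsewhere
    return verdicts


def run_demo():
    return triage_dump(LEAKED_DUMP, make_store(DEMO_USERS))


if __name__ == "__main__":
    for email, verdict in run_demo().items():
        print(f"{email}: {verdict}")
```

Run this where the password store already lives (the identity provider or auth service), not by copying hashes elsewhere: the check is exactly a login attempt without the session, so it should be audited and rate-limited like one. Accounts marked `current` should also have any host key reset, since the leaked records include it and a fresh password alone does not invalidate it.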