Victim of Zoom Bombing? Stop the Trolls from Invading Your Video Conferences
Researchers at the cybersecurity company Cyble have discovered that more than 500,000 sets of Zoom user credentials are being offered on the Dark Web, some for sale and some for free. The situation was first uncovered on April 1, when half a million Zoom accounts were listed for sale at a price of $0.002 per account.
Zoom, a video conferencing platform, is under criticism, especially now that a large part of the world’s population is working from home due to the spread of the COVID-19 pandemic. The information compromised in this incident includes email addresses, passwords, personal meeting URLs and host keys.
What is even more worrying is that, according to Cyble, many of the accounts were sold for next to nothing, while others were given away on hacker forums. Accounts obtained this way can be used for what is known as Zoombombing: dropping into other people’s Zoom calls and posting offensive or graphic content.
What’s Going On?
The most recent Zoombombing situations have seen online trolls screaming racist remarks in a meeting of women of color. Others have also included taunting individuals taking part in an Alcoholics Anonymous meeting, as well as projecting anti-Semitic slurs at a virtual synagogue.
According to Cyble, these accounts started to pop up on the Dark Web at the beginning of April, with the hackers wanting to boost their reputation amongst fellow hackers.
The accounts were shared via text sharing sites. Cyble bought around 530,000 Zoom accounts and said that some belonged to large companies such as Citibank and Chase, and that around 290 were college-related accounts. These include accounts from the University of Vermont, University of Florida, Dartmouth, Lafayette, and the University of Colorado.
How Did This Happen?
So, how exactly did this happen so suddenly? These Zoom accounts were not obtained by breaking into Zoom itself but through a technique known as credential stuffing.
This is when cybercriminals take usernames, email addresses and passwords exposed in earlier data breaches and test them against Zoom’s login to find users who reused the same password. The credentials that work are compiled into lists and sold to the highest bidder.
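The telltale pattern of credential stuffing on the receiving end is a burst of login attempts from one source against many different accounts, mostly failing, with the occasional success on an account whose owner reused a breached password. The following detection logic is an added illustration written for this article, not code from Zoom or Cyble; the log line format, the sample entries and the thresholds are constructed assumptions.

```python
"""Credential-stuffing detection over authentication logs.

Added example for this article (not Zoom's or Cyble's code). The log
format "<timestamp> <OK|FAIL> user=<email> ip=<addr>", the sample lines
and the thresholds are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one IP sprays many accounts in a few seconds and
# hits one reused password; a second IP is a legitimate user who typos twice.
SAMPLE_LOG = """\
2020-04-01T10:00:01Z FAIL user=alice@example.edu ip=203.0.113.7
2020-04-01T10:00:02Z FAIL user=bob@example.edu ip=203.0.113.7
2020-04-01T10:00:02Z FAIL user=carol@example.com ip=203.0.113.7
2020-04-01T10:00:03Z OK   user=dave@example.com ip=203.0.113.7
2020-04-01T10:00:04Z FAIL user=erin@example.org ip=203.0.113.7
2020-04-01T10:00:05Z FAIL user=frank@example.org ip=203.0.113.7
2020-04-01T10:00:06Z FAIL user=grace@example.com ip=203.0.113.7
2020-04-01T10:05:00Z FAIL user=alice@example.edu ip=198.51.100.9
2020-04-01T10:05:20Z FAIL user=alice@example.edu ip=198.51.100.9
2020-04-01T10:05:40Z OK   user=alice@example.edu ip=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+ip=(?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one constructed-format log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ok": m["result"] == "OK",
        "user": m["user"].lower(),
        "ip": m["ip"],
    }


def detect_credential_stuffing(log_text, window=timedelta(minutes=5), min_distinct_users=5):
    """Flag source IPs that try many distinct accounts within one time window.

    Any account that logged in successfully from a flagged IP inside that
    window is a candidate for a forced password reset, which is the response
    Zoom described for accounts it found compromised.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    flagged_ips = set()
    accounts_to_reset = set()
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        # Sliding window over this IP's attempts, ordered by time.
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            window_events = events[start:end + 1]
            distinct_users = {e["user"] for e in window_events}
            if len(distinct_users) >= min_distinct_users:
                flagged_ips.add(ip)
                accounts_to_reset.update(e["user"] for e in window_events if e["ok"])
    return {"flagged_ips": flagged_ips, "accounts_to_reset": accounts_to_reset}


if __name__ == "__main__":
    result = detect_credential_stuffing(SAMPLE_LOG)
    print("Flagged source IPs:", sorted(result["flagged_ips"]))
    print("Accounts to reset:", sorted(result["accounts_to_reset"]))
```

The distinguishing signal is the number of different usernames tried from one source, not the raw failure count: a single user who mistypes their own password twice is never flagged, while the spraying IP is flagged as soon as its fifth distinct account appears, and the one account it did get into is queued for a reset.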
Zoom has put out a statement saying that they have hired intelligence firms to try and uncover who has been affected and to reset passwords.
“It is common for web services that serve consumers to be targeted by this type of activity, which typically involves bad actors testing large numbers of already compromised credentials from other platforms to see if users have reused them elsewhere.
This kind of attack generally does not affect our large enterprise customers that use their own single sign-on systems. We have already hired multiple intelligence firms to find these password dumps and the tools used to create them, as well as a firm that has shut down thousands of websites attempting to trick users into downloading malware or giving up their credentials.
We continue to investigate, are locking accounts we have found to be compromised, asking users to change their passwords to something more secure, and are looking at implementing additional technology solutions to bolster our efforts.”
Anyone affected by a credential stuffing attack such as this one is strongly advised to use a unique password for every website where an account is registered.
If you want to know whether your email address has been leaked in possible data breaches you can check on Have I Been Pwned and Cyble’s AmIBreached. These two services will list any data breaches that contain your email address.
It is important to remember that Zoom itself was not hacked in this incident, but the company has faced related controversies. Recently, it was sued along with Facebook and LinkedIn, as the two social media companies allegedly obtained information from Zoom users’ calls.
‘The lawsuit alleges that through Zoom’s iOS Login Feature – which would appear to a user as an option for “Login with Facebook” – Facebook could allegedly collect Zoom users’ information, even if the person did not use the login feature and did not even have a Facebook account, the lawsuit states.
“Facebook collected the personal information by willfully and intentionally using a recording device to record and eavesdrop on, and by otherwise reading, attempting to read and learning the contents and meaning of, communications between the participants’ computers and Defendant Zoom’s server,” according to the suit.’
Growing concerns about data mining add to the criticism of Zoom’s business practices, as many health providers, public schools, employers, and even prime ministers are using the platform due to COVID-19.
“An analysis by The New York Times found that when people signed in to a meeting, Zoom’s software automatically sent their names and email addresses to a company system it used to match them with their LinkedIn profiles.
The data-mining feature was available to Zoom users who subscribed to a LinkedIn service for sales prospecting, called LinkedIn Sales Navigator. Once a Zoom user enabled the feature, that person could quickly and covertly view LinkedIn profile data — like locations, employer names and job titles — for people in the Zoom meeting by clicking on a LinkedIn icon next to their names.”
What is Zoom Doing to Prevent Future Attacks?
Zoom has put in extra effort to improve the privacy and security of the popular video conferencing platform. On April 8 the company announced that it would shift its focus to addressing the current privacy and security issues under a 90-day plan.
Zoom has also formed a CISO council to collaborate and share ideas on security and privacy issues.
“Starting April 18, account admins will have the ability to choose whether or not their data is routed through specific data center regions, giving users more control of their interactions with Zoom’s global network.”
There will also be a revival of the bug bounty program, led by the founder and CEO of Luta Security, Katie Moussouris.
“Zoom will be working with Luta Security to reboot our bug bounty program. Luta Security was founded by Katie Moussouris, who created some of the most important vulnerability programs still running today.
She started Microsoft Vulnerability Research and Symantec Vulnerability Research, and also started Microsoft’s and the Pentagon’s bug bounty programs. Luta Security will be assessing Zoom’s program holistically with a 90-day “get well” plan, which will cover all internal vulnerability handling processes.”
Perhaps the biggest highlight of Zoom’s upcoming improvements is the new Report a User feature. This will be added to the video conferencing platform and will be accessible through the newly implemented Security icon found on the bottom toolbar.
The new feature will make it much faster and easier to report Zoombombers, allowing Zoom to block those users from the platform altogether.
Zoom has taken its stance on security quite seriously, and since April 8 it has enabled waiting rooms and meeting passwords by default for all Free, Basic and Pro users. K-12 Zoom users will have to enter a password in order to join.
There will also be a Security icon for hosts and co-hosts, giving them one-click access to a number of Zoom features, including Enable the Waiting Room and Lock Meeting.
Starting April 10, complex passwords were introduced by default for cloud recording. These must be eight characters in length. Third-party sharing has also been enabled after a security review.
Zoom Bombing is Illegal and a Punishable Offense
Following the rise of Zoombombing attacks recently, the Department of Justice and Offices of the United States Attorney have warned that those taking part can be charged with both federal and state crimes.
Due to more people working remotely and practicing social distancing due to COVID-19, Zoom has become heavily used for corporate meetings, exercise classes, religious ceremonies, online classrooms, and social gatherings in general.
Zoom-bombing includes crashing those online meetings, recording them for pranks to be shared on social media platforms such as TikTok and YouTube, and spreading hate speech, threatening language, and offensive images.
In a press release posted on the Department of Justice website, it is stated that these actions are federal and state crimes punishable by fines and even imprisonment.
“You think Zoom bombing is funny? Let’s see how funny it is after you get arrested,” stated Matthew Schneider, United States Attorney for Eastern Michigan. “If you interfere with a teleconference or public meeting in Michigan, you could have federal, state, or local law enforcement knocking at your door.
It is a shame that during a pandemic which is causing fear and anxiety across the globe that there are wrongdoers seeking to disrupt virtual environments which have become essential to communication, teleworking and online learning,” said Special Agent in Charge Steven M. D’Antuono. “While Michiganders are sheltering in place, it is important to practice good cyber hygiene. We encourage our communities to visit fbi.gov or ic3.gov to learn more about tips they can take to keep their devices secure.”
If any individual is found to be disrupting online meetings, charges can include: disrupting a public meeting, using a computer to commit a crime, fraud, hate crimes, computer intrusion, and transmitting threatening communications.
How to Secure Your Zoom Account
Now that you are aware of some of the privacy risks of using Zoom, these are the ways you can secure your Zoom meetings.
Add a Password to all Meetings
Whenever you create a new Zoom meeting, the Require Meeting Password setting, which generates a random password for the meeting, is checked by default. Under no circumstances should you uncheck this option. If you do, anyone who learns the meeting ID can join without needing your permission.
Use Waiting Rooms
Zoom lets the person creating the meeting, the host, enable a waiting room feature. This prevents users from entering a meeting until the host admits them.
The feature can be enabled when you are creating a new meeting. It is found under the advanced options: check Enable Waiting Room and then click Save.
When this feature is enabled, all users that join a meeting are placed in the waiting room with the message, “please wait, the meeting host will let you in soon.”
The host is then notified whenever someone joins the meeting and can see who is waiting by clicking the Manage Participants button on the meeting toolbar.
Hover over each waiting user and click Admit to let them into the meeting.
Keep Your Zoom Client Updated
Whenever you are prompted to update your Zoom client, you should.
As mentioned earlier, Zoom is introducing a number of new features and updates in the next few months, many of which focus on protecting your security and privacy.
With Zoom’s popularity skyrocketing recently, more cybercriminals will be looking for vulnerabilities in it. Installing the latest updates protects you against the vulnerabilities that have already been discovered and fixed.
Keep Your Meeting ID Private
Every Zoom user is given a permanent Personal Meeting ID (PMI). The PMI is tied to your account, so anyone you have given it to can always check whether you are in a meeting and possibly join it if no password is set.
Rather than sharing your PMI with others, create a new meeting ID each time and share it with participants only when needed.
Lock Down the Meeting When all Users Have Joined
Once everyone is accounted for in your meeting and you aren’t waiting on anyone else, we recommend locking the meeting so that nobody else can join.
To do this, click the Manage Participants button on the Zoom toolbar, select More at the bottom of the Participants pane, and then select Lock Meeting.
Don’t Post Pictures of Your Zoom Meetings
If you post a screenshot of your Zoom meeting, anyone who sees it can read the meeting ID, and uninvited people can then use it to attempt to access the meeting.
In late March, the UK Prime Minister tweeted a picture of himself chairing the first-ever digital cabinet meeting. In that picture the meeting ID is clearly visible and could have been used by attackers attempting to gain access.
Be Careful of Zoom-Themed Malware
Since the COVID-19 outbreak, there has been a large increase in phishing scams, malware, and other attacks themed around the pandemic. Unfortunately, this includes malware and adware installers disguised as Zoom client installers.
“During the past few weeks, we have witnessed a major increase in new domain registrations with names including “Zoom”, which is one of the most common video communication platforms used around the world. Since the beginning of the year, more than 1700 new domains were registered and 25% of them were registered in the past week. Out of these registered domains, 4% have been found to contain suspicious characteristics.”
To stay safe from this malware and similar attacks, only download the Zoom client directly from the Zoom.us website, never from any other site.
Use a Password Manager
The average person has more than 150 accounts. That is far too many complex, unique passwords for anyone to remember. Truth be told, most of us use terrible passwords that are easily guessed, such as loved ones’ names, birthdays, favorite vacations, and so on.
With a password manager, you no longer have to think up new, secure passwords or worry about losing them. All good password managers have a built-in generator that creates a strong password and saves it for you. You can also import the passwords of your existing accounts to have their strength checked, and the manager will tell you when to change a password because it has appeared in a data breach.
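The two things a password manager does behind the scenes, generating a password from a cryptographic random source and checking whether a password already appears in a breach corpus without revealing the password, are shown in the added example below. It is not code from any password manager or from Zoom. The breach check uses the k-anonymity range query that the Have I Been Pwned Pwned Passwords service exposes (the client sends only the first five hex characters of the SHA-1 hash and compares the returned suffixes locally); the response body used here is a constructed sample rather than a live lookup, and the hit count in it is a made-up value.

```python
"""Strong password generation and a k-anonymity breach check.

Added example for this article, not a password manager's or Zoom's code.
The range response below is constructed; only its shape (one
"SUFFIX:COUNT" line per hash sharing the queried 5-character prefix)
follows the Pwned Passwords range API, and the count is a made-up value.
"""
import hashlib
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20):
    """Return a random password that contains lower, upper and digit characters."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


def sha1_prefix_suffix(password):
    """Split the uppercase SHA-1 hex digest into the 5-char prefix sent to
    the service and the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(prefix):
    """URL a client would query for this prefix (no network call is made here)."""
    return f"https://api.pwnedpasswords.com/range/{prefix}"


def breach_count(password, range_response):
    """Return how many times the password appears in the breach corpus
    according to a range response for its prefix, or 0 if absent."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_response.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def password_issues(password, range_response, min_length=12):
    """List the reasons a manager would flag this password for replacement."""
    issues = []
    if len(password) < min_length:
        issues.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in password) or not any(c.islower() for c in password):
        issues.append("missing mixed case")
    if not any(c.isdigit() for c in password):
        issues.append("missing digits")
    hits = breach_count(password, range_response)
    if hits:
        issues.append(f"seen {hits} times in breach data")
    return issues


# Constructed range response for prefix 5BAA6 (the prefix of SHA-1("password")).
# The two other suffixes are invented filler; the counts are made-up values.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:7
FFEEDDCCBBAA99887766554433221100AAB:2
"""

if __name__ == "__main__":
    print("Issues with 'password':", password_issues("password", SAMPLE_RANGE_5BAA6))
    fresh = generate_password()
    print("Generated:", fresh, "issues:", password_issues(fresh, SAMPLE_RANGE_5BAA6))
```

Because only the five-character prefix leaves the device, the service learns nothing useful about the password being checked, which is what makes it acceptable for a password manager to run this check against every stored credential.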
For many of us, using Zoom is currently unavoidable, whether for work, school, fitness, or other necessary tasks. Attackers know this and are wreaking havoc by dropping into Zoom calls uninvited.
Zoombombing has now been deemed illegal and is a punishable offense. Still, it is vital to know how to keep your security and privacy intact while using this video conferencing platform. Follow the steps above, and you shouldn’t have any trouble with future Zoom meetings.