
Zoom Phishing Attacks - Don't Get Caught On The Hook

Publish date: April 5, 2020
The COVID-19 pandemic has forced a large part of the world’s population to practice social distancing and work from home. This means more of us are using various platforms to keep in touch with family and friends and to keep up with work commitments remotely. Zoom screen sharing is one of the most popular ways to stay in contact, especially when it comes to the remote workforce.

“Zoom is used by over 60% of Fortune 500 companies and over 96% of the top 200 universities in the US. These organizations use the conferencing tool as a means of easily conducting remote meetings, complete with live audio and video feeds, as well as screen sharing and file transfers.”

Vulnerabilities Regarding Zoom’s Mac App

Zoom’s Mac app has been part of a security scandal recently where a security researcher published several privacy and security issues with the increasingly popular video conferencing software. One such issue allowed websites to turn on the webcam of a Mac user without their explicit consent or even knowledge.

Jonathan Leitschuh, a security engineer at open-source system Gradle “publicly disclosed details of how an attacker could set up a malicious call, trick users into clicking a link to join it, and instantly add their video feed, letting them look into a victim’s room, office, or wherever their webcam is pointing. In addition, Leitschuh found that attackers could also launch a denial of service attack against Macs by using the same mechanism to overwhelm them with join requests.”

This allowed any third party to drop a user into a call, letting attackers hijack webcams.

“Without the user giving any explicit consent nor taking any explicit action, they would be instantly dropped into a Zoom meeting,” Leitschuh says of a malicious Zoom call attack. “By default, Zoom shows video but doesn’t send audio, though both settings are changeable. So depending on their video and audio settings, victims would potentially be immediately broadcasting themselves, perhaps even without their knowledge if they’re not looking at their screen.”

Leitschuh found that rather than making AJAX requests, the server was able to use the dimensions of an image from Zoom in order to handle error and status codes. This approach allowed the bypassing of cross-origin resource sharing restrictions. However, that isn’t the only security flaw Zoom has seen.

“This Zoom vulnerability is especially concerning and downright creepy because it doesn’t require a user to be on a Zoom call,” says Tenable’s David Wells. “The Zoom flaw I found last year would allow an attacker to invoke keystrokes on remote machines, even without being a meeting attendee. Combining both vulnerabilities in a targeted attack would be extremely dangerous.”

This isn’t the first vulnerability that has involved online cameras, but what does it mean for businesses in particular? With so many companies going remote, and Zoom having the ability to host tens of thousands of participants in one call, it would not be an issue for a cybercriminal to sneak into a Zoom call unannounced without the other users noticing.

“This is a very disturbing set of bugs, but unsurprising given other Zoom issues I’ve observed and reported in the past. The local web server is honestly the most concerning part, and it’s not fixed,” says Thomas Reed, a Mac research specialist at the security firm Malwarebytes. “The web server is concerning because of the possibility that someone could find a way to use it remotely to trigger remote code execution.”
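The pattern described above, a localhost helper that any web page can reach and that reports status through image dimensions, shown next to a hardened variant. This is an added example, not Zoom's code; every route, header, origin and size value in it is a hypothetical placeholder.

```javascript
// Added illustration, not Zoom's code: all names, routes and values are hypothetical.
// Weak pattern: a localhost helper acts on any GET and reports the outcome as
// image dimensions. A page on any origin can load it in an <img> and read
// naturalWidth/naturalHeight, so CORS never gets a say.
const SIZE_FOR_STATUS = { launched: [1, 1], error: [1, 2] }; // constructed table

function weakHandler(req) {
  if (req.method === "GET" && req.path === "/launch") {
    return { joinMeeting: true, image: SIZE_FOR_STATUS.launched };
  }
  return { joinMeeting: false, image: SIZE_FOR_STATUS.error };
}

// Hardened pattern: a state-changing call needs POST, a custom header (an <img>
// or plain form cannot send one, and it forces a CORS preflight) and an Origin
// on the allowlist. No status is exposed through a channel readable without CORS.
const ALLOWED_ORIGINS = new Set(["https://meetings.example"]); // placeholder origin

function hardenedHandler(req) {
  const origin = req.headers["origin"];
  const trusted = ALLOWED_ORIGINS.has(origin);
  if (req.method === "OPTIONS") { // preflight: approve only the allowlisted origin
    return trusted
      ? { status: 204, allowOrigin: origin, joinMeeting: false }
      : { status: 403, joinMeeting: false };
  }
  const marked = req.headers["x-helper-request"] === "1";
  if (req.method !== "POST" || req.path !== "/launch" || !marked || !trusted) {
    return { status: 403, joinMeeting: false };
  }
  return { status: 200, allowOrigin: origin, joinMeeting: true };
}

// Constructed requests: an <img> load from an untrusted page (no custom header,
// no allowlisted Origin) and a fetch() from the allowlisted site.
const imgFromOtherSite = { method: "GET", path: "/launch", headers: {} };
const fetchFromOwnSite = {
  method: "POST", path: "/launch",
  headers: { origin: "https://meetings.example", "x-helper-request": "1" },
};

function demo() {
  return {
    weakJoins: weakHandler(imgFromOtherSite).joinMeeting,
    hardenedBlocksImg: !hardenedHandler(imgFromOtherSite).joinMeeting,
    hardenedAllowsOwnSite: hardenedHandler(fetchFromOwnSite).joinMeeting,
  };
}
console.log(demo());
```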

Preventing Attackers Hijacking Webcams

Now, this particular issue was solved in August, with Zoom stating, “the privacy and security of Zoom’s users is our top priority—we have continued to add additional features and functionalities to further strengthen our platform. We thank the Check Point team for sharing their research and collaborating with us.”

If you are a new user, there are a number of things you should be aware of when it comes to Zoom calls. For example, should you look into the Zoom privacy policy you will find that Zoom allows your boss to track your attention during calls. It also has the ability to share copious amounts of data that it collects with third parties, and still has a major security weakness.

Firstly, Zoom knows if you are paying attention to the call. This is because whenever you host a Zoom call you have the option of activating the Zoom attendee attention tracking feature. It works by letting the call’s host know whenever a call’s participant doesn’t have either the Zoom Desktop Client or the Zoom mobile app in focus for any more than thirty seconds.

Basically, if you click away from Zoom whilst in a call, the host will know after half a minute. This includes actions like opening up your notes app, checking any emails or attempting to respond to a message on another app. It also only works if someone within the call is sharing their screen.

Obviously just because you’re not directly looking at the Zoom screen doesn’t mean you’re not paying attention or doing any work. It should also be noted that should your host decide to record the call, it can be replayed later.

Zoom saves a TXT file of your communications from your meeting and shares it with your boss. On the Zoom support page, you will see that the saved chat will only include messages from the host to all of the participants, however, it doesn’t really state what happens with direct messages between the other attendees within the call.

When it comes to personal privacy, you should know that Zoom not only tracks your attention but also tracks you too. Within its privacy policy, Zoom states that it collects a bunch of data about you such as your name, email address, phone number, physical address, employer, and job title. In fact, even if you don’t make a Zoom account, it will record and keep various data about your IP address and what device you’re using.

If you use Facebook to log in to Zoom it will also record information from your Facebook profile such as any information you upload or create. The privacy policy does say that Zoom will not sell your personal data for money to any third parties, however, it will share personal data with third parties for business purposes. This includes passing your personal information to Google.

“We do not allow third parties to use any Personal Data obtained from us for their own purposes unless it is with your consent (e.g. when you download an app from the Marketplace). So in our humble opinion, we don’t think most of our users would see us as selling their information, as that practice is commonly understood.

That said, Zoom does use certain standard advertising tools that require Personal Data (think, for example, Google Ads and Google Analytics). We use these tools to help us improve your advertising experience (such as serving advertisements on our behalf across the Internet, serving personalized ads on our website, and providing analytics services).

Sharing Personal Data with the third-party provider while using these tools may fall within the extremely broad definition of the “sale” of Personal Data under certain state laws because those companies might use Personal Data for their own business purposes, as well as Zoom’s purposes. For example, Google may use this data to improve its advertising services for all companies who use their services. (It is important to note advertising programs have historically operated in this manner. It is only with the recent developments in data privacy laws that such activities fall within the definition of a “sale”). If you opt-out of “sale” of your info, your Personal Data that may have been used for these activities will no longer be shared with third parties.”

Zoom screen sharing might be growing in popularity, but new users should be aware that Zoom was the subject of a privacy complaint lodged by the Electronic Privacy Information Center (EPIC) just last year, claiming that “Zoom intentionally designed its web conferencing service to bypass browser security settings and remotely enable a user’s web camera without the knowledge or consent of the user.”

For those of you that are requested to use Zoom for business or other purposes, there are some tips that you can follow in order to keep yourself safe.

  1. Never log in with Facebook – while it might save you time, it is also poor security practice and will drastically increase the amount of personal information Zoom accesses.
  2. Use two devices whilst in a call – when you’re on a Zoom call on your computer you should use your phone to check your emails or communicate with other attendees. That way the attention tracking alert will not be triggered.
  3. Keep your Zoom app updated – this will ensure you have access to the latest security updates.

Conclusion

With the sudden spread of the coronavirus, there has been a surge in organizations, businesses, and universities that have turned to online conferencing tools to keep functioning. Zoom is one of the platforms that has gained the most popularity lately, but it also comes with a range of privacy issues that include monitoring of your computer activity as well as collecting personal data.

Just last year, cybersecurity professionals and experts attempted to contact Zoom in order to patch some serious vulnerabilities regarding Zoom’s Mac app. Unfortunately, the company failed to provide a timely and adequate response. This raises doubts as to whether Zoom is taking satisfactory measures in protecting user privacy.
