Cybercriminals are using spoofed messages and images from Zoom and Cisco WebEx as lures in new phishing campaigns that are designed to steal credentials or distribute malware, according to the security firm Proofpoint.

These new campaigns, which started in late March, attempt to take advantage of employees who are working from home during the COVID-19 pandemic and relying more heavily on video conferencing technologies, according to the new Proofpoint report.

Cybercriminals are using phishing emails to entice at-home workers to enter their credentials into fake landing pages designed to spoof the webpages of Zoom and WebEx. Those passwords and usernames are then harvested by the attackers, according to Proofpoint.

“Threat actors are carefully following the coronavirus news cycle and aligning their social engineering-based attacks to those themes,” Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, tells Information Security Media Group. “As the pandemic and work-from-home orders continue, we can expect that the volume of these types of lures will only continue to increase.”

Targeting Credentials

Since March 27, Proofpoint researchers have observed five ongoing phishing campaigns using spoofed landing pages designed to look like Zoom’s sites and two campaigns spoofing WebEx, DeGrippo says.

These campaigns are targeting employees in a wide range of U.S. business sectors, including technology, accounting, aerospace, energy, healthcare, telecommunications, transportation, government and manufacturing, according to the report.

In one of the campaigns spoofing WebEx, the phishing emails are sent from addresses such as “cisco@webex[.]com” and “meetings@webex[.]com,” with subject lines such as “Critical Update!” or “Your account access will be limited in 24h.” The messages are designed to entice recipients to click on links embedded in the message.

These emails claim that victims need to update their WebEx accounts to fix a security vulnerability listed as CVE-2016-9923, which is a legitimate software flaw. The phishing email then guides targeted users to a link that leads to a spoofed landing page, which then asks them to input their credentials, according to the report.

Phishing campaign spoofing Cisco WebEx (Source: Proofpoint)
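A mail-gateway triage check for the WebEx lure described above, as an added example that is not from Proofpoint's report: it flags mail whose From domain is webex.com without a DMARC pass stamped by the receiving gateway, and mail carrying the quoted subject lines. The gateway name `mx.example.org`, the helper names and the sample messages are constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

TRUSTED_AUTHSERV_ID = "mx.example.org"  # assumption: our own gateway's authserv-id
SPOOFED_DOMAINS = {"webex.com"}         # sender domain named in the report
SUBJECT_LURES = ("critical update!", "your account access will be limited in 24h")

def dmarc_result(msg):
    """DMARC verdict from our gateway's Authentication-Results header, else 'none'."""
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, _, results = str(value).partition(";")
        if authserv_id.strip().split(" ")[0].lower() != TRUSTED_AUTHSERV_ID:
            continue  # not stamped by our gateway, so the sender may have forged it
        m = re.search(r"\bdmarc=([a-z]+)", results, re.IGNORECASE)
        return m.group(1).lower() if m else "none"
    return "none"

def triage(raw):
    """Return the list of reasons a raw RFC 5322 message looks like this lure."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    subject = str(msg.get("Subject", "")).strip().lower()
    reasons = []
    # A visible From of webex.com is only trustworthy when DMARC passed.
    if domain in SPOOFED_DOMAINS and dmarc_result(msg) != "pass":
        reasons.append("brand-sender-unauthenticated")
    if any(lure in subject for lure in SUBJECT_LURES):
        reasons.append("subject-lure")
    return reasons

def sample(auth_results, sender, subject):
    """Build a constructed test message (not a captured email)."""
    return (f"Authentication-Results: {auth_results}\nFrom: {sender}\n"
            f"To: user@example.org\nSubject: {subject}\n\nbody\n")

# Constructed samples: a spoof that fails DMARC, a spoof carrying a forged
# "pass" from a foreign authserv-id, and an authenticated message.
SPOOFED = sample("mx.example.org; spf=fail smtp.mailfrom=bulk.invalid; "
                 "dmarc=fail header.from=webex.com",
                 "Cisco WebEx <cisco@webex.com>", "Critical Update!")
FORGED_HEADER = sample("mail.sender.invalid; dmarc=pass header.from=webex.com",
                       "meetings@webex.com",
                       "Your account access will be limited in 24h")
LEGIT = sample("mx.example.org; dmarc=pass header.from=webex.com",
               "notify@webex.com", "Meeting invitation")

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("forged", FORGED_HEADER), ("legit", LEGIT)):
        print(name, triage(raw))
```

The check is only as reliable as the gateway's handling of inbound Authentication-Results headers: it should strip or rename any that arrive with a message before adding its own.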

In another campaign, cybercriminals have tried to steal Zoom account credentials by sending fake emails that welcome users to the Zoom platform and then ask them to click on an embedded link to activate their accounts, according to the report. And in yet another phishing effort, hackers send emails claiming that the recipient missed a Zoom meeting and can check their missed conference by clicking on a link, which takes them to a spoofed Zoom page that asks for their credentials.

Installing Malware

In one of the Zoom-themed campaigns, the cybercriminals attempt to install malware on victims’ devices by claiming that a company supplier is attempting to contact them about a proposal. These emails contain subject lines such as “[Company] Meeting cancelled – Could we do a Zoom call.”

These phishing emails contain an attached Microsoft Excel file portrayed as containing information about the proposal. The file actually is laced with malicious macros and, if opened, installs two remote access Trojans – ServLoader and NetSupport – that can give attackers control over an infected device and enable them to move to other parts of the network. The campaign targeted companies in the energy, manufacturing, marketing/advertising, technology, IT and construction fields, according to Proofpoint.

Phishing email containing malicious attachment (Source: Proofpoint)

Other Campaigns

Other researchers note that numerous malicious campaigns using COVID-19 themes are continuing.

For example, earlier this month, Palo Alto Networks’ Unit 42 division uncovered two phishing campaigns that targeted healthcare organizations, research facilities and government agencies
