Researchers have found a database of Zoom video conferencing credentials ranging from just an email and password to records that also include meeting IDs, names and host keys. Full credentials could be used for a range of activities, from zoombombing to BEC attacks.
The database was discovered by IntSights in a dark web forum. It is not a large database. It contains just 2,300 records — too small to suggest an unknown data breach of Zoom itself, but too large to suggest a random collection of details found online. Nevertheless, the latter is possible because Zoom users are remarkably lax about protecting the details — and of course it could be just a small subset of a larger collection of credentials not made available to others.
On March 27, 2020, the UK Prime Minister (Boris Johnson) tweeted — with screenshot — that he had just held the first ever digital Cabinet meeting of the UK government. The screenshot displayed the ‘Zoom Meeting ID: 539-544-323’. Johnson probably thought that this was safe because the meeting had finished; but Zoom calling it a ‘meeting ID’ is somewhat confusing. It is not this meeting; it is all meetings held by the account holder.
Adding this ID number to a usually easily guessable URL is the first step in gaining access to any and all current conferences held by that account. The URL is either the basic Zoom URL (https://zoom.us/j/), or this URL with a company name inserted. Thus, ‘zoom[companyname].us/j/[account/ID number]’ is the URL for every Zoom videoconference held by the account owner. One would hope that the NCSC has instructed Mr. Johnson (or whoever holds the account used for the Cabinet meeting) to cancel that account and create a new one with a different ID number.
However, having these details doesn’t simply open the possibility of nuisance zoombombing on a conference. Additional access to an ID (usually just an email address) and password would allow a criminal to open the account and start a new videoconference in the account holder’s name — and that creates a whole new set of risks.
In some cases, the database found by IntSights contains only partial details — in other cases it contains a full set of details, including the PIN code into all open sessions. With access to the URL, the ID number and the PIN code, that attacker could both enter a videoconference and take it over — including removing attendees for fun.
These credentials available in the database range from personal accounts to corporate accounts for banks, consultancy companies, educational facilities, healthcare providers, and software vendors.
The simple ID and password access into Zoom accounts suggests a possible collection method for the details on sale: credential stuffing. With so many email addresses and passwords available on the dark web, and the common practice of reusing passwords across multiple accounts, a credential stuffing campaign could have been used to gain initial entry into Zoom accounts, from where the criminal could see what else he could find.
“What was interesting to me,” Etay Maor, CSO at IntSights told SecurityWeek, “was some of the discussions that followed the database being offered on the dark web. They were around how to automate attacks against Zoom. What’s happening is the use of ‘Zoom checkers’.” A checker is a concept from bank card fraud, where a micro payment is made against stolen card credentials to check that the account is live and valid. “It looks like they’re building and adapting different tools to check and automate the discovery of valid accounts behind usernames and passwords.”
One such tool is already freely available on GitHub: OpenBullet. This doesn’t merely test email and password against the Zoom login page, but where it succeeds it attempts to harvest other data such as the ID number and PIN code (both of which are constant).
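The checker pattern Maor describes has a recognisable signature in a service's own authentication logs: one source trying many distinct accounts once each, mostly failing, with the occasional success marking a valid stolen pair. The following is an added example (not code from the article, IntSights or Zoom) of flagging that pattern; the log line format, thresholds and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines in a hypothetical format (not Zoom's real schema).
# 203.0.113.7 behaves like a checker: ten accounts, one try each, two successes.
# 198.51.100.4 hammers a single account: a different pattern, not flagged here.
SAMPLE_LOG = """\
2020-04-10T09:00:01Z src=203.0.113.7 user=alice@example.org result=FAIL
2020-04-10T09:00:02Z src=203.0.113.7 user=bob@example.org result=FAIL
2020-04-10T09:00:02Z src=203.0.113.7 user=carol@example.org result=OK
2020-04-10T09:00:03Z src=203.0.113.7 user=dave@example.org result=FAIL
2020-04-10T09:00:04Z src=203.0.113.7 user=erin@example.org result=FAIL
2020-04-10T09:00:05Z src=203.0.113.7 user=frank@example.org result=FAIL
2020-04-10T09:00:06Z src=203.0.113.7 user=grace@example.org result=FAIL
2020-04-10T09:00:07Z src=203.0.113.7 user=heidi@example.org result=OK
2020-04-10T09:00:08Z src=203.0.113.7 user=ivan@example.org result=FAIL
2020-04-10T09:00:09Z src=203.0.113.7 user=judy@example.org result=FAIL
2020-04-10T09:05:00Z src=198.51.100.4 user=alice@example.org result=FAIL
2020-04-10T09:05:20Z src=198.51.100.4 user=alice@example.org result=FAIL
2020-04-10T09:05:40Z src=198.51.100.4 user=alice@example.org result=OK
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")

def parse(log_text):
    """Parse log lines into (timestamp, source, user, result) tuples; skips malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def checker_sources(events, window=timedelta(minutes=5), min_users=8, max_per_user=1.5):
    """Return {source: stats} for sources that look like credential checkers: at least
    min_users distinct accounts tried, about once each, inside a single time window.
    Simplification: all of a source's events are tested against one window."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        span = evs[-1][0] - evs[0][0]
        users = {e[2] for e in evs}
        if span <= window and len(users) >= min_users and len(evs) / len(users) <= max_per_user:
            fails = sum(1 for e in evs if e[3] == "FAIL")
            flagged[src] = {"attempts": len(evs), "accounts": len(users),
                            "failure_rate": fails / len(evs),
                            "hits": [e[2] for e in evs if e[3] == "OK"]}  # accounts to reset
    return flagged
```

The `hits` list is the actionable output: those are the accounts whose password was confirmed valid by the checker and should be reset and reviewed first.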
The potential threat isn’t simply zoombombing. “If the criminal has a large number of accounts, a bit of OSINT on the email address — using LinkedIn, for example — could locate any high value account holders, such as CEOs. LinkedIn could also locate the company’s finance officer, and using the same structure as the CEO’s email address, the attacker could probably guess the CFO’s email address.”
The attacker, with access to the CEO’s Zoom account, could email the CFO and say, “I need to talk to you. Hop on Zoom will you.” From there it’s just the standard social engineering that criminals have perfected — possibly blurring the voice with added noise, making the video difficult to see, using Zoom by phone, etcetera. It now becomes a new BEC opportunity. Losing your Zoom credentials doesn’t just open your videoconferences to nuisance calls; in this time of working from home, it opens your company to a new BEC threat vector.
In making Zoom easy to use by customers, the platform has become easy to abuse by criminals.