SecurityWeek

Cybercrime

Zoom Credentials Database Available on Dark Web

Researchers have found a database of Zoom video conferencing credentials that range from just an email address and password to full records that also include meeting IDs, names and host keys. Full credentials could be used for a range of activities, from zoombombing to BEC attacks.

The database was discovered by IntSights on a dark web forum. It is not large: it contains just 2,300 records, too few to suggest an unknown breach of Zoom itself, but too many to suggest a random collection of details scraped from the open web. The latter is nevertheless possible, because Zoom users are remarkably lax about protecting these details, and the set could equally be a small sample of a larger collection that the seller has not made available to others.

On March 27, 2020, the UK Prime Minister (Boris Johnson) tweeted, with a screenshot, that he had just held the first ever digital Cabinet meeting of the UK government. The screenshot displayed the ‘Zoom Meeting ID: 539-544-323‘. Johnson probably thought this was safe because the meeting had finished, but Zoom's use of the term ‘meeting ID’ is misleading here. The number shown is the account's personal meeting ID: it does not expire with the meeting, and it is reused for every meeting that account holder hosts.

Appending this ID to an easily guessable URL is the first step in gaining access to any and all conferences held by that account. The URL is either the basic Zoom join URL, https://zoom.us/j/<meeting ID>, or the same path under a company's vanity subdomain, https://<companyname>.zoom.us/j/<meeting ID>. Either form is the URL for every Zoom videoconference hosted under that personal meeting ID. One would hope that the NCSC has instructed Mr. Johnson (or whoever holds the account used for the Cabinet meeting) to retire that account, or at the very least to change its personal meeting ID.

However, having these details doesn’t simply open the possibility of nuisance zoombombing of a conference. Knowing the login ID (usually just an email address) and password as well would allow a criminal to sign in to the account and start a new videoconference in the account holder’s name, and that creates a whole new set of risks.

In some cases, the database found by IntSights contains only partial details; in others it contains a full set, including the host key (the PIN used to claim host controls) that works in every session the account runs. With the join URL, the personal meeting ID and the host key, an attacker could both enter a videoconference and take it over, including removing attendees for fun.

These credentials available in the database range from personal accounts to corporate accounts for banks, consultancy companies, educational facilities, healthcare providers, and software vendors.

The simple email-and-password access to Zoom accounts suggests a likely collection method for the details on sale: credential stuffing. With so many email addresses and passwords available on the dark web, and with passwords so commonly reused across multiple services, a credential stuffing campaign could have been used to gain initial entry into Zoom accounts, after which the criminal could see what else there was to find.


“What was interesting to me,” Etay Maor, CSO at IntSights told SecurityWeek, “was some of the discussions that followed the database being offered on the dark web. They were around how to automate attacks against Zoom. What’s happening is the use of ‘Zoom checkers’.” A checker is a concept from bank card fraud, where a micro payment is made against stolen card credentials to check that the account is live and valid. “It looks like they’re building and adapting different tools to check and automate the discovery of valid accounts behind usernames and passwords.”

One such tool is already freely available on GitHub: OpenBullet, a generic, config-driven credential checker. Pointed at Zoom, it doesn’t merely test email and password pairs against the login page; where a pair succeeds, it goes on to harvest other data from the account, such as the personal meeting ID and host key (both of which are constant for the account).
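The flip side of a checker is the pattern it leaves in the target's authentication logs: one source replaying a list of many different usernames, most of them failing, with the occasional success marking a valid account. The following is an added example, not code from the article, from IntSights or from Zoom; the log format and the thresholds are constructed for illustration (Zoom's own logs are not public), but the logic is what a defender would run over any web login log to spot credential stuffing and to list the accounts that were confirmed valid from a stuffing source and therefore need a forced reset.

```python
"""Detect credential-stuffing / "checker" traffic in web login logs.

Added example, not from the article or from Zoom. The log format below
is constructed for illustration; the thresholds are assumptions that a
defender would tune to their own traffic.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: one line per login attempt.
# 203.0.113.5 walks a list of unrelated accounts (checker behaviour);
# 198.51.100.7 is one user fumbling their own password; 192.0.2.9 is normal.
SAMPLE_LOG = """\
2020-04-08T10:00:01Z ip=203.0.113.5 user=alice@example.com result=fail
2020-04-08T10:00:01Z ip=203.0.113.5 user=bob@example.org result=fail
2020-04-08T10:00:02Z ip=203.0.113.5 user=carol@bank.example result=success
2020-04-08T10:00:02Z ip=203.0.113.5 user=dave@clinic.example result=fail
2020-04-08T10:00:03Z ip=203.0.113.5 user=erin@school.example result=fail
2020-04-08T10:00:03Z ip=203.0.113.5 user=frank@vendor.example result=success
2020-04-08T10:00:04Z ip=203.0.113.5 user=grace@consult.example result=fail
2020-04-08T10:00:04Z ip=203.0.113.5 user=heidi@example.net result=fail
2020-04-08T10:05:00Z ip=198.51.100.7 user=alice@example.com result=fail
2020-04-08T10:05:20Z ip=198.51.100.7 user=alice@example.com result=fail
2020-04-08T10:05:45Z ip=198.51.100.7 user=alice@example.com result=success
2020-04-08T10:06:00Z ip=192.0.2.9 user=ivan@example.com result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


@dataclass
class IpStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    compromised: list = field(default_factory=list)  # accounts that logged in from this IP


def parse(log: str):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def analyse(log: str) -> dict:
    """Aggregate attempts, failures, distinct usernames and successes per source IP."""
    stats = defaultdict(IpStats)
    for ev in parse(log):
        s = stats[ev["ip"]]
        s.attempts += 1
        s.users.add(ev["user"])
        if ev["result"] == "fail":
            s.failures += 1
        else:
            s.compromised.append(ev["user"])
    return stats


def flag_stuffing(stats: dict, min_users: int = 5, min_fail_ratio: float = 0.6) -> dict:
    """An IP trying many *distinct* usernames with a high failure rate is the
    signature of a replayed credential list, unlike a single user mistyping
    their own password. Returns ip -> sorted accounts that succeeded from
    that IP; those accounts are confirmed valid to the attacker and should
    be forced through a password reset and MFA enrolment."""
    flagged = {}
    for ip, s in stats.items():
        if len(s.users) >= min_users and s.failures / s.attempts >= min_fail_ratio:
            flagged[ip] = sorted(s.compromised)
    return flagged


if __name__ == "__main__":
    for ip, users in flag_stuffing(analyse(SAMPLE_LOG)).items():
        print(f"{ip}: probable credential stuffing; valid accounts exposed: {users}")
```

Note the two signals that are combined: breadth of usernames from one source, and a high failure ratio. Either alone produces false positives (a shared corporate NAT address has many users; a single forgetful user has many failures), which is why the one-user source in the sample is not flagged even though it fails twice.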

The potential threat isn’t simply zoombombing. “If the criminal has a large number of accounts, a bit of OSINT on the email address — using LinkedIn, for example — could locate any high value account holders, such as CEOs. LinkedIn could also locate the company’s finance officer, and using the same structure as the CEO’s email address, the attacker could probably guess the CFO’s email address.”

The attacker, with access to the CEO’s Zoom account, could email the CFO and say, “I need to talk to you. Hop on Zoom, will you?” From there it’s just the standard social engineering that criminals have perfected: blurring the voice with added noise, degrading the video so it is difficult to see, joining by phone rather than camera, and so on. It becomes a new BEC opportunity. Losing your Zoom credentials doesn’t just open your videoconferences to nuisance calls; in this time of working from home, it opens your company to a new BEC threat vector.

In making Zoom easy to use by customers, the platform has become easy to abuse by criminals.

Related: Zoom Working on Security Improvements Amid More Bans 

Related: Keys Used to Encrypt Zoom Meetings Sent to China: Researchers 

Related: Vulnerability Allowed Attackers to Join Zoom Meetings 

Related: Zoom Vulnerabilities Expose Users to Spying, Other Attacks

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
