SecurityWeek

Cybercrime

Zoom Credentials Database Available on Dark Web

Researchers have found a database of Zoom video conferencing credentials on a dark web forum. Some records hold only an email address and password; others also include the account's meeting ID, the holder's name and the host key. A full set of credentials could be used for a range of activities, from zoombombing to business email compromise (BEC) attacks.

The database was discovered by IntSights in a dark web forum. It is not a large database. It contains just 2,300 records — too small to suggest an unknown data breach of Zoom itself, but too large to suggest a random collection of details found online. Nevertheless, the latter is possible because Zoom users are remarkably lax about protecting the details — and of course it could be just a small subset of a larger collection of credentials not made available to others.

On March 27, 2020, the UK Prime Minister (Boris Johnson) tweeted, with a screenshot, that he had just held the first ever digital Cabinet meeting of the UK government. The screenshot displayed the ‘Zoom Meeting ID: 539-544-323‘. Johnson probably thought that this was safe because the meeting had finished; but Zoom calling it a ‘meeting ID’ is somewhat confusing. It does not identify that one meeting; it is the account's persistent Personal Meeting ID, reused for every meeting the account holder starts with it.

Appending that ID number to an easily guessable URL is the first step in gaining access to any current or future conference held under it. The URL is either the basic Zoom join URL (https://zoom.us/j/<meeting ID>) or, for organizations with a vanity subdomain, https://<companyname>.zoom.us/j/<meeting ID>. Either way, the same link opens every videoconference the account owner starts with that ID. One would hope that the NCSC has instructed Mr. Johnson (or whoever holds the account used for the Cabinet meeting) to regenerate that ID, or replace the account with one that has a different ID number.

However, having these details doesn’t simply open the possibility of nuisance zoombombing on a conference. Additional access to an ID (usually just an email address) and password would allow a criminal to open the account and start a new videoconference in the account holder’s name — and that creates a whole new set of risks. 

In some cases, the database found by IntSights contains only partial details; in other cases it contains a full set, including the host key, the PIN that claims host controls in any session run under that ID. With the URL, the ID number and the host key, an attacker could both enter a videoconference and take it over, including removing attendees for fun.

The credentials in the database range from personal accounts to corporate accounts belonging to banks, consultancy companies, educational facilities, healthcare providers, and software vendors.

The fact that the records are, at their simplest, an email address and a password suggests a likely collection method: credential stuffing. With so many email addresses and passwords already available on the dark web, and with password reuse across multiple accounts so common, a credential stuffing campaign could have been used to gain initial entry into Zoom accounts, from where the criminals could harvest whatever else they could find.


“What was interesting to me,” Etay Maor, CSO at IntSights told SecurityWeek, “was some of the discussions that followed the database being offered on the dark web. They were around how to automate attacks against Zoom. What’s happening is the use of ‘Zoom checkers’.” A checker is a concept from bank card fraud, where a micro payment is made against stolen card credentials to check that the account is live and valid. “It looks like they’re building and adapting different tools to check and automate the discovery of valid accounts behind usernames and passwords.”

One such tool is already freely available on GitHub: OpenBullet, a general-purpose credential-testing framework driven by per-site configs. A Zoom config doesn't merely test each email and password against the Zoom login page; where a login succeeds, it goes on to harvest other data such as the Personal Meeting ID and host key, both of which stay constant until the user changes them.
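The checker pattern described above (many distinct usernames tried from one source, almost all failing, with the occasional success that is then harvested) is what a defender can look for on the login side. The detector below is an added example, not code from SecurityWeek, IntSights, Zoom or OpenBullet: it runs over a constructed, simplified authentication log and flags sources that, within a sliding window, touch many distinct accounts with a high failure ratio, then lists the accounts that did succeed from such a source, since those are the ones to force a password reset on. The log format, IP addresses, usernames and thresholds are all assumptions for the example; a real Zoom or identity-provider log would need its own parser.

```python
"""
Credential-stuffing ("checker") detection over a login log.

Added example. The log format below is constructed for illustration and is
not Zoom's, OpenBullet's or any vendor's real format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one login attempt per line (timestamp, source IP,
# username, result). 203.0.113.7 behaves like a checker: eleven different
# accounts in ten seconds, one attempt each, nine failures, two hits.
# 198.51.100.20 is a human mistyping their own password twice, then logging in.
SAMPLE_LOG = """\
2020-04-13T09:00:01Z 203.0.113.7 alice@example.com FAIL
2020-04-13T09:00:02Z 203.0.113.7 bob@example.org OK
2020-04-13T09:00:03Z 203.0.113.7 carol@example.com FAIL
2020-04-13T09:00:04Z 203.0.113.7 dave@example.net OK
2020-04-13T09:00:05Z 203.0.113.7 erin@example.com FAIL
2020-04-13T09:00:06Z 203.0.113.7 frank@example.org FAIL
2020-04-13T09:00:07Z 203.0.113.7 grace@example.com FAIL
2020-04-13T09:00:08Z 203.0.113.7 heidi@example.net FAIL
2020-04-13T09:00:09Z 203.0.113.7 ivan@example.com FAIL
2020-04-13T09:00:10Z 203.0.113.7 judy@example.org FAIL
2020-04-13T09:00:11Z 203.0.113.7 ken@example.com FAIL
2020-04-13T09:01:00Z 198.51.100.20 alice@example.com FAIL
2020-04-13T09:01:20Z 198.51.100.20 alice@example.com FAIL
2020-04-13T09:01:40Z 198.51.100.20 alice@example.com OK
2020-04-13T09:02:00Z 198.51.100.21 carol@example.com OK
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<result>OK|FAIL)$")


def parse_line(line):
    """Parse one constructed log line; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m["ip"],
        "user": m["user"].lower(),
        "ok": m["result"] == "OK",
    }


def find_checkers(lines, window_minutes=10, min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that look like credential checkers.

    For each IP, slide a time window over its attempts; a window is suspicious
    when it contains at least `min_users` distinct accounts and at least
    `min_fail_ratio` of the attempts failed. Thresholds are assumptions to be
    tuned per environment. Returns {ip: stats} for flagged IPs only, where
    `valid_accounts` are the accounts that succeeded from that IP.
    """
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    window = timedelta(minutes=window_minutes)
    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Drop events that fell out of the window ending at evs[end].
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e["user"] for e in chunk}
            failures = sum(1 for e in chunk if not e["ok"])
            if len(users) < min_users or failures / len(chunk) < min_fail_ratio:
                continue
            f = findings.setdefault(
                ip, {"distinct_users": 0, "attempts": 0, "failures": 0, "valid_accounts": set()}
            )
            f["distinct_users"] = max(f["distinct_users"], len(users))
            f["attempts"] = max(f["attempts"], len(chunk))
            f["failures"] = max(f["failures"], failures)
            f["valid_accounts"].update(e["user"] for e in chunk if e["ok"])

    for f in findings.values():
        f["valid_accounts"] = sorted(f["valid_accounts"])
    return findings


if __name__ == "__main__":
    for ip, stats in find_checkers(SAMPLE_LOG.splitlines()).items():
        print(ip, stats)
```

Two caveats worth keeping in mind when adapting this: checkers commonly rotate through proxy pools, so grouping by source IP alone will miss a distributed run and the same logic should also be applied per user-agent, per ASN or per device fingerprint; and a successful login from a flagged source is the signal that matters most, because that account's password is now known to be valid and is the one the attacker will go on to harvest the meeting ID and host key from.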

The potential threat isn’t simply zoombombing. “If the criminal has a large number of accounts, a bit of OSINT on the email address — using LinkedIn, for example — could locate any high value account holders, such as CEOs. LinkedIn could also locate the company’s finance officer, and using the same structure as the CEO’s email address, the attacker could probably guess the CFO’s email address.”

The attacker, with access to the CEO’s Zoom account, could email the CFO and say, “I need to talk to you. Hop on Zoom will you.” From there it’s just the standard social engineering that criminals have perfected: blurring the voice with added noise, making the video difficult to see, using Zoom by phone, and so on. It becomes a new BEC opportunity. Losing your Zoom credentials doesn’t just open your videoconferences to nuisance calls; in this time of working from home, it opens your company to a new BEC threat vector.

In making Zoom easy to use by customers, the platform has become easy to abuse by criminals.


Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
