Threat actors are very aware that a huge number of people leverage online platforms to host and participate in meetings, and are ready to exploit those spaces. In this attack described by Armorblox, social engineering was used to mimic an email invite to start a Zoom meeting and trick 10,000 users into clicking a malicious link.
Malicious hackers targeted 10,000 mailboxes in a major online mortgage brokerage company located in North America. They used social engineering and brand impersonation techniques to simultaneously gain trust and urge users to act swiftly, leaving little time to think about the email.
The email itself looked like a legitimate Zoom notification: it was sent from a real domain and bypassed the Microsoft email security product. It was titled “[External]Zoom Meetings 11:00 AM Eastern Time [US and Canada],” with the message “Your participants have joined you in a meeting.” The victim was thus encouraged to click the “Start Meeting” button to join their waiting colleagues.
Clicking the link redirected users to a spoofed Outlook login page that asked them to submit their credentials. In this way, attackers could harvest account passwords and email addresses.
“As an everyday Zoom user, it is habitual to click on ‘Start Meeting.’ When we see emails we’ve already seen before, our brains tend to employ System 1 thinking and take quick action,” the report explains.
Despite the desire to act quickly, it is always best to pause and take a step back when faced with an unusual request or, as in this case, an unplanned meeting. Phishing emails often contain small grammatical errors, come from sender addresses that only resemble the legitimate sender's, or carry links that do not lead where they claim to. Oftentimes, something as simple as hovering your mouse over a link to see its real destination can prevent you from falling victim to a cyberattack.
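The "hover over the link" check can be automated at the mail gateway or in a triage script. The following added example (not from the Armorblox report or any vendor product) parses a constructed Zoom-branded invite, extracts every link with its visible text, and flags any link whose host is not one the brand is expected to use. The expected-host list, the sender address and the placeholder hosts in the sample message are all assumptions for illustration.

```python
# Added example: flag a branded "Start Meeting" link that points off-brand.
# The sample message below is constructed; all hosts and addresses are placeholders.
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts a brand legitimately links to (illustrative, not exhaustive).
EXPECTED_HOSTS = {"zoom": {"zoom.us"}}

class _LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs from an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host_matches(host, allowed):
    # Accept the apex domain and any of its subdomains.
    return any(host == a or host.endswith("." + a) for a in allowed)

def find_link_mismatches(raw_email, brand):
    """Return links whose host is not one the named brand is expected to use."""
    msg = message_from_string(raw_email)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    parser = _LinkCollector()
    parser.feed(body)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if not _host_matches(host, EXPECTED_HOSTS[brand]):
            findings.append({"text": text, "host": host})
    return findings

SAMPLE = """\
From: Zoom <no-reply@zoom-meetings.example>
Subject: [External] Zoom Meetings 11:00 AM Eastern Time [US and Canada]
Content-Type: text/html; charset=utf-8

<p>Your participants have joined you in a meeting.</p>
<a href="https://login.outlook-verify.example/auth">Start Meeting</a>
<a href="https://zoom.us/support">Help</a>
"""
```

Running `find_link_mismatches(SAMPLE, "zoom")` reports only the "Start Meeting" button, whose host is not under zoom.us, while the legitimate support link passes.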
At the organizational level, investing in appropriate cybersecurity training for employees may protect the business from the aftermath of phishing attacks better than some security products.
“Threat actors with corporate targets in sight sometimes go after individuals first. Organizations should make sure their staff is well-trained to identify phishing emails, which can help thwart targeted attacks on their personal emails. In turn, these employees will also report any phishing emails received to their company inbox to their security team. Training users to protect their credentials and ensuring they are logging into legitimate sites is also crucial,” Tonia Dudley, Director and Security Solution Advisor at Cofense, told CyberNews.