DUBAI — Middle East users were warned about credential theft and malware threats on services such as WebEx and Zoom amid an increase in video conferencing company-themed attacks seeking to steal credentials and distribute malware.

Proofpoint researchers found that these are noticeable during the COVID-19 pandemic as the global workforce shifts to remote work resulting to increased demand for video conferencing services.

To note, these attacks do not leverage or attack video conferencing software directly. Threat actors are using the names and brands of these video conferencing companies as themes in their social engineering lures, which lead to the theft of various account credentials, malware distribution, or credential harvesting for these spoofed video conferencing accounts.

“Video conferencing has become very popular very quickly, in the Middle East, as well as globally. Attackers have noticed and moved to capitalize on that popularity and brand strength. Not only are attackers using video conferencing brands as a lure for malware, but they’re using it for credential phishing, in particular to steal Zoom and WebEx credentials. This points to the increasing value of compromised video conferencing accounts. Stolen account credentials could be used to login to corporate video conferencing accounts and violate confidentiality. They also could likely be sold on the black market or used to gain further information about potential targets for launching additional attacks, ” said Emile Abou Saleh, Regional Director, Middle East & Africa at Proofpoint.

The emails you need to look out for:

`* Credential Phish: Zoom Account

This medium-sized campaign has targeted energy, manufacturing, and business services in the US and is designed to steal user credentials. The message body includes a lure that claims to welcome users to their new Zoom account.

Emails in this campaign arrived with a subject line of “Zoom Account” and purport to be from an admin account.

The message body includes a lure that welcomes users to their new Zoom account and contains a link, which the recipient is urged to click in order to activate their Zoom account. When clicked, users are taken to a generic webmail landing page and asked to enter their credentials.

* Credential Phish: Missed Zoom Meeting

This small campaign targets transportation, manufacturing, technology, business services, and aerospace companies in the US and seeks to steal user credentials using a lure around a missed meeting. The emails arrive claiming that the recipient missed a Zoom meeting and includes a link the recipient can use to “Check your missed conference”.

If the recipient clicks on the link, they are taken to a spoofed Zoom page and asked for their Zoom credentials.

* Credential Phish: Cisco WebEx “Alert!" "Your account access will be limited!”

This small campaign attempted to harvest WebEx users’ credentials with emails claiming that recipients need to take immediate action to address a WebEx security vulnerability. Industries targeted include technology, accounting, aerospace, energy, healthcare, telecommunications, transportation, government, and manufacturing companies.

* Lure with Spoofed Cisco WebEx branding claiming critical vulnerability

This campaign claims to come from addresses such as “cisco@webex(.)com” or “meetings@webex(.)com” and uses subject lines such as: “Critical Update!” , “Alert!”, “Critical Update!”, “Your account access will be limited!” or “Your account access will be limited in 24h.”

The emails claim that the recipient needs to update their WebEx client to “fix” a security vulnerability in the Docker Engine Configuration in Cisco CloudCenter Orchestrator. The messages very prominently abuse the Cisco WebEx logo and spoof the format of Cisco’s security advisories. They also appear to draw text and images from a legitimate Cisco advisory.

"If the recipient clicks on the link, they are taken to the page which asks for the user’s WebEx credentials.s video teleconferencing has become more important than ever to the global workforce, it’s not surprising that attackers are moving to adapt their themes and lures to include prominent video conferencing providers like WebEx and Zoom. With more to remote and more organizations shifting work, we can expect these video teleconferencing brands to continue to be used as themes in social engineering lures for the foreseeable future, "Proofpoint said. — SG