Researchers have uncovered a phishing campaign, designed to steal Zoom credentials, that attempts to trick email recipients into thinking they are about to be laid off amid the pandemic. The attackers hope potential victims will click on a malicious link that purports to lead to a Zoom meeting hosted by human resources.
The campaign targets Office 365 users and has so far reached around 50,000 mailboxes, according to a new blog post from Abnormal Security.
"The email masquerades as a reminder that the recipient has a meeting with HR regarding their termination," the report states. "When the victim reads the email, they will panic, click on the phishing link, and hurriedly attempt to log into this fake meeting. Instead, their credentials will be stolen by the attacker."
The link leads to a malicious landing page hosted at zoom-emergency.myftp[.]org. "Links to the phishing page are hidden in text used in automated meeting notifications such as 'Join this Live Meeting,'" the report continues.
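As an added example (not from the Abnormal Security report), here is a minimal Python check for the pattern described above: link text that reads like a Zoom meeting notification while the href points somewhere other than Zoom. The allowed domains, lure phrases and sample email body are assumptions constructed for illustration, and the sample uses a placeholder host rather than the reported one.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: only these domains (and their subdomains) count as genuine Zoom hosts.
ZOOM_DOMAINS = ("zoom.us", "zoom.com")
# Assumption: phrases typical of meeting-notification link text; the first is quoted in the report.
LURE_PHRASES = ("join this live meeting", "join meeting", "zoom")

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:  # only keep text that sits inside an anchor
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def is_zoom_host(host):
    # Exact or dot-boundary suffix match, so "zoom.us.example.net" does not pass.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ZOOM_DOMAINS)

def suspicious_links(html_body):
    """Return (link text, host) pairs where Zoom-style text hides a non-Zoom host."""
    parser = AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlsplit(href).hostname or ""
        if host and any(p in text.lower() for p in LURE_PHRASES) and not is_zoom_host(host):
            findings.append((text, host))
    return findings

# Constructed sample email body; every host below is a placeholder.
SAMPLE = (
    '<a href="https://zoom-emergency.example.org/signin">Join this Live Meeting</a>'
    '<a href="https://us02web.zoom.us/j/0000000000">Join Meeting</a>'
    '<a href="https://zoom.us.example.net/j/1">Zoom <b>Meeting</b></a>'
    '<a href="https://example.com/unsubscribe">Unsubscribe</a>'
)
```

A check like this works as a triage signal only: it catches the text-versus-destination mismatch, but not links that pass through redirectors or URL-rewriting gateways.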
COVID-19 phishing campaigns continue to evolve as the pandemic reaches new stages and the world reacts. Early phishing operations preyed on users' fears of catching the virus by using lures related to coronavirus information, statistics and maps. Later phishing emails capitalized on economic fears by using lures related to the federal stimulus package and small business loans.
Now, with unemployment rates skyrocketing and many companies furloughing their employees, it appears cybercriminals are crafting a new round of emails capitalizing on fears of being unemployed.
Abnormal Security reports that both the email and the fake Zoom meeting landing page are convincing. "The email looks and is formatted like a legitimate meeting reminder commonly used by Zoom. The landing page is also a carbon copy of the Zoom login page; except the only functionality on the phishing page are the login fields used to steal credentials. Recipients would be hard-pressed to understand that this was, in fact, a site designed specifically to steal their credentials," the report explains.