
Phishing campaign aims to steal Zoom credentials using fake layoff notifications

Researchers have uncovered a phishing campaign, designed to steal Zoom credentials, that attempts to trick email recipients into thinking they are about to be laid off amid the pandemic. The attackers hope potential victims will click on a malicious link that supposedly leads to a Zoom meeting hosted by human resources.

The campaign targets Office 365 users and has so far reached around 50,000 mailboxes, according to a new blog post from Abnormal Security.

"The email masquerades as a reminder that the recipient has a meeting with HR regarding their termination," the report states. "When the victim reads the email, they will panic, click on the phishing link, and hurriedly attempt to log into this fake meeting. Instead, their credentials will be stolen by the attacker."

The link leads to a malicious landing page hosted at zoom-emergency.myftp[.]org. "Links to the phishing page are hidden in text used in automated meeting notifications such as 'Join this Live Meeting,'" the report continues.

COVID-19 phishing campaigns continue to evolve as the pandemic reaches new stages and the world reacts. Early phishing operations preyed on users' fears of catching the virus by using lures related to coronavirus information, statistics and maps. Later phishing emails capitalized on economic fears by using lures related to the federal stimulus package and small business loans.

Now, with unemployment rates skyrocketing and many companies furloughing their employees, it appears cybercriminals are crafting a new round of emails capitalizing on fears of being unemployed.

Abnormal Security reports that both the email and the fake Zoom meeting landing page are convincing. "The email looks and is formatted like a legitimate meeting reminder commonly used by Zoom. The landing page is also a carbon copy of the Zoom login page; except the only functionality on the phishing page are the login fields used to steal credentials. Recipients would be hard-pressed to understand that this was, in fact, a site designed specifically to steal their credentials," the report explains.

Bradley Barth
