The discovery that half a million Zoom account details have appeared for sale on the ‘dark web’ has created intense security concerns. Apparently, some of the account details are even being given away! Unknown hackers are seemingly giving away lists obtained through ‘credential stuffing attacks’ in order to enhance their own ‘standing’ in hacking communities. This was reported by cyber-security intelligence firm Cyble.
Logins
The logins are obtained through ‘credential stuffing attacks’, in which attackers use leaked lists of login emails and passwords to try to log in to new services, e.g. Zoom. When an attempt succeeds, the compromised account is simply added to a list, which is then sold on.
Cyble has explained that it was able to buy some 530,000 Zoom details for, it seems, less than a penny apiece!
Russian-speaking
“The data was shared with us privately via an App (Telegram) with a Russian-speaking actor. At this point, we have just tested some samples, and a good portion of the samples seem valid. It’s quite difficult to test all the samples, as we might inadvertently cross the line,” shared Beenu Arora, the CEO of Cyble.
“Do not ever reuse old or similar variations of passwords for video conferencing solutions such as Zoom or any other account,” strongly warned Joseph Carson, who is Chief Security Scientist at Thycotic.
Old Passwords
“Reusing old passwords is like leaving your front door open and inviting cyber-criminals into your home. Stop doing it now, otherwise expect to become a victim of cyber-crime. Many password managers are free. Start using them, use unique long passwords such as passphrases and use a password manager to keep all your passwords unique but easy to use,” he cautioned.
ESET cyber-security expert Jake Moore added that Zoom users must be absolutely sure they have never used exactly the same password for any other online account.
Hackers
“Hackers use very simple tools to reuse passwords that are stolen in separate data breaches, an attack known as ‘password stuffing’. They are then able to quickly attempt to access all accounts with the same email address as the username,” he further observed.
“Zoom users must never use the same password anywhere else, but it is especially crucial that the same password is not used for their email account too, or the attacker would be able to send invites from the victim, making the attack even more dangerous.”
Users can check whether their details have likely been leaked in previous data breaches by entering their email address into the ‘Have I Been Pwned’ and Cyble’s ‘AmIBreached’ data breach notification services.
Credential Stuffing
IntSights outlined the ‘credential stuffing’ trend in a blog post. It highlighted the total vulnerability that can be created by ignoring basic password discipline when registering for new services of any sort, and also outlined the tools that are now available to deal with attacks.
An example is OpenBullet, web testing software that runs tests against a target web app and contains many tools to handle the results generated. The software can be used for scraping and parsing data, automated pen-testing, unit testing through Selenium, etc.
IntSights also discovered that hackers were now sharing OpenBullet config files relating to Zoom, in addition to older targets such as smart home security firm Ring.