Phishing Attack Mimics Zoom Meetings To Steal Login Credentials

A new phishing campaign employs a highly convincing, five-stage attack flow designed to steal user credentials under the guise of a Zoom video conference. The process involves deception techniques, multi-domain infrastructure, and secure real-time data exfiltration mechanisms to enhance stealth and bypass common security controls.

Severity Level: High

VULNERABILITY OVERVIEW:

Infection Chain:

  1. Stage 1 – Phishing Email:
    • The phishing emails use urgent subject lines such as “Missed Zoom Call” or “Urgent Meeting Request” to prompt quick, impulsive clicks from busy professionals.
    • Users receive an email containing a malicious link that leads them to a fake Zoom interface.
    • The email may use urgent language or scheduled meeting notifications to create a sense of urgency, encouraging users to act quickly without verifying the source.
  2. Stage 2 – Visual Deception:
    • The webpage simulates a Zoom loading screen, followed by a pre-recorded video of a “live meeting” with visible participants, increasing credibility.
    • The pre-recorded video of “participants” may include fake names and avatars, reinforcing the illusion of legitimacy by mirroring typical enterprise meeting environments.
  3. Stage 3 – Fake Disconnection Prompt:
    • A sudden fake “Connection Lost” or “Session Expired” notification tricks the user into thinking a session error occurred.
    • The fraudulent disconnection message prompts users to re-enter their login credentials.
  4. Stage 4 – Credential Harvesting:
    • Users are shown a realistic-looking login form that mimics Zoom or corporate SSO pages.
    • The form may redirect to a real Zoom page after credential entry to reduce suspicion, allowing attackers to harvest data without raising immediate red flags.
  5. Stage 5 – Data Exfiltration:
    • Stolen credentials are transmitted via the Telegram API, allowing attackers to receive data in real time over a legitimate communication channel that often evades detection.

Infrastructure & Techniques:

  1. Domain Usage:
    • Tracking and phishing URLs are hosted via cirrusinsight[.]com subdomains, making the links appear legitimate and trusted to end users.
    • Fake meeting pages are served from r2[.]dev (Cloudflare R2), leveraging a reliable cloud service that is less likely to be flagged as malicious.
  2. Command and Control (C2):
    • Attackers use the Telegram API for stealthy command and control (C2) communication, which often bypasses traditional firewalls and endpoint security tools due to its widespread legitimate use.
    • This method allows for real-time data exfiltration and immediate access to stolen credentials through bots or channels.

MITRE ATT&CK:

| Tactic | Technique | ID | Details |
|---|---|---|---|
| Reconnaissance | Phishing for Information | T1598.002 | Adversaries craft emails to trick users into clicking malicious links. |
| Resource Development | Acquire Infrastructure | T1583.001 | Use of legitimate cloud services (e.g., r2.dev, cirrusinsight.com) for hosting. |
| Initial Access | Phishing | T1566.002 | Spearphishing via link directing users to a spoofed Zoom page. |
| Execution | User Execution | T1204.001 | Victims execute by clicking a link and interacting with fake prompts. |
| Persistence | Abuse of Legitimate Services | T1550.002 | Use of Telegram API as a persistent, covert exfiltration channel. |
| Credential Access | Input Capture | T1056.001 | Fake login prompt captures user credentials. |
| Collection | Data from Information Repositories | T1213 | Collected credentials from user input. |
| Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | Telegram API used over HTTPS to evade detection and communicate with C2. |
| Exfiltration | Exfiltration Over Web Service | T1567.002 | Exfiltrating data via Telegram, a legitimate web service. |
| Defense Evasion | Obfuscated Files or Information | T1027 | Use of pre-recorded videos, spoofed interfaces, and legitimate domains to evade detection. |

Recommendations:

  1. Educate users to verify Zoom URLs and avoid re-authenticating from popups or prompts in meetings.
  2. Monitor for unusual outbound traffic to Telegram API endpoints.
  3. Implement multi-factor authentication (MFA) to reduce the impact of compromised credentials.
  4. Block the IOCs at their respective controls: https://www.virustotal.com/gui/collection/40c35230cac379cebf731beb69d4ea881619ff0c36309e7eacf27ae2f5f9024a/iocs.
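As an added example (not part of the advisory or its sources), the following Python hunts egress proxy logs for the two infrastructure traits described above: a page served from an r2.dev subdomain followed by a Telegram Bot API send* call from the same client. It assumes the exfiltration request is issued from the victim's browser so it appears in proxy logs, and the log format, hostnames and bot tokens are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not from the advisory): "timestamp src_ip method url"
SAMPLE_LOGS = [
    "2025-05-19T09:01:12Z 10.0.4.21 GET https://zoom.us/j/000000000",
    "2025-05-19T09:03:40Z 10.0.4.21 GET https://pub-example.r2.dev/meeting/index.html",
    "2025-05-19T09:04:02Z 10.0.4.21 POST https://api.telegram.org/bot123456:AAEexampletoken/sendMessage",
    "2025-05-19T09:10:55Z 10.0.4.37 GET https://api.telegram.org/bot987654:AAEother/getUpdates",
]

# Bot API calls take the form api.telegram.org/bot<token>/<method>; the send* methods push data to a chat
BOT_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}

def parse_line(line):
    ts, src, _method, url = line.split(" ", 3)
    u = urlsplit(url)
    return {"ts": ts, "src": src, "host": u.hostname or "", "path": u.path}

def classify(rec):
    """Label one proxy record, or return None when nothing in the advisory's chain applies."""
    host, path = rec["host"], rec["path"]
    if host == "api.telegram.org":
        if (m := BOT_PATH.match(path)) and m.group(3) in EXFIL_METHODS:
            return f"telegram-bot-exfil:{m.group(1)}"  # record the numeric bot id, not the secret
        return "telegram-bot-api"
    if host.endswith(".r2.dev"):
        return "r2dev-hosted-page"
    return None

def hunt(lines):
    """Group findings per source host so page load and exfil from the same client line up."""
    by_src = {}
    for line in lines:
        rec = parse_line(line)
        label = classify(rec)
        if label:
            by_src.setdefault(rec["src"], []).append((rec["ts"], label))
    return by_src

def high_confidence(by_src):
    """Sources that loaded an r2.dev page and afterwards called a Telegram send* method."""
    hits = []
    for src, events in by_src.items():
        labels = [label for _, label in sorted(events)]
        page_idx = next((i for i, l in enumerate(labels) if l == "r2dev-hosted-page"), None)
        if page_idx is not None and any(l.startswith("telegram-bot-exfil") for l in labels[page_idx:]):
            hits.append(src)
    return hits
```

A lone Telegram Bot API hit is only a lead, since legitimate bots exist; the page-then-send sequence from one client is what raises confidence.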

Source:

  • https://cybersecuritynews.com/new-phishing-attack-mimic-as-zoom-meeting-invites/
  • https://x.com/SpiderLabs/status/1924424257083179462

Ampcus Cyber