The discovery of more than half a million Zoom accounts for sale on the dark web has prompted security concerns, with some of the account details even being given away for free. Hackers are giving away lists gained through credential stuffing attacks to improve their reputation in hacking communities, reported cyber-security intelligence firm Cyble.
The logins are gained via credential stuffing attacks, where attackers use previously leaked lists of login emails and passwords to log in to new services, such as Zoom. Once a login succeeds, the newly compromised account is collated into a list and sold.
Cyble confirmed to SC Media UK that it was able to purchase 530,000 Zoom credentials for less than a penny each.
“The data was shared with us privately via an App (Telegram) with a Russian-speaking actor. At this point, we have just tested some samples, and a good portion of the samples seem valid. It’s quite difficult to test all the samples, as we might inadvertently cross the line,” said Beenu Arora, CEO of Cyble.
“Do not ever reuse old or similar variations of passwords for video conferencing solutions such as Zoom or any other account,” warned Joseph Carson, chief security scientist at Thycotic.
“Reusing old passwords is like leaving your front door open and inviting cyber-criminals into your home. Stop doing it now, otherwise expect to become a victim of cyber-crime. Many password managers are free. Start using them, use unique long passwords such as passphrases and use a password manager to keep all your passwords unique but easy to use,” he said.
ESET cyber-security specialist Jake Moore agrees, saying that Zoom users need to be certain that they have not used the same password as their other accounts online.
“Hackers use very simple tools to reuse passwords that are stolen in separate data breaches, an attack known as 'password stuffing'. They are then able to quickly attempt to access all accounts with the same email address as the user name,” he said.
“Zoom users must never use the same password anywhere else, but it is especially crucial that the same password is not used for their email account too, or the attacker would be able to send invites from the victim, making the attack even more dangerous.”
Users can check to see if their credentials are likely to have been leaked in previous data breaches by entering their email address(es) into Have I Been Pwned and Cyble's AmIBreached data breach notification services.
Researchers at IntSights recently documented the credential stuffing trend in a blog post, highlighting the dangers of ignoring basic password hygiene when registering for new services of any kind, but also pointing to the range of tools available to streamline such attacks.
One mentioned by IntSights is OpenBullet, which describes itself as a web testing suite that allows users to perform requests towards a target web app and offers a lot of tools to work with the results. According to that description, the software can be used for scraping and parsing data, automated pen-testing, unit testing through Selenium and much more.
IntSights researchers found hackers sharing OpenBullet config files for Zoom, as well as older targets such as smart home security firm Ring.