On March 30, 2020, the U.S. Federal Bureau of Investigation (FBI) alerted users of video teleconferencing (VTC) services to a rise in VTC hijackings. These incidents are also often referred to as “Zoom-Bombing,” a reference to the popular VTC service Zoom. A VTC hijacking occurs when a video conference in progress is suddenly interrupted with pornographic material, hate images, and/or threatening language. The goal of these hacks is often to generate content that can be featured on social media platforms or simply to cause an interruption.
The FBI Boston field office in Boston, Massachusetts, has received multiple reports of VTC hijackings. In late March 2020, a Massachusetts-based high school reported that an unidentified individual interrupted a classroom Zoom meeting and began shouting obscenities. The individual also reportedly yelled the teacher’s home address. A separate school in Massachusetts reported that a Zoom hijacker joined a teleconference and displayed swastika tattoos over their webcam.
In order to prevent users of Zoom and other VTC platforms from becoming hijacking victims, the FBI recommended the following safety precautions:
1) Make meetings private, which requires either a password to enter a meeting or places people in a “waiting room” to control admittance;
2) Do not share Zoom conference links on public social media accounts;
3) Change the screen sharing setting to “Host Only”;
4) Ensure users keep Zoom clients up to date with the latest Zoom software and all passwords;
5) Ensure the company’s telework policy or guide addresses requirements for physical and information security.
The FBI encouraged VTC hijacking victims to report incidents to the FBI’s Internet Crime Complaint Center at ic3.gov. If any direct threats are made during a video conference hijacking, users are urged to submit a tip using the FBI’s electronic Tip Form at tips.fbi.gov or call a field office.
In addition to VTC hijacking, cyber threat actors are also using recently registered Zoom-themed web domains to create malware-filled websites. These fake Zoom websites trick unsuspecting users into believing they are downloading the Zoom application. Instead, the fake websites infect computers with malware and collect private information if the malware is not identified and removed in time. Specifically, files using the “zoom-us-zoom_##########.exe” naming scheme were recently discovered.
Zoom-based incidents are not the first cyber-related incidents to occur as a result of the COVID-19 pandemic, however. When the virus began to quickly spread throughout the United States in January and February 2020, cyber threat actors began to take advantage of the situation almost immediately. Threat actors would deploy malware-infected coronavirus-related content in the hopes of infiltrating computers to gather private data and information. The content would lure in unsuspecting users attempting to stay updated on the latest news surrounding the virus. In one specific case, coronavirus maps were being deployed with malware that appeared very similar to the map created by Johns Hopkins University.
The large number of people forced to work or attend school from home due to the COVID-19 pandemic, coupled with a lack of proper security etiquette, is very likely the reason for the increase in VTC hijackings. Many companies and schools have been forced to rely on VTC applications such as Zoom to communicate with employees, continue running operations, or teach their respective classes. Zoom alone has seen a 21% increase in user growth since the end of 2019. So far, 2.22 million people have signed up for the service, whereas 1.9 million people signed up in all of 2019. The number of signees could also continue to expand rapidly if more organizations and academic institutions are forced to work from home.
For more information call INA at 717 599 5505 or email at firstname.lastname@example.org.
Posted Apr. 3, 2020
By Nathan Kormanik, Intelligence Analyst, Risk and Threat Intelligence