Hundreds of thousands of hacked Zoom accounts are being sold on the dark web, after the video conferencing app’s rate of usage surged due to the worldwide coronavirus lockdown, according to cybersecurity site BleepingComputer.
BleepingComputer issued a report revealing how account details and passwords have been compromised, collected and sold. They’re typically sold in bulk for extremely small sums, with a single account login - replete with email address, password, personal meeting URL and HostKey - up for grabs for as little as US$0.0020. This means over 500,000 Zoom accounts can be bought for US$1,000.
Account details are likely gathered through "credential stuffing" attacks, in which cyber criminals attempt to log in to accounts on various websites using usernames and passwords leaked in previous breaches, on the assumption that individuals typically maintain the same credentials across platforms and rarely, if ever, update them.
Hacked accounts are then used for 'zoom-bombing' pranks and other malicious activities.
“We’ve already hired multiple intelligence firms to find these password dumps and the tools used to create them, as well as a firm that has shut down thousands of websites attempting to trick users into downloading malware or giving up their credentials,” the firm said.
The company added that this particular kind of attack “generally” doesn’t affect their “large enterprise customers”, who utilise their own single sign-on systems. It’s unknown how many users in total are affected, although the figure is surely sizeable due to millions of workers, students and families signing up for the video conferencing app during the Covid-19 lockdown as a means of studying, working and staying in touch.
Coronavirus has proven to be a goldmine for fraudsters - the US Federal Trade Commission estimates approximately US$13 million has been lost to Covid-19-related scams since January 2020, with a median loss of US$570 in over 16,778 separate reported scams.
Most reports were received from California, with 2,010 consumers saying they were targeted by fraudsters, followed by Florida, New York, and Texas with over 1,000 complaints each.
Scammers targeting consumers seeking vacation deals accounted for 2,800 fraud attempts reported to the FTC, while online shopping and text message-based scams accounted for 1,741 and 1,017 reports respectively.