Since the coronavirus outbreak, the video-conferencing app Zoom has gained massive popularity. Recently, however, it has come under scrutiny for multiple privacy and security issues.
In the latest turn of events, a cyber risk assessment firm has discovered that over half a million Zoom accounts are being sold on the dark web.
An unidentified hacker is giving away Zoom credentials, including meeting URLs, email addresses, passwords, and HostKeys, at dirt-cheap rates. Security researchers also believe that the half a million passwords on sale are from old Zoom accounts, which are being distributed to new users for less than a penny each.
The account details, which were obtained through previous credential stuffing attacks, are sorted, compiled into lists, and then posted on a number of dark web sites and hacker forums. A cybersecurity intelligence firm tried to warn victims after buying about 530,000 Zoom login details for about $0.0020 per account through a hacker forum. Researchers said that the accounts they purchased came with the email address, password, personal meeting URL, and HostKey of each victim.
According to a security awareness advocate: “Credential stuffing is a popular attack technique, as people often tend to reuse the same password across different services. It is why it’s important that we continually provide security awareness and training to all employees so that they can make better risk-based decisions. This includes not reusing passwords and enabling two-factor authentication where it is available.”
Hackers use these account credentials for nefarious purposes. Now that millions of organizations are using Zoom and other video conferencing platforms to conduct all kinds of business, cybercriminals have shown increased interest in login details and in potential vulnerabilities that can be exploited.
Hackers are cashing in on Zoom’s ‘zero-day’ vulnerabilities and selling data stolen from the app on the dark web.
‘Zero-day’ vulnerabilities are flaws in software, not yet known to or fixed by the vendor, that hackers can use to target specific users. Depending on the importance of the software that these vulnerabilities are detected in, the data can be sold for up to millions of dollars. The price for zero-day vulnerabilities in Zoom on the dark web ranges from $5,000 to $30,000, the report said.
The vulnerabilities being sold on the dark web include security flaws ranging from webcam to microphone issues, which hackers can use to gain access to sensitive data including passwords, emails, or device information.
As per a report prepared by a renowned cyber threat analyst and chief security officer: “There has been increased chatter across the dark web about ways to take advantage of the increased usage of Zoom globally.” Both said that since January, hackers have been looking into ways they can manipulate and take advantage of Zoom, knowing that more people are out there using the platform and making mistakes.
Using credentials stolen years ago, cybercriminals are able to exploit the recent spike in usage by reusing old login information to gain access to accounts, where they can disrupt or deface meetings and even steal valuable information.
Over the past few months, Zoom has continuously faced backlash over privacy and security issues, as a result of which a number of institutions have banned the use of Zoom outright. Elon Musk’s SpaceX, schools, and businesses across the world have begun to ban employees and students from using Zoom out of concern for security.
There’s always an alternative for everything, and in this case it is Signal Private Messenger. Yes, you read that right. It’s an encrypted messaging service that can provide video calls, audio calls, and group chat services like Zoom. The best part is that, unlike Zoom, Signal communications are automatically end-to-end encrypted.
The keys that are used to encrypt the user’s communications are generated and stored at the endpoints (i.e. by users, not by servers). To verify that a correspondent is really the person that they claim to be, Signal users can compare key fingerprints (or scan QR codes). The app employs a trust-on-first-use mechanism in order to notify the user if a correspondent’s key changes.
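The trust-on-first-use behaviour described above, sketched as an added Python example (not Signal's code and not part of the original article). The `TofuStore` class, its method names, and the SHA-256 hex fingerprint format are assumptions for illustration and do not reproduce Signal's own fingerprint encoding.

```python
import hashlib
import hmac

def fingerprint(identity_key: bytes) -> str:
    """Comparable fingerprint: SHA-256 of the public key in 4-char hex groups.
    Assumed format for illustration, not Signal's own fingerprint encoding."""
    digest = hashlib.sha256(identity_key).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))

class TofuStore:
    """Pins each contact's identity key on first use and flags later changes."""

    def __init__(self):
        self._pins = {}  # contact -> {"key": bytes, "verified": bool}

    def observe(self, contact: str, identity_key: bytes) -> str:
        pin = self._pins.get(contact)
        if pin is None:  # first contact: trust and pin, but mark unverified
            self._pins[contact] = {"key": identity_key, "verified": False}
            return "first-use"
        if hmac.compare_digest(pin["key"], identity_key):
            return "verified" if pin["verified"] else "unverified-match"
        return "key-changed"  # never silently replace the pinned key

    def verify(self, contact: str, peer_fingerprint: str) -> bool:
        """Out-of-band check: the peer reads their fingerprint to the user."""
        pin = self._pins[contact]
        ok = hmac.compare_digest(fingerprint(pin["key"]), peer_fingerprint)
        pin["verified"] = pin["verified"] or ok
        return ok

    def accept_change(self, contact: str, new_key: bytes) -> None:
        """User acknowledged the warning; the new key starts unverified."""
        self._pins[contact] = {"key": new_key, "verified": False}

def demo() -> list:
    # Constructed 32-byte values standing in for Curve25519 public keys.
    original, replaced = bytes(range(32)), bytes(range(1, 33))
    store, events = TofuStore(), []
    events.append(store.observe("alice", original))   # first-use
    events.append(store.observe("alice", original))   # unverified-match
    store.verify("alice", fingerprint(original))
    events.append(store.observe("alice", original))   # verified
    events.append(store.observe("alice", replaced))   # key-changed
    store.accept_change("alice", replaced)
    events.append(store.observe("alice", replaced))   # unverified-match
    return events

if __name__ == "__main__":
    print(demo())
```

A changed key resets the contact to unverified, so the fingerprint comparison has to be repeated before the new key is trusted to the same degree as the old one.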
Signal messages are encrypted with the Signal Protocol (formerly known as the TextSecure Protocol). The protocol combines the Double Ratchet Algorithm, prekeys, and a Triple Diffie-Hellman (X3DH) handshake. It uses Curve25519, AES-256, and HMAC-SHA256 as primitives.
The Signal Protocol also supports end-to-end encrypted group chats. The group chat protocol is a combination of a pairwise double ratchet and multicast encryption. In addition to the properties provided by the one-to-one protocol, the group chat protocol provides speaker consistency, out-of-order resilience, dropped message resilience, computational equality, trust equality, subgroup messaging, as well as contractible and expandable membership.