
Fake Zoom Links Put Users at Jeopardy

By Cyber Valkyries | August 19, 2025 | 5 min read

Ping. Eager to see what a new email might hold, users routinely check whether they have new mail. This time, though, the email was a bit different. In bold, uppercase lettering that just screams that something bad is happening, the sender, someone important in your company, states that this is an emergency! That definitely catches your attention.

And as you read the email, your heart begins to sink. Declaring a critical issue that affects your work, the sender urges you to click on the link to a Zoom meeting so you can remedy it. Of course, you want to. The link looks familiar by now, in part thanks to the COVID-19 pandemic, and it appears clean and legitimate to the eye.

So, then, you click it. Unknowingly, however, you just set in motion a sophisticated attack.

How the Attack Worked

On a random day in May, thousands of emails were sent out. They were all nearly identical, except for the sender, and each stated in big, bold font that the subject of the email was urgent. The contents were even scarier, stating that there was a critical issue with the affected user's work and that a meeting needed to be held over a Zoom call.

Now the user feels a real sense of urgency, and, as the urgency principle predicts, fear and anxiety are heightened and any skepticism about the contents of the email evaporates. All of it makes sense, after all, since the Zoom hyperlink at the bottom appeared to be legitimate. However, all of this was URL masking: the link was displayed with a user-friendly address, but had another destination in mind.

Clicking the link first redirected the user to hxxps://tracking[.]cirrusinsight[.]com so the control center could monitor how many people clicked, then through short URLs such as one[.]ebext[.]in and hubs[.]ly, and finally to pub-51656ae3d0ef4f2ba59cdfc6830c8098[.]r2[.]dev. On arriving at the pub link, which was built to resemble a Zoom call, users were presented with an initial "join meeting" button, which does work. When users pressed the button to join, they saw individuals smiling and waving. This was a hoax too: the people in the video were pre-recorded, and likely even generated using AI.
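The URL masking and redirect chain described above can be spotted before anyone clicks. The following is an added example, not code from the original post: it parses an HTML email body, flags anchors whose visible text names zoom.us while the href points elsewhere, flags hrefs that use the tracking and shortener hosts the article names, and notes per-recipient fragments such as #targetid. The sample email body is constructed for the example.

```python
# Added example (constructed, not from the article): flag "URL masking" in an HTML
# e-mail body and hrefs that use the redirect-chain hosts the article names.
from html.parser import HTMLParser
from urllib.parse import urlparse

SUSPECT_HOSTS = {"tracking.cirrusinsight.com", "one.ebext.in", "hubs.ly"}  # from article

def _host(url):
    return (urlparse(url).hostname or "").lower()

def _is_meeting_host(host):
    return host == "zoom.us" or host.endswith(".zoom.us")

class _Anchors(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.found, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.found.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_masked_links(html):
    """Return (href, visible_text, reasons) for each anchor worth flagging."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.found:
        reasons, href_host = [], _host(href)
        # Visible text that looks like a URL or bare domain is parsed as one.
        text_host = _host(text if "://" in text else "https://" + text) if "." in text else ""
        if text_host and _is_meeting_host(text_host) and not _is_meeting_host(href_host):
            reasons.append("visible text says %s but href goes to %s" % (text_host, href_host))
        if href_host in SUSPECT_HOSTS:
            reasons.append("href passes through a known tracking/shortener host")
        if urlparse(href).fragment:  # e.g. #targetid=... identifies the recipient
            reasons.append("href carries a tracking fragment #" + urlparse(href).fragment)
        if reasons:
            findings.append((href, text, reasons))
    return findings

# Constructed sample body modelled on the article's description, not a real message.
SAMPLE_EMAIL = ('<p><b>URGENT: CRITICAL ISSUE WITH YOUR WORK</b></p><p>Join now: '
  '<a href="https://tracking.cirrusinsight.com/r?u=abc#targetid=jane.doe">'
  'https://zoom.us/j/123456789</a></p><p><a href="https://example.com">example.com</a></p>')
```

Running find_masked_links on SAMPLE_EMAIL flags only the "Zoom" link, with three reasons; the plain example.com link passes.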

The Credentials Are Harvested

After just a few moments on the seemingly normal call, the user would get an error message saying that the "meeting connection timed out" (a genuine error message that is commonplace on Zoom) and would then be prompted to sign in again. This is where the real attack happened.

When prompted to sign in, they needed to enter their information. Here it looked even more real: using the #targetid fragment in the link, a common scheme in which the link in the email carries an identifier so the sender can confirm who clicked it, the sign-in form even pre-filled the user's email address and region of residence.

When they filled in the sign-in form to reconnect, what really happened was that their credentials were harvested. The control center took everything it could gather from that single sign-in, including the credentials themselves and the user's IP address, country, and region, and packaged it for sale on the popular messaging app Telegram.

How It Could Have Been Prevented

More important, though, is how the attack could have been mitigated with just basic security. The most important control for this type of "hack" is protecting email. Traditional spam filters often miss socially engineered threats as the social engineering grows more sophisticated. The better alternative is to deploy advanced email security gateways.

Other solutions include:

  • MFA - Should always be in use to prevent unauthorized access to systems
  • Monitor unusual login patterns - Such as logins from unexpected geolocations or IP addresses
  • Security awareness training - Incredibly important for spotting phishing red flags
  • Hover over links before clicking to see where they really send you
  • Check the sender - Spoofed addresses often look legitimate at a glance, but subtle errors usually give them away