Special invitation: how scammers use the topic of virtual meetings
Fraudsters can use the topic of virtual meetings to deceive users, experts have warned about this. Since the Covid-19 pandemic, such meetings have become an integral part of the workflow in many companies, and attackers use fake invitations to them in their schemes. For more information about why this happens and how to protect yourself, see the Izvestia article
Why is the topic of virtual meetings interesting to scammers
The Covid-19 pandemic has largely changed key work processes: meetings, meetings, document management and shared corporate resources, Konstantin Gorbunov, a leading expert on network threats and web developer at Security Code, says in an interview with Izvestia. At that time, many companies transferred employees to remote work, and some tasks, in particular meetings and meetings, began to be carried out in various services.
— This habit has become so firmly entrenched that until now, the solution of various tasks is actively carried out in a remote format, — says the specialist. — In addition, do not forget about companies with many branches and offices in different cities. Even before the pandemic, there was a question of communication between different project teams.
In this regard, today platforms such as Zoom and its analogues are usually perceived by people as purely business tools — and this somewhat reduces suspicion, says Sergey Polunin, head of the IT infrastructure solutions protection group at Gazinformservice. In general, this is logical: if an employee has a dozen online work meetings a day, he will join the eleventh without hesitation.
— In addition, modern platforms for organizing meetings have simplified the connection procedure to the pressing of just one button, which means it is an excellent environment for organizing phishing attacks, — the expert emphasizes.
How scammers use the subject of online meetings
Fraudsters have repeatedly actively used the topic of video conferencing in their schemes. In particular, according to the head of BI.Oleg Skulkin's ZONE Threat Intelligence, the topic of video calls was actively exploited by the Lazer Werewolf group (also known as Lazarus). The attackers sent a link to a Google Meet video meeting to the victim in Calendly. In fact, the link led to a domain controlled by the attackers, disguised as Zoom.
— The victim joined the "meeting", which was attended by deepfakes of the company's executives, as well as external participants, — says the interlocutor of Izvestia. — At the same time, the victim's microphone allegedly did not work, and the participants suggested that she download the Zoom extension to solve this problem. In fact, the "extension" was a script that installs malicious software into the victim's system.
Similar attacks have taken place in Russia, Oleg Skulkin notes. For example, representatives of the Gremlin Wolf group posed as journalists from a major media outlet and invited victims for a 30-minute interview. Of course, clicking on the link in the email led to the installation of malicious software on the victim's system.
Kaspersky Lab cybersecurity expert Roman Dedenok adds that the company's specialists have already seen quite convincing phishing attacks, in which attackers sent personalized emails to employees of organizations under the guise of instructions from the HR department. Their difference is that in the discovered mailings, the recipient was addressed by name both in the letter itself and in the attached file, which the potential victim was invited to read.
—Previously, attackers often used fake Zoom or Microsoft Teams login pages to steal usernames and passwords," says Alexey Kozlov, a leading analyst at the Spikatel Information Security monitoring department. — In addition, sometimes the attacks were disguised as "account updates" before the meeting.
How online meeting schemes may change in the future
According to experts interviewed by Izvestia, fraudulent schemes related to virtual meetings may evolve in the future. In particular, as Oleg Skulkin says, today intruders are increasingly using the technology of creating deepfakes.
"Moreover, preliminary communication with the victim, including through videoconferences, helps to lull her vigilance and increases the chances of fraudsters to succeed," the source said.
Even now, fake video conferences created by intruders include animations of connecting other colleagues and displaying a list of those present, Konstantin Gorbunov notes. At this stage, the scammers have received Zoom login information, but they can "prolong" the animation, for example, using deepfakes, and try to get additional information or send a malicious file to the victim in the chat.
In addition, schemes are likely to appear that use voice messages with the artificially generated voice of a supervisor who urgently needs to join the meeting, adds Mikhail Sergeev, lead engineer at CorpSoft24. Another possible scenario is the development of schemes using QR codes to enter conferences: as Alexey Kozlov explains, such codes are easier to filter and more difficult to check manually.
What are the dangers of fraud schemes on the topic of virtual meetings?
Schemes related to online meetings can be aimed at a wide variety of user categories — it all depends on the goals of cybercriminals, says Oleg Skulkin. For example, if attackers seek to gain access to the assets of a cryptocurrency exchange, they can choose its developers as a target and introduce themselves as recruiters.
"Such attacks can also be aimed at ordinary employees of the corporate segment — in this case, the goal may be to obtain credentials or install malicious software," the source tells Izvestia. — Also, do not forget about individuals: video calls, including those using deepfakes, are actively used to steal financial assets.
At the same time, according to Konstantin Gorbunov, such schemes are primarily aimed at large companies, where there are many project teams and contractors, and regular installation meetings are held, which is why the next meeting letter will not seem suspicious to some employees.
If the company's password policy does not allow having the same password for all corporate services, then the damage from the successful implementation of the scheme is limited to gaining access to the employee's personal account in Zoom — as a result, the ability to connect to the next conferences and view the history of previous ones.
"But if the same password is used for all services, the damage will be much greater, because attackers will gain access to them: mail, cloud storage, personal accounts in corporate portals, CRM systems, and so on," warns Konstantin Gorbunov.
How to protect yourself from fraudulent schemes on the topic of online meetings
In order to protect yourself from attacks by scammers on the topic of virtual meetings, Konstantin Gorbunov advises following a number of simple recommendations:
- Completion of the email client is the introduction of a list of available email addresses for incoming messages, spam filtering functionality and automatic verification of attachments and links.
- Phishing exercises and trainings within the company, informing employees about similar fraud schemes and new tricks.
- Also, when employees click on any links from emails, they must first check the sender's address character by character, as well as the link itself. Moreover, to display a real link, you need to hover the mouse cursor over it, but not click. If you have any doubts about the meeting, you must first clarify the information with the supervisor.
— It is important to receive timely information about new fraud schemes — this is the only way to suspect something is wrong in time and not succumb to the tricks of intruders, — concludes Oleg Skulkin. — And, of course, it is necessary to carefully look at the links, not download suspicious files and double-check the relevance of meetings with colleagues.
Переведено сервисом «Яндекс Переводчик»
