In a nutshell, here’s now the new campaign works:
The hackers controlling the campaign kick things off by sending out what appear to be automated Zoom account suspension alerts. These are convincingly crafted and make it appear that your account has been compromised. The message is invariably either a carbon copy or a slight variant of the following:
“We’ve temporarily suspended your Zoom because your email failed to sync with our server within the past 24 hours. At this time, you will not be able to invite or join any call/meeting. Please verify your email:”
And then, just below the ‘Please verify your email’ bit in the body of the message, the hackers have included a button labeled ‘Activate Account,’ which a fair percentage of this message’s recipients are clicking on.
Clicking on the button opens a browser tab and takes the email recipient to a well-designed spoof of a Microsoft Login page which asks for the user’s credentials.
Naturally, if the user enters their login information here, nothing will happen except that the information will be stored in a database belonging to the hackers, who will no doubt use it later.
Not long ago, the US FBI issued a warning about BEC scammers targeting users of popular cloud-based email services like Google’s G-Suite and Microsoft’s Office 365 to steal credentials for use in attacks down the road. This latest campaign certainly seems to add an exclamation point to the end of that warning. Stay on your guard and make sure your employees are aware.