Written by Zachary Blenden
During the ongoing COVID-19 pandemic, we have seen more and more attacks targeting users of the popular teleconferencing application Zoom. These attacks have sometimes been described as data “breaches” or “leaks” when in reality they are something else.
Often, we see customer data related to a certain organization sold or shared on the Dark Web. In some cases, such data is mistakenly thought to originate in a data breach of the target organization, where in fact it is the output of a credential stuffing attack, which leverages data compromised elsewhere and the prevalence of password reuse.
Credential stuffing attacks require minimal technical skill and can be carried out by actors with access to username and password combination lists that can easily be obtained in bulk for free across online underground forums. In these forums, threat actors share combination lists that are typically obtained through phishing attacks or prior data breaches of various organizations.
The image below displays a thread on an underground forum in which an actor posted 100,000 credential pairs (containing email addresses and passwords).
Using such credential lists in a credential stuffing attack, threat actors can produce valid credentials for other websites or applications of interest. Threat actors use widely available credential stuffing tools such as Sentry MBA, OpenBullet, or SNIPR to name a few, to test those credential pairs across multiple target websites. When launched, the tool attempts to log in to the target websites using the credentials available and report information back to the attacker regarding which accounts were accessed successfully. In some cases, the tool can also report back with additional information collected from the victim’s account such as Username, Account Type (e.g. Free, Paid, etc.), or other identifiable information related to the specific website or service. In recent attacks targeting Zoom accounts, threat actors have been able obtain information from the victim’s account including personal meeting URL and ID, HostKey, Name, and Account Type.
The image below is an example of the output from a credential stuffing attack. In this example, the actor targeted Zoom accounts and captured the email address, Zoom personal meeting URL, MeetingID, HostKey, Name, and account type related to each set of credentials tested and found valid. This information may sometimes be mistaken for “leaked” or “breached” data when in fact it is just the output from one of many credential stuffing attacks, leveraging previously exposed credentials from other sources (i.e., not Zoom).
Once valid credentials are obtained from an attack, the threat actor may take multiple routes. In most cases, the credentials are resold on underground forums and marketplaces. For example, an actor may conduct a credential stuffing attack against several popular video streaming services and sell the valid accounts for a profit.
Organizations should actively check whether their employees’ or clients’ credentials have been compromised in 3rd-party data breaches. If such credentials are exposed, it is likely that a portion of these credentials may be used to access these employees’ or clients’ accounts due to the high rate of password reuse. Therefore, such employees or clients should be urged to change their password. Of course, it is very difficult to change behavior related to password reuse, and as such, educating on the importance of unique and secure passwords is also very important. Finally, organizations may implement certain tools to defeat credential stuffing attempts and to prevent unauthorized logins even in the event that credentials have been compromised.
About the AuthorZac Blenden is a Threat Intelligence Analyst at Q6 Cyber with a focus on cybercriminal communities and activity. Prior to Q6, Zac was a Penetration Tester and Threat Intelligence Analyst.