Surprisingly, Cisco's own Secure Email Gateway failed to catch this new campaign which was launched at a time when millions of people are working from home using a variety of online platforms and software. Cybercriminals are well aware of this and have begun to exploit trusted brands like WebEx to deliver malicious emails to users.
Video conferencing software has been targeted by attackers in the past but the rapid influx of remote workers during the global pandemic makes for easy prey for hackers. Cofense anticipates that there will continue to be an increase in remote work phishing in the months to come.
- Phishing emails impersonate the White House
- Cisco serves up free Webex licenses to help home workers deal with coronavirus
- Nearly half of workers have clicked on a phishing email
WebEx phishing campaign
This latest phishing campaign begins with potential victims receiving an email with subject lines such as “Critical Update” or “Alert” from the spoofed address “firstname.lastname@example.org”. The body of the email explains that there is a vulnerability that the user must patch or risk allowing an unauthenticated user to install a “Docker container with high privileges on the system”.
This quite clever on the part of the hackers as they have spoofed a legitimate business service and have even included links to a write-up for a legitimate vulnerability tracked as CVE-2016-9223. To make their email more compelling, the linked article uses the same wording as the email.
The attackers have also created a fake URL (https://globalpagee-prod-webex.com/signin) which, at first glance, appears quite similar to the actual Cisco WebEx URL (http://globalpage-prod.webex.com/sigin). However, upon further inspection, it is clear that the spoofed URL contains an extra "e" and uses a dash instead of a period at the end.
To carry out this attack, the hackers registered a fraudulent domain through Public Domain Registry just a few days before sending out their credential phishing email. They even went as far as to obtain a SSL certificate for their fraudulent domain to make it appear more legitimate. Once again though there is a discrepancy though, as the official Cisco certificate is verified by HydrantID while the attacker's certificate is through Sectigo Limited.
The phishing page then redirects users to a fake Cisco WebEx login page that is visually identical to the real thing. Once a user logs in, the attackers then have their WebEx credentials which could be sold on the dark web or used to launch additional attacks against them or their organization.
Working from home certainly has its perks but remote workers must remain vigilant to avoid falling victim to this and the many other scams making their way around the internet at the moment.
- Also check out our complete list of the best antivirus software