WebEx users targeted in new phishing campaign

(Image credit: Shutterstock)

A new phishing campaign designed to harvest Cisco WebEx credentials through a security warning for the application has been discovered by the Cofense Phishing Defense Center (PDC).

Surprisingly, Cisco's own Secure Email Gateway failed to catch this new campaign which was launched at a time when millions of people are working from home using a variety of online platforms and software. Cybercriminals are well aware of this and have begun to exploit trusted brands like WebEx to deliver malicious emails to users.

Video conferencing software has been targeted by attackers in the past but the rapid influx of remote workers during the global pandemic makes for easy prey for hackers. Cofense anticipates that there will continue to be an increase in remote work phishing in the months to come.

WebEx phishing campaign

This latest phishing campaign begins with potential victims receiving an email with subject lines such as “Critical Update” or “Alert” from the spoofed address “meetings@webex.com”. The body of the email explains that there is a vulnerability that the user must patch or risk allowing an unauthenticated user to install a “Docker container with high privileges on the system”.

This quite clever on the part of the hackers as they have spoofed a legitimate business service and have even included links to a write-up for a legitimate vulnerability tracked as CVE-2016-9223. To make their email more compelling, the linked article uses the same wording as the email.

The attackers have also created a fake URL (https://globalpagee-prod-webex.com/signin) which, at first glance, appears quite similar to the actual Cisco WebEx URL (http://globalpage-prod.webex.com/sigin). However, upon further inspection, it is clear that the spoofed URL contains an extra "e" and uses a dash instead of a period at the end.

To carry out this attack, the hackers registered a fraudulent domain through Public Domain Registry just a few days before sending out their credential phishing email. They even went as far as to obtain a SSL certificate for their fraudulent domain to make it appear more legitimate. Once again though there is a discrepancy though, as the official Cisco certificate is verified by HydrantID while the attacker's certificate is through Sectigo Limited.

The phishing page then redirects users to a fake Cisco WebEx login page that is visually identical to the real thing. Once a user logs in, the attackers then have their WebEx credentials which could be sold on the dark web or used to launch additional attacks against them or their organization.

Working from home certainly has its perks but remote workers must remain vigilant to avoid falling victim to this and the many other scams making their way around the internet at the moment.

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.