Zoom passwords for sale on the Dark Web – “ten-a-penny” by all accounts

You’ve almost certainly heard of Zoom over the past few weeks – Zoom, more properly Zoom Video Communications, Inc., lets you run remote meetings and webinars, with audio and video for all participants, right from your browser. The service is surprisingly easy to use, so the company has seen demand for its services surge during the coronavirus lockdown. With journalists, teachers, personal trainers, yoga classes, families, businesses and even places of worship “going virtual” to keep people in contact even though physical meetups are no longer allowed, Zoom bandwidth usage has expanded enormously.

As you can imagine, this expansion hasn’t been hassle-free.

Unfortunately, the biggest problems that many new users seem to be having with Zoom have nothing to do with Zoom’s programming or its service – in other words, they’re mistakes that Zoom itself can’t easily stop people from making. The first big-news story about anti-social behaviour in the world of Zoom added a new word to the English language – ZoomBombing. That’s where someone opens up a meeting to anyone who’d like to attend, typically as an open-hearted chance for people to join in and hang out during the lockdown.

…only to find that one or more of the “participants” joined in specifically to put the “ax” into “chillaxing”.

ZoomBombers typically start out by sharing what seems like an innocent feed from their webcam, only to “upgrade” their “contribution” to the meeting by suddenly and unexpectedly sharing their own screens after filling them with… well, you can imagine the sort of stuff that might get shoved in your face.

One poor journalist recently ran an open-to-all “Happy Hour” Zoom call and invited his own parents along as guests of honour – only for his session to get ZoomBombed with hard-core porn, and for the bomber to keep returning with new aliases after being kicked out. We published a guide entitled 5 things you can do today to make Zooming safer that gives you some easy-to-follow tips on how to avoid unpleasant surprises before, during or after your online meetings – simply put, how to keep the good stuff in, and the bad guys out. But there’s a sixth tip we need to add, one that we were worried might be repetitious if we’d included it last time, but that we’re going to add now even though you’ve heard it umpteen times before.

We’re sure you can guess what it is: PICK PROPER PASSWORDS!

Ten-a-penny, or thereabouts

A boutique cybersecurity intelligence firm called Cyble out of the Asia-Pacific region recently proved to itself, and to everyone else, that many Zoom newcomers simply aren’t taking care when they join the service.

Thousands, perhaps hundreds of thousands, of new adopters of Zoom are apparently as good as letting the crooks in for free by using passwords that have already been hacked or cracked elsewhere.

Fascinatingly, Zoom accounts don’t seem to be worth much to cybercrooks – or, at least, these ones weren’t worth much.

According to one report, Cyble claimed to have acquired 530,000 accounts and passwords from a Russian-speaking hacker at a rate that was almost literally ten-a-penny.

(The figure we saw was $0.002 each; if we assume Australian dollars because Cyble’s Twitter account says @AuCyble, that’s about one-tenth of a British penny. If we assume US dollars and American pennies, it’s a straight-up rate of five-a-penny – still astonishingly cheap.)

Of course, some or many of those passwords may be wrong, or old, or even just made up by the crooks, but Cyble has told reporters it tried a small sample of them and at least some did work.

We haven’t seen the actual passwords, but from the price and the size of the list we’re assuming that these passwords were already in the hands of the crooks, probably from an old data breach where passwords were exposed from another site, or stolen by malware, possibly months or even years ago. In other words, it’s fair to say that the only “hacking” here is that crooks who already knew the passwords for existing accounts went and tried them out on Zoom as well. After all, for many people, a Zoom password is the most recent “new password” they’ve had to choose because Zoom is the most recent new account they’ve set up…

…and therefore anyone who’s reused an old password lately has kind-of “pre-hacked” themselves.

What to do?

Don’t reuse passwords.

One account, one password! (If you find that a hassle, and you probably do, get a password manager to keep your passwords under control.) Seriously, folks – tell your friends, tell your family, tell your colleagues, tell your boss, even if you’ve told them all 100 times before. Password reuse is a behaviour that we simply have to eliminate, especially now we’re all signing up for new accounts in a hurry because of the coronavirus pandemic. Using old passwords again makes things far too easy for cybercriminals – they know that we’re creatures of habit so they routinely and regularly try old passwords on new accounts. In fact, the practice of trying old passwords on lots of accounts is so common it even has a name of its own: credential stuffing. And friends don’t let friends get stuffed.
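Credential stuffing leaves a distinctive trace in authentication logs: one source trying a different account with each attempt, mostly failing, with the occasional success where a reused password still worked. The following added example (not from the original article, and nothing to do with Zoom’s own systems) runs a simple detector over constructed sample log lines; the log format, thresholds and IP addresses are all assumptions.

```python
"""Credential-stuffing detector over constructed authentication log lines.

Brute force hits ONE account with many passwords; credential stuffing hits
MANY accounts with one (reused) password each, so the signal per source is
many distinct usernames in a short window with a low success ratio.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: "<ISO time> <source_ip> <user> <result>")
SAMPLE_LOG = """\
2020-04-14T09:00:01 203.0.113.7 alice LOGIN_FAIL
2020-04-14T09:00:02 203.0.113.7 bob LOGIN_FAIL
2020-04-14T09:00:03 203.0.113.7 carol LOGIN_OK
2020-04-14T09:00:04 203.0.113.7 dave LOGIN_FAIL
2020-04-14T09:00:05 203.0.113.7 erin LOGIN_FAIL
2020-04-14T09:00:06 203.0.113.7 frank LOGIN_FAIL
2020-04-14T09:05:00 198.51.100.2 alice LOGIN_FAIL
2020-04-14T09:05:30 198.51.100.2 alice LOGIN_OK
2020-04-14T11:00:00 192.0.2.9 bob LOGIN_OK
"""

def parse(log_text):
    """Turn log lines into (timestamp, source_ip, username, succeeded) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"))
    return events

def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_users=5, max_success_ratio=0.5):
    """Return {source_ip: details} for sources that tried at least `min_users`
    distinct accounts inside `window` with a success ratio <= max_success_ratio.
    The 'compromised' list is the accounts where the stuffed password worked."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for start in range(len(attempts)):          # sliding window per source
            t0 = attempts[start][0]
            in_win = [a for a in attempts[start:] if a[0] - t0 <= window]
            users = {u for _, u, _ in in_win}
            successes = sum(ok for _, _, ok in in_win)
            if len(users) >= min_users and successes / len(in_win) <= max_success_ratio:
                flagged[ip] = {"accounts_tried": len(users),
                               "compromised": sorted(u for _, u, ok in in_win if ok)}
                break
    return flagged
```

The single legitimate user who mistyped once (198.51.100.2) is not flagged, while the source that walked through six accounts is, together with the one account it actually got into, which is the account a defender would reset first.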

―Paul Ducklin, Principal Research Scientist, Sophos, CT Bureau

Copyright © 2024 Communications Today