Login
Many organizations β including quite a few Fortune 500 firms β have exposed web links that allow anyone to initiate a Zoom video conference meeting as a valid employee. These company-specific Zoom links, which include a permanent user ID number and an embedded passcode, can work indefinitely and expose an organizationβs employees, customers or partners to phishing and other social engineering attacks.
Image: @Pressmaster on Shutterstock.
At issue is the Zoom Personal Meeting ID (PMI), which is a permanent identification number linked to your Zoom account and serves as your personal meeting room available around the clock. The PMI portion forms part of each new meeting URL created by that account, such as:
zoom.us/j/5551112222
Zoom has an option to include an encrypted passcode within a meeting invite link, which simplifies the process for attendees by eliminating the need to manually enter the passcode. Following the previous example, such a link might look something like this:
zoom.us/j/5551112222/pwd=jdjsklskldklsdksdklsdkll
Using your PMI to set up new meetings is convenient, but of course convenience often comes at the expense of security. Because the PMI remains the same for all meetings, anyone with your PMI link can join any ongoing meeting unless you have locked the meeting or activated Zoomβs Waiting Room feature.
Including an encrypted passcode in the Zoom link definitely makes it easier for attendees to join, but it might open your meetings to unwanted intruders if not handled responsibly. Particularly if that Zoom link is somehow indexed by Google or some other search engine, which happens to be the case for thousands of organizations.
Armed with one of these links, an attacker can create meetings and invite others using the identity of the authorized employee. And many companies using Zoom have made it easy to find recently created meeting links that include encrypted passcodes, because they have dedicated subdomains at Zoom.us.
Using the same method, KrebsOnSecurity also found working Zoom meeting links for The National Football League (NFL), LinkedIn, Oracle, Humana, Disney, Warner Bros, and Uber. And that was from just a few minutes of searching. And to illustrate the persistence of some of these Zoom links, Archive.org says several of the links were first created as far back as 2020 and 2021.
KrebsOnSecurity received a tip about the Zoom exposures from Charan Akiri, a researcher and security engineer at Reddit. In April 2023, this site featured research by Akiri showing that many public Salesforce websites were leaking private data, including banks and healthcare organizations (Akiri said Salesforce also had these open Zoom meeting links before he notified them).
The Zoom links that exposed working meeting rooms all had enabled the highlighted option.
Akiri said the misuse of PMI links, particularly those with passcodes embedded, can give unauthorized individuals access to meetings.
βThese one-click links, which are not subject to expiration or password requirement, can be exploited by attackers for impersonation,β Akiri said. βAttackers exploiting these vulnerabilities can impersonate companies, initiating meetings unknowingly to users. They can contact other employees or customers while posing as the company, gaining unauthorized access to confidential information, potentially for financial gain, recruitment, or fraudulent advertising campaigns.β
Akiri said he built a simple program to crawl the web for working Zoom meeting links from different organizations, and so far it has identified thousands of organizations with these perfectly functional zombie Zoom links.
According to Akiri, here are several tips for using Zoom links more safely:
Donβt Use Personal Meeting ID for Public Meetings: Your Personal Meeting ID (PMI) is the default meeting that launches when you start an ad hoc meeting. Your PMI doesnβt change unless you change it yourself, which makes it very useful if people need a way to reach you. But for public meetings, you should always schedule new meetings with randomly generated meeting IDs. That way, only invited attendees will know how to join your meeting. You can also turn off your PMI when starting an instant meeting in your profile settings.
Require a Passcode to Join: You can take meeting security even further by requiring a passcode to join your meetings. This feature can be applied to both your Personal Meeting ID, so only those with the passcode will be able to reach you, and to newly scheduled meetings. To learn all the ways to add a passcode for your meetings, see this support article.
Only Allow Registered or Domain Verified Users: Zoom can also give you peace of mind by letting you know exactly who will be attending your meeting. When scheduling a meeting, you can require attendees to register with their email, name, and custom questions. You can even customize your registration page with a banner and logo. By default, Zoom also restricts participants to those who are logged into Zoom, and you can even restrict it to Zoom users whose email address uses a certain domain.
Further reading: How to Keep Uninvited Guests Out of Your Zoom Meeting
Update 12:33 p.m.: The list of affected organizations was updated, because several companies listed apparently only exposed links that let anyone connect to existing, always-on meeting rooms β not initiate and completely control a Zoom meeting. The real danger with the zombie links described above is that anyone can find and use them to create new meetings and invite others.
One frustrating aspect of email phishing is the frequency with which scammers fall back on tried-and-true methods that really have no business working these days. Like attaching a phishing email to a traditional, clean email message, or leveraging link redirects on LinkedIn, or abusing an encoding method that makes it easy to disguise booby-trapped Microsoft Windows files as relatively harmless documents.
KrebsOnSecurity recently heard from a reader who was puzzled over an email heβd just received saying he needed to review and complete a supplied W-9 tax form. The missive was made to appear as if it were part of a mailbox delivery report from Microsoft 365 about messages that had failed to deliver.
The reader, who asked to remain anonymous, said the phishing message contained an attachment that appeared to have a file extension of β.pdf,β but something about it seemed off. For example, when he downloaded and tried to rename the file, the right arrow key on the keyboard moved his cursor to the left, and vice versa.
The file included in this phishing scam uses whatβs known as a βright-to-left overrideβ or RLO character. RLO is a special character within unicode β an encoding system that allows computers to exchange information regardless of the language used β that supports languages written from right to left, such as Arabic and Hebrew.
Look carefully at the screenshot below and youβll notice that while Microsoft Windows says the file attached to the phishing message is named βlme.pdf,β the full filename is βfdp.emlβ spelled backwards. In essence, this is a .eml file β an electronic mail format or email saved in plain text β masquerading as a .PDF file.
βThe email came through Microsoft Office 365 with all the detections turned on and was not caught,β the reader continued. βWhen the same email is sent through Mimecast, Mimecast is smart enough to detect the encoding and it renames the attachment to β___fdp.eml.β One would think Microsoft would have had plenty of time by now to address this.β
Indeed, KrebsOnSecurity first covered RLO-based phishing attacks back in 2011, and even then it wasnβt a new trick.
Opening the .eml file generates a rendering of a webpage that mimics an alert from Microsoft about wayward messages awaiting restoration to your inbox. Clicking on the βRestore Messagesβ link there bounces you through an open redirect on LinkedIn before forwarding to the phishing webpage.
As noted here last year, scammers have long taken advantage of a marketing feature on the business networking site which lets them create a LinkedIn.com link that bounces your browser to other websites, such as phishing pages that mimic top online brands (but chiefly Linkedinβs parent firm Microsoft).
The landing page after the LinkedIn redirect displays what appears to be an Office 365 login page, which is naturally a phishing website made to look like an official Microsoft Office property.
In summary, this phishing scam uses an old RLO trick to fool Microsoft Windows into thinking the attached file is something else, and when clicked the link uses an open redirect on a Microsoft-owned website (LinkedIn) to send people to a phishing page that spoofs Microsoft and tries to steal customer email credentials.
According to the latest figures from Check Point Software, Microsoft was by far the most impersonated brand for phishing scams in the second quarter of 2023, accounting for nearly 30 percent of all brand phishing attempts.
An unsolicited message that arrives with one of these .eml files as an attachment is more than likely to be a phishing lure. The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly.
If youβre unsure whether a message is legitimate, take a deep breath and visit the site or service in question manually β ideally, using a browser bookmark to avoid potential typosquatting sites.
Happy World Social Media Day! Todayβs a day about celebrating the life-long friendships youβve made thanks to social media. Social media was invented to help users meet new people with shared interests, stay in touch, and learn more about world. Facebook, Twitter, Instagram, Reddit, TikTok, LinkedIn, and the trailblazing MySpace have all certainly succeeded in those aims.Β
This is the first World Social Media Day where artificial intelligence (AI) joins the party. AI has existed in many forms for decades, but itβs only recently that AI-powered apps and tools are available in the pockets and homes of just about everyone. ChatGPT, Voice.ai, DALL-E, and others are certainly fun to play with and can even speed up your workday.Β Β
While scrolling through hilarious videos and commenting on your friendsβ life milestones are practically national pastimes, some people are making it their pastime to fill our favorite social media feeds with AI-generated content. Not all of it is malicious, but some AI-generated social media posts are scams.Β Β
Here are some examples of common AI-generated content that youβre likely to encounter on social media.Β
Have you scrolled through your video feed and come across voices that sound exactly like the current and former presidents? And are they playing video games together? Comic impersonators can be hilariously accurate with their copycatting, but the voice track to this video is spot on. This series of videos, created by TikToker Voretecks, uses AI voice generation to mimic presidential voices and pit them against each other to bring joy to their viewers.1 In this case, AI-generated voices are mostly harmless, since the videos are in jest. Context clues make it obvious that the presidents didnβt gather to hunt rogue machines together.Β
AI voice generation turns nefarious when itβs meant to trick people into thinking or acting a certain way. For example, an AI voiceover made it look like a candidate for Chicago mayor said something inflammatory that he never said.2 Fake news is likely to skyrocket with the fierce 2024 election on the horizon. Social media sites, especially Twitter, are an effective avenue for political saboteurs to spread their lies far and wide to discredit their opponent.Β
Finally, while it might not appear on your social media feed, scammers can use what you post on social media to impersonate your voice. According to McAfeeβs Beware the Artificial Imposters Report, a scammer requires only three seconds of audio to clone your voice. From there, the scammer may reach out to your loved ones with extremely realistic phone calls to steal money or sensitive personal information. The report also found that of the people who lost money to an AI voice scam, 36% said they lost between $500 and $3,000.Β
To keep your voice out of the hands of scammers, perhaps be more mindful of the videos or audio clips you post publicly. Also, consider having a secret safe word with your friends and family that would stump any would-be scammer.Β Β
Deepfake, or the alteration of an existing photo or video of a real person that shows them doing something that never happened, is another tactic used by social media comedians and fake news spreaders alike. In the case of the former, one company founded their entire business upon deepfake. The company is most famous for its deepfakes of Tom Cruise, though itβs evolved into impersonating other celebrities, generative AI research, and translation.3Β Β
When you see videos or images on social media that seem odd, look for a disclaimer β either on the post itself or in the posterβs bio β about whether the poster used deepfake technology to create the content. A responsible social media user will alert their audiences when the content they post is AI generated.Β Β
Again, deepfake and other AI-altered images become malicious when they cause social media viewers to think or act a certain way. Fake news outlets may portray a political candidate doing something embarrassing to sway voters. Or an AI-altered image of animals in need may tug at the heartstrings of social media users and cause them to donate to a fake fundraiser. Deepfake challenges the saying βseeing is believing.βΒ
ChatGPT is everyoneβs favorite creativity booster and taskmaster for any writing chore. It is also the new best friend of social media bot accounts. Present on just about every social media platform, bot accounts spread spam, fake news, and bolster follower numbers. Bot accounts used to be easy to spot because their posts were unoriginal and poorly written. Now, with the AI-assisted creativity and excellent sentence-level composition of ChatGPT, bot accounts are sounding a lot more realistic. And the humans managing those hundreds of bot accounts can now create content more quickly than if they were writing each post themselves.Β
In general, be wary when anyone you donβt know comments on one of your posts or reaches out to you via direct message. If someone says youβve won a prize but you donβt remember ever entering a contest, ignore it.Β
With the advent of mainstream AI, everyone should approach every social media post with skepticism. Be on the lookout for anything that seems amiss or too fantastical to be true. And before you share a news item with your following, conduct your own background research to assert that itβs true.Β
To protect or restore your identity should you fall for any social media scams, you can trust McAfee+. McAfee+ monitors your identity and credit to help you catch suspicious activity early. Also, you can feel secure in the $1 million in identity theft coverage and identity restoration services.Β
Social media is a fun way to pass the time, keep up with your friends, and learn something new. Donβt be afraid of AI on social media. Instead, laugh at the parodies, ignore and report the fake news, and enjoy social media confidently!Β
1Business Insider, βAI-generated audio of Joe Biden and Donald Trump trashtalking while gaming is taking over TikTokβΒ Β
2The Hill, βThe impending nightmare that AI poses for media, electionsβΒ
3Metaphysic, βCreate generative AI video that looks realβΒ
The post Be Mindful of These 3 AI Tricks on World Social Media Day appeared first on McAfee Blog.
Nikita Kislitsin, formerly the head of network security for one of Russiaβs top cybersecurity firms, was arrested last week in Kazakhstan in response to 10-year-old hacking charges from the U.S. Department of Justice. Experts say Kislitsinβs prosecution could soon put the Kazakhstan government in a sticky diplomatic position, as the Kremlin is already signaling that it intends to block his extradition to the United States.
Nikita Kislitsin, at a security conference in Russia.
Kislitsin is accused of hacking into the now-defunct social networking site Formspring in 2012, and conspiring with another Russian man convicted of stealing tens of millions of usernames and passwords from LinkedIn and Dropbox that same year.
In March 2020, the DOJ unsealed two criminal hacking indictments against Kislitsin, who was then head of security at Group-IB, a cybersecurity company that was founded in Russia in 2003 and operated there for more than a decade before relocating to Singapore.
Prosecutors in Northern California indicted Kislitsin in 2014 for his alleged role in stealing account data from Formspring. Kislitsin also was indicted in Nevada in 2013, but the Nevada indictment does not name his alleged victim(s) in that case.
However, documents unsealed in the California case indicate Kislitsin allegedly conspired with Yevgeniy Nikulin, a Russian man convicted in 2020 of stealing 117 million usernames and passwords from Dropbox, Formspring and LinkedIn in 2012. Nikulin is currently serving a seven-year sentence in the U.S. prison system.
As first reported by Cyberscoop in 2020, a trial brief in the California investigation identified Nikulin, Kislitsin and two alleged cybercriminals β Oleg Tolstikh and Oleksandr Vitalyevich Ieremenko β as being present during a 2012 meeting at a Moscow hotel, where participants allegedly discussed starting an internet cafΓ© business.
A 2010 indictment out of New Jersey accuses Ieremenko and six others with siphoning nonpublic information from the U.S. Securities & Exchange Commission (SEC) and public relations firms, and making $30 million in illegal stock trades based on the proprietary information they stole.
[The U.S. Secret Service has an outstanding $1 million reward for information leading to the arrest of Ieremenko (ΠΠ»Π΅ΠΊΡΠ°Π½Π΄Ρ ΠΠΈΡΠ°Π»ΡΠ΅Π²ΠΈΡ ΠΡΠ΅ΠΌΠ΅Π½ΠΊΠΎ), who allegedly went by the hacker handles βZl0mβ and βLamarez.β]
Kislitsin was hired by Group-IB in January 2013, nearly six months after the Formspring hack. Group-IB has since moved its headquarters to Singapore, and in April 2023 the company announced it had fully exited the Russian market.
In a statement provided to KrebsOnSecurity, Group-IB said Mr. Kislitsin is no longer an employee, and that he now works for a Russian organization called FACCT, which stands for βFight Against Cybercrime Technologies.β
βDmitry Volkov, co-founder and CEO, sold his stake in Group-IBβs Russia-based business to the companyβs local management,β the statement reads. βThe stand-alone business in Russia has been operating under the new brand FACCT ever since and will continue to operate as a separate company with no connection to Group-IB.β
FACCT says on its website that it is a βRussian developer of technologies for combating cybercrime,β and that it works with clients to fight targeted attacks, data leaks, fraud, phishing and brand abuse. In a statement published online, FACCT said Kislitsin is responsible for developing its network security business, and that he remains under temporary detention in Kazakhstan βto study the basis for extradition arrest at the request of the United States.β
βAccording to the information we have, the claims against Kislitsin are not related to his work at FACCT, but are related to a case more than 10 years ago when Nikita worked as a journalist and independent researcher,β FACCT wrote.
From 2006 to 2012, Kislitsin was editor-in-chief of βHacker,β a popular Russian-language monthly magazine that includes articles on information and network security, programming, and frequently features interviews with and articles penned by notable or wanted Russian hackers.
βWe are convinced that there are no legal grounds for detention on the territory of Kazakhstan,β the FACCT statement continued. βThe company has hired lawyers who have been providing Nikita with all the necessary assistance since last week, and we have also sent an appeal to the Consulate General of the Russian Federation in Kazakhstan to assist in protecting our employee.β
FACCT indicated that the Kremlin has already intervened in the case, and the Russian government claims Kislitsin is wanted on criminal charges in Russia and must instead be repatriated to his homeland.
βThe FACCT emphasizes that the announcement of Nikita Kislitsin on the wanted list in the territory of the Russian Federation became known only today, June 28, 6 days after the arrest in Kazakhstan,β FACCT wrote. βThe company is monitoring developments.β
The Kremlin followed a similar playbook in the case ofΒ Aleksei Burkov, a cybercriminal who long operated two of Russiaβs most exclusive underground hacking forums. Burkov was arrested in 2015 by Israeli authorities, and the Russian government fought Burkovβs extradition to the U.S. for four years β even arresting and jailing an Israeli woman on phony drug charges to force a prisoner swap.
That effort ultimately failed: Burkov was sent to America, pleaded guilty, and was sentenced to nine years in prison.
Alexei Burkov, seated second from right, attends a hearing in Jerusalem in 2015. Image: Andrei Shirokov / Tass via Getty Images.
Arkady Bukh is a U.S. attorney who has represented dozens of accused hackers from Russia and Eastern Europe who were extradited to the United States over the years. Bukh said Moscow is likely to turn the Kislitsin case into a diplomatic time bomb for Kazakhstan, which shares an enormous border and a great deal of cultural ties with Russia. A 2009 census found that Russians make up about 24 percent of the population of Kazakhstan.
βThat would put Kazakhstan at a crossroads to choose between unity with Russia or going with the West,β Bukh said. βIf that happens, Kazakhstan may have to make some very unpleasant decisions.β
Group-IBβs exodus from Russia comes as its former founder and CEO Ilya Sachkov remains languishing in a Russian prison, awaiting a farcical trial and an inevitable conviction on charges of treason. In September 2021, the Kremlin issued treason charges against Sachkov, although it has so far refused to disclose any details about the allegations.
Sachkovβs pending treason trial has been the subject of much speculation among denizens of Russian cybercrime forums, and the consensus seems to be that Sachkov and Group-IB were seen as a little too helpful to the DOJ in its various investigations involving top Russian hackers.
Indeed, since its inception in 2003, Group-IBβs researchers have helped to identify, disrupt and even catch a number of high-profile Russian hackers, most of whom got busted after years of criminal hacking because they made the unforgivable mistake of stealing from their own citizens.
When the indictments against Kislitsin were unsealed in 2020, Group-IB issued a lengthy statement attesting to his character and saying they would help him with his legal defense. As part of that statement, Group-IB noted that βrepresentatives of the Group-IB company and, in particular, Kislitsin, in 2013, on their own initiative, met with employees of the US Department of Justice to inform them about the research work related to the underground, which was carried out by Kislitsin in 2012.β
Python 3 script to dump company employees from LinkedIn APIο¬
LinkedInDumper is a Python 3 script that dumps employee data from the LinkedIn social networking platform.
The results contain firstname, lastname, position (title), location and a user's profile link. Only 2 API calls are required to retrieve all employees if the company does not have more than 10 employees. Otherwise, we have to paginate through the API results. With the --email-format CLI flag one can define a Python string format to auto generate email addresses based on the retrieved first and last name.
LinkedInDumper talks with the unofficial LinkedIn Voyager API, which requires authentication. Therefore, you must have a valid LinkedIn user account. To keep it simple, LinkedInDumper just expects a cookie value provided by you. Doing it this way, even 2FA protected accounts are supported. Furthermore, you are tasked to provide a LinkedIn company URL to dump employees from.
FreshRSS 
li_at session cookie value e.g. via developer toolsli_at or temporarily during runtime via the CLI flag --cookie
usage: linkedindumper.py [-h] --url <linkedin-url> [--cookie <cookie>] [--quiet] [--include-private-profiles] [--email-format EMAIL_FORMAT]
options:
-h, --help show this help message and exit
--url <linkedin-url> A LinkedIn company url - https://www.linkedin.com/company/<company>
--cookie <cookie> LinkedIn 'li_at' session cookie
--quiet Show employee results only
--include-private-profiles
Show private accounts too
--email-format Python string format for emails; for example:
[1] john.doe@example.com > '{0}.{1}@example.com'
[2] j.doe@example.com > '{0[0]}.{1}@example.com'
[3] jdoe@example.com > '{0[0]}{1}@example.com'
[4] doe@example.com > '{1}@example.com'
[5] john@example.com > '{0}@example.com'
[6] jd@example.com > '{0[0]}{1[0]}@example.com'
docker run --rm l4rm4nd/linkedindumper:latest --url 'https://www.linkedin.com/company/apple' --cookie <cookie> --email-format '{0}.{1}@apple.de'
# install dependencies
pip install -r requirements.txt
python3 linkedindumper.py --url 'https://www.linkedin.com/company/apple' --cookie <cookie> --email-format '{0}.{1}@apple.de'
The script will return employee data as semi-colon separated values (like CSV):
βββ βββ ββββ β ββ βββββββββ βββββββ βββ ββββ β βββββββ β ββ ββββ βββββ ββββββ ββββββ ββββββ
ββββ ββββ ββ ββ β βββββ ββ β ββββ βββββββ ββ ββ β ββββ βββ ββ ββββββββββ& #9600; βββββββ βββββ β βββ β βββ
ββββ βββββββ ββ βββββββββ ββββ βββ βββββββββ ββ ββββββ βββββ βββββββ ββββββββ ββββββββ βββ βββ β
ββββ ββββββββ ββββββββ ββ βββ β ββββ β&# 9617;βββββββ βββββββββ ββββ βββββββ βββ βββββββ ββββ β βββββββ
ββββββββββββββββ ββββββββ ββββββββββββββββ ββββββββ βββββββββββ ββββββββ ββββ ββββββββ β βββββββ& #9618;ββββ ββββ
β βββ βββ β ββ β β β ββ ββββ ββ β βββ β ββ β ββ β β βββ β ββββ β β β ββ β βββββ β βββ ββ ββ ββ ββββ
β β β β β ββ ββ β βββ ββ ββ β β β β β β β ββ ββ β ββ β β β ββββ β β β β βββ β β β β ββ β ββ
β β β β β β β β ββ β β β β β β β β β β β β β βββ β β β β ββ β ββ β
β β β β β β β β β β β β β β β β β
β β β by LRVT
[i] Company Name: apple
[i] Company X-ID: 162479
[i] LN Employees: 1000 employees found
[i] Dumping Date: 17/10/2022 13:55:06
[i] Email Format: {0}.{1}@apple.de
Firstname;Lastname;Email;Position;Gender;Location;Profile
Katrin;Honauer;katrin.honauer@apple.com;Software Engineer at Apple;N/A;Heidelberg;https://www.linkedin.com/in/katrin-honauer
Raymond;Chen;raymond.chen@apple.com;Recruiting at Apple;N/A;Austin, Texas Metropolitan Area;https://www.linkedin.com/in/raytherecruiter
[i] Successfully crawled 2 unique apple employee(s). Hurray ^_-
LinkedIn will allow only the first 1,000 search results to be returned when harvesting contact information. You may also need a LinkedIn premium account when you reached the maximum allowed queries for visiting profiles with your freemium LinkedIn account.
Furthermore, not all employee profiles are public. The results vary depending on your used LinkedIn account and whether you are befriended with some employees of the company to crawl or not. Therefore, it is sometimes not possible to retrieve the firstname, lastname and profile url of some employee accounts. The script will not display such profiles, as they contain default values such as "LinkedIn" as firstname and "Member" in the lastname. If you want to include such private profiles, please use the CLI flag --include-private-profiles. Although some accounts may be private, we can obtain the position (title) as well as the location of such accounts. Only firstname, lastname and profile URL are hidden for private LinkedIn accounts.
Finally, LinkedIn users are free to name their profile. An account name can therefore consist of various things such as saluations, abbreviations, emojis, middle names etc. I tried my best to remove some nonsense. However, this is not a complete solution to the general problem. Note that we are not using the official LinkedIn API. This script gathers information from the "unofficial" Voyager API.
