In our continuing efforts to keep our clients apprised of emerging cyber threats associated with COVID-19 and remote workplaces, we draw your attention to cyber risks associated with using communications platforms. Researchers recently uncovered several potential network security and privacy issues associated with virtual meeting conferencing software.
Cyber Security Threats: Virtual Meeting Bombing
Hackers have infiltrated web conferences with a tactic known as “Bombing”. This occurs when malicious actors join web conferences as uninvited guests and post disturbing graphic images to disrupt communications.
Zoom-based Social Engineering Schemes
A recently published report* reveals that 1,700 domains associated with one of the largest virtual meeting software platforms have been newly registered since January 2020. Of those 1,700 domains, the report states that 4 percent contain suspicious characteristics. This is indicative of the start of formal phishing campaigns using fraudulent emails related to virtual meetings. In addition, the report identified malicious files with names mimicking the naming conventions of virtual meeting software. If these malicious files are downloaded onto a device, they may install software that enables attackers to download additional malware onto the device.
Data Collection & Potential Privacy Violations
According to the New York Times**, New York Attorney General Letitia James began an inquiry into data collection and security practices that relate to potential vulnerabilities that could "enable malicious third parties to, among other things, gain surreptitious access to consumer webcams."
In addition, Motherboard reported*** that software contained within mobile apps for virtual meetings was sending user data to social media platforms, whether or not the user had a social media account. The virtual meeting provider responded, saying it was removing the tracking software.
FBI Guidance
In response to these threats, the FBI recently issued a warning specific to online classroom hacking, with the following guidance:****
- Do not make meetings public. Utilize two options to make a meeting private: require a meeting password or use the waiting room feature and control the admittance of guests.
- Do not share a link to a teleconference on an unrestricted publicly available social media post. Provide the link directly to specific people.
- Manage screen sharing options. Change screen sharing to “Host Only.”
- Ensure users are using the updated version of remote access/meeting applications.
- Ensure that your organization’s telework policy or guide addresses requirements for physical and information security.
Victims of a teleconference hijacking, or any cyber-crime, can report it to the FBI’s Internet Crime Complaint Center at ic3.gov. Additionally, if you receive a specific threat during a teleconference, please report it to us at tips.fbi.gov or call the FBI Boston Division at (857) 386-2000.
Sources:
* https://blog.checkpoint.com/2020/03/30/covid-19-impact-cyber-criminals-target-zoom-domains/
** https://www.nytimes.com/2020/03/30/technology/new-york-attorney-general-zoom-privacy.html
*** https://www.vice.com/en_us/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account
**** https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic
Gallagher provides insurance, risk management and consultation services for our clients in response to both known and unknown risk exposures. When providing analysis and recommendations regarding potential insurance coverage, potential claims and/or operational strategy in response to national emergencies (including health crises), we do so from an insurance/risk management perspective, and offer broad information about risk mitigation, loss control strategy and potential claim exposures. We have prepared this commentary and other news alerts for general informational purposes only and the material is not intended to be, nor should it be interpreted as, legal or client-specific risk management advice. General insurance descriptions contained herein do not include complete insurance policy definitions, terms and/or conditions, and should not be relied on for coverage interpretation. The information may not include current governmental or insurance developments, is provided without knowledge of the individual recipient’s industry or specific business or coverage circumstances, and in no way reflects or promises to provide insurance coverage outcomes that only insurance carriers control.
Gallagher publications may contain links to non-Gallagher websites that are created and controlled by other organizations. We claim no responsibility for the content of any linked website, or any link contained therein. The inclusion of any link does not imply endorsement by Gallagher, as we have no responsibility for information referenced in material owned and controlled by other parties. Gallagher strongly encourages you to review any separate terms of use and privacy policies governing use of these third party websites and resources.