Fraudsters Use Zoom to Hijack Entrepreneurs' Google and Telegram Accounts

F6 reports a new method of hijacking accounts targeting entrepreneurs and managers. The attackers pose as potential clients interested in the services of the victim's company.

Under the pretext of discussing the details of cooperation, the scammer offers to hold a video meeting on Zoom, citing the convenience of his business version of the platform. After receiving consent, he sends a phishing link that imitates an invitation to Zoom.

After clicking on the link, the user sees a page where he is asked to solve several captchas in succession, which is probably done to bypass security systems. Then he is redirected to a fake Google account login page. After entering the login and password, the phishing form asks for a confirmation code from an SMS or notification.

"The scenario repeats the classic tactics of fraudsters - correspondence in a messenger, and then a phishing link, and a minimal update of the legend - a transition to attacks under the guise of potential clients with a fake link to Zoom - makes the scheme effective. At the same time, an obviously fake link to Zoom, the need to enter a login and password, even if they were saved in the browser, a suspicious captcha, a Telegram code - all this should make the victim think."

Maria Sinitsyna, Senior Analyst, Digital Risk Protection Department, F6

At the same time, the attacker, continuing the communication in Telegram, exerts psychological pressure, asking to hurry up with entering the code. Having received it, the scammers get full access not only to the Google account, but also to the linked Telegram account.

Once accounts are compromised, criminals first try to gain access to linked crypto wallets and exchanges, as well as looking for confidential information, banking data, and other valuable data.