'TurkeyBombing' Phishing Scam Description
We live in precarious and unprecedented times, in which our daily lives have been upended by the global pandemic. Large segments of the population have been forced to move numerous aspects of their usual activities online, creating a significant opportunity for cybercriminals. Earlier in 2020, infosec researchers uncovered several instances where threat actors took advantage of the Zoom Video Communications platform to disrupt online meetings, both in work environments and among people connecting with their families and relatives.
A far more sinister campaign, however, was unleashed around Thanksgiving and could continue for a while. Named TurkeyBombing, it targeted millions of potential victims, thousands of whom have already fallen for the tactic. The cybercriminals' goal is to obtain the Microsoft credentials of unsuspecting Zoom users who may have used the platform over the long Thanksgiving weekend.
Hackers Take Advantage of Thanksgiving to Conduct Phishing Attack
The attack begins with the hackers disseminating countless phishing emails. The misleading emails state that the targeted user has received a video conference invitation and contain a link that is supposed to take the user to the conference call. Instead, the corrupted link redirects to a fake Microsoft login page hosted on Appspot.com. This is a legitimate domain that software developers often use to host Web applications in a Google-managed data center.
The login page is far from legitimate, though, as it harvests any credentials that the victim inputs. To further decrease the users' chances of noticing that something is amiss, the fake login page pre-populates the email address field with the user's own address. It then asks for the credentials of an associated Microsoft account. In addition to collecting all of these credentials, the landing page also records the victim's IP address and geolocation. If the hackers receive the credentials of a privileged Microsoft account, they will try to access it through an Internet Message Access Protocol (IMAP) credential verification.
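A mail-filter check for the lure described above, as an added example that is not code from the original article: it flags links hosted on appspot.com and notes when the recipient's own address appears in the URL. That the pre-populated address travels inside the link, in plain or base64 form, is an assumption; the function names and the sample message are constructed.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# Assumption: only appspot.com is listed because it is the only host the page names.
SUSPECT_SUFFIXES = ("appspot.com",)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def host_is_suspect(host):
    """True for the suffix itself or any subdomain, not for look-alike names."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in SUSPECT_SUFFIXES)

def flag_links(body, recipient):
    """Return [(url, reasons)] for links on a suspect host.

    The host alone is a weak signal (the domain is legitimate); the
    recipient's own address inside the link is what raises confidence.
    """
    addr = recipient.lower()
    raw = addr.encode()
    encoded = {base64.b64encode(raw).decode().rstrip("="),
               base64.urlsafe_b64encode(raw).decode().rstrip("=")}
    findings = []
    for match in URL_RE.findall(body):
        url = match.rstrip(".,;)")
        try:
            host = urlsplit(url).hostname or ""
        except ValueError:  # malformed bracketed host
            continue
        if not host_is_suspect(host):
            continue
        reasons = ["hosted on " + host]
        decoded = unquote(url)
        if addr in decoded.lower():
            reasons.append("recipient address in URL")
        elif any(token in decoded for token in encoded):
            reasons.append("base64 recipient address in URL")
        findings.append((url, reasons))
    return findings

# Constructed sample message body; the hostnames are placeholders.
SAMPLE_BODY = """You received a video conference invitation.
Review invitation: https://constructed-sample.appspot.com/signin?e=alice%40example.com
Help: https://support.example.org/faq
"""

if __name__ == "__main__":
    for url, reasons in flag_links(SAMPLE_BODY, "alice@example.com"):
        print(url, "->", "; ".join(reasons))
```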
So far, it has been confirmed that the cybercriminals have managed to obtain over 3600 unique email addresses from victims. With millions of people trying to see their loved ones over the Thanksgiving weekend, resulting in several million video calls, the actual number of compromised accounts could be much bigger.