Webex vulnerabilities are being exploited by hackers using simple attacks

The Phishing Defense Center (PDC) has revealed the detection of a new campaign designed to extract login credentials from Cisco WebEx users by abusing a security tool included with the application.

To the surprise of the cybersecurity community, the Secure Email Gateway tool was unable to detect this malicious activity, which was launched just as millions of people are relying on remote communication tools because they cannot travel to their workplaces. Although Cisco WebEx has been the target of cyberattacks before, the increase in working from home due to the global pandemic has favored threat actor groups seeking to compromise the confidential information of the platform's users. PDC even anticipates that these reports will continue to increase over the coming months.

The messages in these campaigns are characterized by three key factors:

  • They contain purported communications issued by some authority
  • They present offers or promotions that, according to experts, are too good to be true
  • Users with less cybersecurity knowledge are more likely to fall into the trap

In this phishing campaign, victims receive an email with a subject line on a “Critical Update” or “Security Alert” theme.

Cybersecurity specialists believe that hackers have devised a very shrewd campaign, as they have even spoofed a legitimate commercial service and linked to a write-up of a legitimate vulnerability, identified as CVE-2016-9223. To make their message more convincing, the article behind the link uses the same wording as the email.

In addition, hackers created a fake URL (https://globalpagee-prod-webex.com/signin) quite similar to the actual Cisco WebEx URL (http://globalpage-prod.webex.com/sigin). On close inspection, it is clear that the forged URL contains an additional “e” and uses a hyphen instead of a dot before “webex”.

To complete the attack, threat actors registered a fraudulent domain using the DNS system, even obtaining an SSL certificate for the domain. This phishing site redirects users to a fake Cisco WebEx login page remarkably similar to the actual page. Once a user logs in, attackers extract their WebEx credentials, which can be sold on the dark web or used to launch additional attacks against the target user.
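The lookalike host described above differs from the real one by a single character once separators are ignored, and its valid certificate means a padlock proves nothing. The following is an added example (not from the original article or from PDC) of a mail-filter style check that flags such hosts; the `TRUSTED_HOSTS` allow-list, the function names and the two-label "registrable domain" shortcut are assumptions of this sketch.

```python
from urllib.parse import urlsplit

# Assumption: the defender maintains a list of genuine login hosts.
TRUSTED_HOSTS = ["globalpage-prod.webex.com"]

def registrable(host: str) -> str:
    """Naive registrable domain (last two labels). Fine for .com;
    a real deployment should consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def squash(host: str) -> str:
    """Drop '.' and '-' so a dot swapped for a hyphen cannot hide similarity."""
    return host.lower().replace(".", "").replace("-", "")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url: str, trusted=TRUSTED_HOSTS, max_dist: int = 2) -> str:
    """Return 'trusted', 'lookalike', 'unknown' or 'invalid' for a URL.
    The scheme is ignored on purpose: HTTPS only shows a certificate was issued."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "invalid"
    # Trust is decided by the registrable domain, never by substrings.
    if any(registrable(host) == registrable(good) for good in trusted):
        return "trusted"
    for good in trusted:
        brand = registrable(good).split(".")[0]  # e.g. "webex"
        near = edit_distance(squash(host), squash(good)) <= max_dist
        if near or brand in squash(host):
            return "lookalike"
    return "unknown"

if __name__ == "__main__":
    for u in ("https://globalpagee-prod-webex.com/signin",   # URL from the article
              "http://globalpage-prod.webex.com/sigin",      # URL from the article
              "https://webex.com.login-portal.example/"):    # constructed sample
        print(f"{classify(u):10} {u}")
```

A "lookalike" verdict is a reason to quarantine or rewrite the link for review, not proof of phishing; the brand-substring rule will also match legitimate third-party hosts that mention the product name.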