Critical update: Webex users phished

An ongoing phishing campaign is targeting remote workers who, because of the COVID-19 pandemic, are relying on conferencing tools like Webex. To steal Webex credentials, hackers are sending victims emails that claim to be a critical Cisco security advisory and ask them to update.

The malicious email uses content from the advisory for CVE-2016-9223, a legitimate vulnerability that was fixed in the Cisco CloudCenter Orchestrator 4.6.2 patch release in 2016.

Experts say the phishing emails are being sent with various attention-grabbing subject lines, such as “Critical Update” or “Alert!”, and come from the spoofed email address “meetings@webex[.]com”.

Several industries, including the healthcare and financial sectors, have reportedly received emails asking them to update their version of the Cisco Meetings Desktop App for Windows and to press a Join button to learn more about the update.

The URL looks legitimate and is nearly identical to that of the legitimate Cisco WebEx login page: for example, instead of prod.webex, the malicious link says prod-webex. An unsuspecting user who clicks the Join button is redirected straight to the phishing landing page, which asks for their password.

To look legitimate, the attackers have also obtained an SSL certificate. However, while the official Cisco certificate is verified by HydrantID, the attackers’ certificate is verified by Sectigo Limited.
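
The two tells described above (a hyphen where a dot should be, and a certificate from a different issuer) can be checked mechanically on links pulled from reported mail. The sketch below is an added example, not part of the original article: it assumes webex.com is the only legitimate registrable domain, takes the expected issuer name from the article, and runs on sample URLs that are constructed.

```python
from urllib.parse import urlsplit

# Assumptions (not from the article): webex.com is treated as the only
# legitimate registrable domain; every URL in SAMPLES is constructed.
LEGIT_DOMAIN = "webex.com"
BRAND = "webex"
# Issuer the article reports for the official Cisco certificate.
EXPECTED_ISSUER = "HydrantID"

def host_of(url):
    """Hostname a browser would connect to (no userinfo, port or trailing dot)."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def is_legit_host(host):
    """True only for webex.com itself or a true subdomain of it."""
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)

def assess(url, issuer_org=None):
    """Return a list of findings for a link and, optionally, its certificate issuer."""
    host = host_of(url)
    findings = []
    if not is_legit_host(host):
        # The brand name in a host outside webex.com is the prod-webex pattern.
        findings.append("lookalike-host" if BRAND in host else "foreign-host")
    if issuer_org is not None and EXPECTED_ISSUER.lower() not in issuer_org.lower():
        findings.append("unexpected-issuer")
    return findings

SAMPLES = [  # constructed examples
    ("https://prod.webex.com/signin", "HydrantID"),
    ("https://prod-webex.example/signin", "Sectigo Limited"),
    ("https://prod.webex.com.login.example/", None),
    ("https://prod.webex.com@login.example/", None),
]

if __name__ == "__main__":
    for url, issuer in SAMPLES:
        print(url, "->", assess(url, issuer) or "ok")
```

The hostname check is the reliable signal; the issuer comparison is only a hint, since a valid certificate proves control of the name in it and nothing more, and a legitimate site can change certificate authority.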