Emails purporting to be a Cisco “critical security advisory” are actually part of a phishing campaign trying to steal victims’ Webex credentials.

An ongoing phishing campaign is reeling in victims with a recycled Cisco security advisory that warns of a critical vulnerability. The campaign urges victims to “update,” only to steal their credentials for Cisco’s Webex web conferencing platform instead.

The campaign is looking to leverage the wave of remote workers who, in the midst of the coronavirus pandemic, have come to rely on online conferencing tools like Webex (as well as Zoom and other platforms). With this upward spike in online meetings, compromised Webex credentials could be a cybercriminal’s golden ticket into web conference calls where sensitive files and data are shared (among other malicious activities).

“Targeting users of teleconferencing brands is nothing new,” said Ashley Tran with Cofense’s phishing defense center, in a Thursday analysis. “But with most organizations adhering to guidelines that non-essential workers stay home, the rapid influx of remote workers is prime picking for attackers trying to spoof brands like WebEx. We anticipate there will continue to be an increase in remote work phishing in the months to come.”



Researchers said the phishing emails are being sent with various attention-grabbing subject lines, such as “Critical Update” or “Alert!” and come from the spoofed email address, “meetings@webex[.]com”.

Researchers told Threatpost that this was a mass “spray and pray” phishing campaign, with “numerous end users” receiving and reporting the email from several industries, including the healthcare and financial spaces.

“With the subject and mail content combined, this may [engage] users’ curiosity enough to entice them to click in order to take the requested action,” said Tran.

The body of the email embeds content from a real Cisco Security Advisory from December 2016, along with Cisco Webex branding. The advisory is for CVE-2016-9223, a legitimate vulnerability in CloudCenter Orchestrator Docker Engine, which is Cisco’s management tool for applications in multiple data-center, private-cloud and public-cloud environments. This critical flaw allowed unauthenticated, remote attackers to install Docker containers with high privileges on affected systems; at the time of disclosure in 2016, it was being exploited in the wild. However, the vulnerability was fixed in the Cisco CloudCenter Orchestrator 4.6.2 patch release (also in 2016).

“In this scenario, the threat actor has spoofed a legitimate business service and explained a problem with their software, prompting even non-technical readers to read further,” said the Cofense researcher. “The threat actor even links to a legitimate write-up for the vulnerability, found at the URL embedded into the text ‘CVE-2016-9223.’”

The email tells victims, “To fix this error, we recommend that you update the version of Cisco Meetings Desktop App for Windows” and points them to a “Join” button to learn more about the “update.”

The attackers behind this campaign appear to be meticulous in the details, right down to the URL linked to the “Join” button. If more cautious email recipients hover over the button to check the URL, they’ll find the URL [hxxps://globalpagee-prod-webex[.]com/signin] to be strikingly similar to the legitimate Cisco WebEx URL [hxxps://globalpage-prod[.]webex[.]com/signin].
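The following Python sketch is an added example, not code from Cofense or Threatpost. It shows how a mail-triage script could flag the “Join” link described above: a host is trusted only if it sits under the brand's own domain, and anything that merely contains the brand name or sits within a couple of edits of the real sign-in host is marked as a lookalike. The names TRUSTED_HOSTS, TRUSTED_DOMAINS and BRAND_TOKENS and the distance threshold are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Assumptions for this example: what the organisation treats as genuine.
TRUSTED_HOSTS = ["globalpage-prod.webex.com"]   # real sign-in host named in the article
TRUSTED_DOMAINS = ["webex.com"]                 # domain owned by the brand
BRAND_TOKENS = ["webex"]

def refang(url):
    """Undo common defanging (hxxp, [.]) so the URL can be parsed."""
    url = url.strip().strip("[]")
    return url.replace("[.]", ".").replace("hxxp", "http", 1)

def host_of(url):
    try:
        return (urlsplit(refang(url)).hostname or "").lower().rstrip(".")
    except ValueError:          # malformed netloc
        return ""

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def squash(host):
    """Treat '.' and '-' as one separator, since lookalikes swap them."""
    return re.sub(r"[.-]", "-", host)

def classify(url, max_distance=2):
    host = host_of(url)
    if not host:
        return "unparseable"
    # Only an exact match or a true subdomain of the brand domain is trusted.
    if any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return "trusted"
    near = any(edit_distance(squash(host), squash(t)) <= max_distance
               for t in TRUSTED_HOSTS)
    branded = any(tok in host for tok in BRAND_TOKENS)
    return "lookalike" if (near or branded) else "unrelated"

if __name__ == "__main__":
    for u in ("[hxxps://globalpagee-prod-webex[.]com/signin]",
              "[hxxps://globalpage-prod[.]webex[.]com/signin]"):
        print(classify(u), host_of(u))
```

The suffix check stands in for a proper registrable-domain lookup; a production filter would use the Public Suffix List so that multi-label suffixes are handled correctly.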

The Landing Page

Victims who click on the “Join” button are redirected to the phishing landing page, which is identical to the legitimate Cisco WebEx login page. Researchers said one small difference is that when email addresses are typed into the legitimate Webex page, entries are checked to verify if there are associated accounts. On the phishing page, meanwhile, any email format entry takes the recipient directly to the next page to request their password.

The threat actor registered the fraudulent domain tied to the landing page through the Public Domain Registry just days before sending out the phishing emails. The fraudulent domain was still live and active as of Wednesday, researchers said.

“The attacker has even gone as far as obtaining an SSL certificate for their fraudulent domain to gain further trust from end users,” researchers said. “While the official Cisco certificate is verified by HydrantID, the attacker’s certificate is through Sectigo Limited. Regardless of who verified the attacker’s certificate, the result is the same – a lock to the left of its URL that renders the email legitimate in the eyes of many users.”

Researchers warn users to stay on the lookout for bad actors spoofing web conferencing and virtual collaboration apps. In general, attackers are taking advantage of the panic around the coronavirus with phishing emails around financial relief, promises of a cure and symptom information details.
