Zoom mishaps have provided us with much comic relief while we’re trying to adjust to safe meetings online. We’ll never forget the lawyer who wasn’t really a cat and the boss who was a potato. Zoom backgrounds weren’t left out of the fun either. They gave us laughs, like the student who used Danny DeVito’s head as his background.

But your employees’ Zoom backgrounds can pose a higher risk than just your company becoming the latest internet fodder. Personal information shown during a Zoom call can actually be the cause of a costly and damaging cybersecurity attack. Look at how keeping an eye on your background contributes to safe meetings online.

Is Zoom Video Conferencing Secure?

Over the past year, you’ve likely coached employees on creating a professional-looking Zoom backdrop — no views of bedrooms, toilets or laundry piles. But the setting that many choose for a professional backdrop, with a view of the living room or a bookcase, often includes photos and memorabilia. Or perhaps the camera shows a package or envelope on the desk or on a table behind the employee. Attackers who sneak into the meeting can use the personal details shown in a Zoom background to attempt to gain access to your organization’s network. Along with Skype security issues and other common video conferencing problems, the background can provide attackers with information.

What seem like safe meetings online can actually tell a lot about you. For example, an attacker might see the college pennant on the wall behind you declaring you’re a Florida Gators fan. From your photos, they may learn that you have a beloved dog named Charlie and that you were married on June 15, 1998 — thanks to the personalized picture frames. You also have a family portrait on the bookcase, proudly showing off your three school-age children. On one call, you have a piece of mail on your desk that shows both your home address and your birthday.

Password Cracking: Classic but Still Relevant

One common way attackers can use information they see in your home office is to guess passwords. Many people use passwords based on their family, pets and interests. Other common choices are special dates such as birthdays and anniversaries. By using password cracking tools, attackers can start the sleuthing with variations of Charlie, your birthday, your anniversary date and the Gators. People often use the same passwords for multiple logins, even though they are advised not to. Therefore, criminals who crack one password can gain access to many systems and applications, including work apps and email.

Social Engineering Gets Personal

Social engineering schemes can also stem from attackers getting a peek into otherwise safe meetings online. With this type of attack, threat actors design a scenario to get a person to click on a link, download a file or launch a video. From there, malware launches onto their device. Next, the attacker can get into the networks the device is connected to. Because the goal is to create an email that looks like one you may actually receive, it’s helpful to get insight into what you might be fooled into clicking on.

As companies have increased cybersecurity training, threat actors must make their emails or messages seem as real as possible. Because the attacker knows that you have school-age children, they may send a somewhat generic email about signing up for snacks. Or you might get an email claiming to be from a Florida Gators fan club with a link to a video from last week’s game.

Because both of these emails are likely similar to emails that you actually get in your inbox, or at least related to subjects that you care about, you are more likely to think they are real and click on them than you would be with a very generic email or one on a subject that doesn’t interest you.

While each of these types of attacks starts with a single employee, the malware can quickly spread throughout the network. Once the malware enters the network, it can damage or steal sensitive data as well as infect other devices. Unfortunately, a single unsuspecting employee who clicks on an email can cause a major incident that can cost a lot of time and damage your reputation.

How Threat Actors Gain Access to Zoom Calls

You may think that this type of attack can’t happen at your company, or there are very low odds of it happening, because it would require an internal leak or be an inside job. That would be incorrect. Attackers can use this technique through public video calls, such as media interviews, webinars and even conference sessions. Any calls with vendors and customers also open up your employees’ home offices to a wider threat pool.

Additionally, an employee could share a screenshot of a Zoom call on their own social media accounts that inadvertently shows personal details in a co-worker’s background. Not to mention, many employees like to show off their home offices on their personal social media accounts, which are typically very similar to their Zoom backgrounds. Even if you’re holding safe meetings online, posting photos from work can give attackers information.

If your company or any employees record Zoom calls and store the videos on the cloud, you are also creating a potential vulnerability. Even more concerning are calls that other parties (such as vendors, media and customers) may record and then store on their own cloud. Also, many companies forget to delete Zoom recordings that are no longer needed. Criminals can break into the video storage through your company network and mine those calls for details in the Zoom background.

Video Conference Security Issues

Like many aspects of cybersecurity, keeping your company safe from the vulnerabilities of Zoom calls starts with employee training. Be sure to include the following in your cybersecurity employee training so you can hold safe meetings online:

  • Have all employees remove personal items from their Zoom backgrounds, such as photos and memorabilia, even for internal calls.
  • Discuss the importance of making sure home addresses or birth dates are not visible in calls.
  • Create a company-approved Zoom background, such as a photo of your conference rooms or office areas, for all employees. You may want to create a couple of different ones to give employees some options to choose from.
  • Require employees to use a company-approved Zoom background for calls with people outside the company or in another location.

Remote work has created new cybersecurity issues. Companies must continue to train employees on the ways they could unintentionally help an attacker while trying to hold safe meetings online. By including video conferencing security best practices in new employee orientation, as well as in ongoing awareness training, you can reduce the risk of a threat actor seeing something they shouldn’t — not to mention your coworkers seeing your laundry.
