As large numbers of people turn to video-teleconferencing
(VTC) platforms to stay connected in the wake of the COVID-19 crisis, reports
of VTC hijacking (also called “Zoom-bombing”) are emerging nationwide. The FBI
has received multiple reports of conferences being disrupted by pornographic
and/or hate images and threatening language.
Within the FBI Boston Division’s area of responsibility
(AOR), which includes Maine, Massachusetts, New Hampshire, and Rhode Island,
two schools in Massachusetts reported the following incidents:
In late March
2020, a Massachusetts-based high school reported that while a teacher was
conducting an online class using the teleconferencing software Zoom, an
unidentified individual(s) dialed into the classroom. This individual yelled a
profanity and then shouted the teacher’s home address in the middle of
instruction.
A second
Massachusetts-based school reported a Zoom meeting being accessed by an
unidentified individual. In this incident, the individual was visible on the video
camera and displayed swastika tattoos.
As individuals continue the transition to online lessons and
meetings, the FBI recommends exercising due diligence and caution in your
cybersecurity efforts. The following steps can be taken to mitigate teleconference
hijacking threats:
- Do not make meetings or classrooms public. In Zoom, there are two options to make a meeting private: require a meeting password or use the waiting room feature and control the admittance of guests.
- Do not share a link to a teleconference or classroom on an unrestricted publicly available social media post. Provide the link directly to specific people.
- Manage screensharing options. In Zoom, change screensharing to “Host Only.”
- Ensure users are using the updated version of remote access/meeting applications. In January 2020, Zoom updated their software. In their security update, the teleconference software provider added passwords by default for meetings and disabled the ability to randomly scan for meetings to join.
- Lastly, ensure that your organization’s telework policy or guide addresses requirements for physical and information security.
If you were a victim of a teleconference hijacking, or any
cyber-crime for that matter, report it to the FBI’s Internet Crime Complaint
Center at ic3.gov. Additionally, if you receive a specific threat during a
teleconference, please report it to us at tips.fbi.gov or call the FBI Boston
Division at (857) 386-2000.