San Jose City Councilmember Raul Peralez fell victim to hackers twice in one week in a new, online harassment trend.
The trend, known as “Zoombombing” is when videoconferences are interrupted by unwanted visitors, who often display pornography or slurs. It has become so pervasive, the FBI issued a warning about the harassment last month.
While many states across the country have ordered residents to stay at home, several schools and businesses have transitioned meetings to online videoconferences with software from San Jose-based company Zoom Video Communications.
Peralez was in a videoconference with the Roosevelt Neighborhood Association April 1. It only took five to 10 minutes before the meeting went awry.
“All I could hear was, ‘N***er, n***er, n***er,’” said Chris Patterson-Simmons, a local business owner who attended the videoconference.
After screaming the n-word repeatedly, hackers projected an illustration of male genitalia onto the screen and a video of a couple performing oral sex.
Jeff Levine, a neighborhood advocate, hosted the videoconference. He said he has used Zoom for a few years and was able to kick out the first hacker swiftly.
“It started with one account, so I was able to block that one, but then it just exploded,” Levine said.
That was when dozens of accounts logged in and Zoombombed the meeting, Levine said. He couldn’t tell if it was a team of Zoombombers or just one hacker generating several accounts.
After about five minutes of epithets and obscene images, Levine shutoff the videoconference.
“They were also saying, ‘Raul Peralez is a child molestor,’” Patterson-Simmons said.
Levine and Peralez said they did not hear a hacker say that, but they’re not sure if that means Peralez was targeted, or if a hacker simply read his name on the screen.
Peralez said he logged off after two minutes and perhaps that’s why he didn’t hear it.
“It could have been someone 2,000 miles away or it could have been someone local in San Jose,” Levine said.
The following day, Peralez participated in another videoconference — this time with the Valley Transportation Authority. After about 15 minutes, he saw multiple accounts log in as “Lan Diep,” a fellow councilmember who was already on the videoconference.
Similar to the previous online meeting, hackers shouted racial slurs and displayed pornography.
People are drawn to Zoom for its user-friendly and seamless experience, said Ahmed Banafa, a cyber security expert and engineering professor at San Jose State University. But the company can’t have both convenience and safety, he warns.
“There are some people benefiting off the sudden fame of Zoom and Zoom isn’t ready for this,” Banafa said. “They weren’t ready to become No.1 in the world when it comes to video conferencing… [But] they’re trying to catch up with this.”
Zoom CEO Eric Yuan apologized in a blog post this month for the unwanted interruptions and committed to fixing the problem with new security measures as the company’s client base balloons from 10 million users per day to more than 200 million. Last week, the company made it mandatory by default for all videoconferences to require passwords and approval from the host for other accounts to join.
The difference between the two videoconferences where Peralez witnessed his first Zoombombings is one was public and the other required authorization.
Levine takes the blame for the outcome of the neighborhood meeting. He said by making the videoconference public and sharing the link to social media, it was bound to get Zoombombed.
Although the VTA videoconference was viewable to the public, it required account verification for people to access their cameras and microphones to engage in the meeting. Somehow, hackers were able to bypass this step.
“The online disruption during VTA’s Board of Directors virtual meeting is of great concern and we regret that it happened,” said Brandi Childress, media and public affairs manager for VTA. “While VTA is not unique in having to use technology for solutions, which also increases vulnerabilities, we are tightening our procedures to improve security and other general operational protocols going forward to prevent this from happening in the future.”
Meanwhile, New York City schools have banned Zoom. Chancellor Richard Carranza announced on Twitter April 5 that the New York City Department of Education will use Microsoft Teams for online classes instead.
In Michigan, lawmakers turned Zoombombing into a federal offense.
The U.S. Department of Justice this month published a notice with Michigan’s attorney general and the FBI, warning hackers and pranksters of potential legal penalties for Zoombombing, including fines and imprisonment.
Those who are Zoombombed may also be at risk for having important documents or confidential information stolen, the agencies warned.
Contact Luke Johnson at firstname.lastname@example.org and follow @Scoop_Johnson on Twitter.