A First Look at Zoombombing
Chen Ling, Utkucan Balcı, Jeremy Blackburn, and Gianluca Stringhini
Boston University, Binghamton University
Abstract—Online meeting tools like Zoom and Google Meet have become central to our professional, educational, and personal lives. This has opened up new opportunities for large-scale harassment. In particular, a phenomenon known as zoombombing has emerged, in which aggressors join online meetings with the goal of disrupting them and harassing their participants. In this paper, we conduct the first data-driven analysis of calls for zoombombing attacks on social media. We identify ten popular online meeting tools and extract posts containing meeting invitations to these platforms on a mainstream social network, Twitter, and on a fringe community known for organizing coordinated attacks against online users, 4chan. We then perform manual annotation to identify posts that are calling for zoombombing attacks, and apply thematic analysis to develop a codebook to better characterize the discussion surrounding calls for zoombombing. During the first seven months of 2020, we identify over 200 calls for zoombombing between Twitter and 4chan, and analyze these calls both quantitatively and qualitatively. Our findings indicate that the vast majority of calls for zoombombing are not made by attackers stumbling upon meeting invitations or bruteforcing their meeting ID, but rather by insiders who have legitimate access to these meetings, particularly students in high school and college classes. This has important security implications, because it makes common protections against zoombombing, such as password protection, ineffective. We also find instances of insiders instructing attackers to adopt the names of legitimate participants in the class to avoid detection, making countermeasures like setting up a waiting room and vetting participants less effective. Based on these observations, we argue that the only effective defense against zoombombing is creating unique join links for each participant.
I. INTRODUCTION
One of the earliest promises of the Internet was to enable quick, easy, and real-time communications, not just via text, but also audio and video. While it took some time, there are now numerous online meeting tools like Skype, Zoom, and Google Meet that are used in a variety of contexts, both personal and professional. In 2020, society has found itself increasingly reliant on these online meeting tools due to the COVID-19 pandemic, with many business meetings, online classes, and even social gatherings moving online. Unfortunately, the mass adoption of these services has also enabled a new kind of attack where perpetrators join and deliberately disrupt virtual meetings. This phenomenon has been dubbed zoombombing, after one of the most used online meeting platforms [1, 2].

To mitigate the threat of zoombombing, security practitioners have begun discussing best practices to prevent these attacks from happening or limit their effects. These include requiring a password to join online meetings, setting up a waiting room and manually vetting participants before letting them in, and not sharing meeting links publicly [3, 4]. While helpful to keep out casual and unmotivated attackers, there is an inherent tension between tightening the security of online meeting rooms and the need for them to be easily accessible to a number of people, especially in the case of large public events [1]. Most importantly, devising effective security policies requires a good understanding of the capabilities of attackers and of their modus operandi. To date, however, the research community lacks a good understanding of how zoombombing attacks are called for and how they are carried out. For example, it remains unclear how attackers obtain meeting links in the first place. This type of knowledge is crucial because, for example, protecting against attackers proactively bruteforcing the ID of meeting rooms is very different (and calls for different countermeasures) than mitigating attacks called for by insiders.

In this paper, we perform the first measurement study of calls for zoombombing attacks on social media. We first select ten popular online meeting services, spanning a wide range of target users, from businesses to individuals. We then analyze the security features that these services offer to their users, with a particular focus on the mechanisms that allow them to restrict and control who can join and participate in the meeting. We next identify posts that contain online meeting information. We decide to focus on two online services for this purpose, a mainstream social network like Twitter and a fringe Web community like 4chan, which was shown by previous work to be often involved in harassment attacks against online users [5, 6]. Between January and July 2020, we identify 12k tweets and 434 4chan threads discussing online meeting rooms. We then apply thematic qualitative analysis [7] to identify posts that are indeed calling for a zoombombing attack, and to further characterize them. We identify 123 4chan threads discussing such attacks as well as 95 tweets. We then adopt a mixed-methods approach to perform further analysis. We first analyze this dataset quantitatively, looking at temporal properties of these posts and applying natural language processing techniques to better understand the topics of discussion. We then dig deeper into our qualitative analysis results to get a more nuanced view of the characteristics of the zoombombing phenomenon.
Finally, we discuss our findings in view of existing countermeasures, reasoning about their effectiveness.

In summary, we make the following key findings:
• The majority of the calls for zoombombing in our dataset target online lectures (74% on 4chan and 59% on Twitter). We find evidence of both universities and high schools being targeted.
Utkucan Balci and Chen Ling contributed equally to this work.

Figure 1: Threat model for a zoombombing attack. Charlie calls for an attack against a Zoom meeting created by Alice by creating a thread on an online service (e.g., 4chan). Participants then join the Zoom meeting, report back on the thread about the status of the attack, and harm the legitimate participants of the meeting.

• Most calls for zoombombing come from insiders who have legitimate access to the meetings (70% on 4chan and 82% on Twitter). This has serious security implications, because it makes passwords ineffective at protecting the meeting rooms, as attackers can share them with whoever participates in the attack. In some cases we find that the insider shares additional information like the names of real students in the class, allowing participants to select those names and making it difficult for teachers and moderators to identify intruders.
• Almost all calls for zoombombing target meetings happening in real time (93% on 4chan and 98% on Twitter), suggesting that these attacks happen in an opportunistic fashion and that zoombombing posts cannot be identified far enough ahead of time to allow defenders to prepare.
Disclaimer.
Due to their nature, zoombombing messages on social media are likely to be highly offensive. In this paper we do not censor any content; therefore, we warn the reader that some of the quotes included in the following sections are likely to be upsetting and offensive.

II. BACKGROUND
In this section, we first describe the threat model that we assume for this study. We then describe how we chose the ten meeting services that we study, and describe their features.
A. Threat Model
We consider a zoombombing attack as being composed of four phases (see Figure 1), based on anecdotal evidence of how zoombombing attacks unfold, as well as on empirical evidence reported by previous research that studied coordinated online aggression, trolling, and harassment on other social media platforms (e.g., Reddit, YouTube) [5, 8, 9, 10]. Note that in this paper we focus on calls for attacks that aim at attracting multiple participants; single attackers stumbling upon meeting rooms and disrupting them are out of scope. In the following, we describe the four phases in detail through an example in which Charlie is orchestrating a coordinated attack against a Zoom meeting created by Alice.

i) Call for attack.
Charlie obtains information about Alice's Zoom meeting. As we will show later, this is often because Charlie is a legitimate participant of the meeting (e.g., a student in an online lecture). Charlie then posts information about the Zoom meeting on an online service of his choice (starting an organization thread), asking other members of the community to participate in a coordinated attack. Previous research showed that attacks like this are often organized on polarized Web communities (e.g., /pol/, 4chan's Politically Incorrect board), where the person calling for an attack posts a link to content on another service that was created by the victim (e.g., a Zoom meeting), followed by an invitation to attack (e.g., through the phrase "you know what to do") [5, 6].

ii) Coordination.
The organization thread created by Charlie now becomes an aggregation point for attackers, who will report additional information and coordinate the attack by replying to the thread. For example, attackers will post details like a password to access the meeting or personal information about the host.

iii) Delivery.
The attackers will then join the online meeting and harass the participants, for example by sending them hateful messages, shouting profanities, or displaying offensive or indecent images through their webcams [1].

iv) Harm.
The goal of the attack is to cause harm to the group of people in the meeting. Depending on its success and intensity, victims could suffer serious psychological [11, 12] or even physical harm [13].
B. Online Meeting Services
To select a representative set of online meeting tools to study in this paper, we ran Google queries for "online meeting services" and manually vetted the results for Web pages that actually advertised a service (excluding, for example, news articles talking about a certain meeting platform). After this process, we obtained the list of the ten highest-ranked meeting tools. These services are Zoom, Hangouts, Google Meet, Skype, Jitsi, GotoMeeting, Microsoft Teams, Cisco Webex, Bluejeans, and Starleaf.

In the following, we describe the general characteristics of each of these services (see Table I). We then analyze the security-relevant features offered by the various platforms (e.g., whether they allow hosts to set a password for meetings). We are particularly interested in understanding what characteristics of a service might make it a popular target platform for attackers, or might reduce the risk of a successful attack.
Length of operation.
Half of our ten services were established after 2010, with the notable exception of Webex, which started in the 90s. Major tech companies like Microsoft, Google, and Cisco have their own solutions, with Microsoft and Google having two of them each (Skype and Teams for Microsoft, and Hangouts and Meet for Google). While Google started retiring Hangouts in October 2019, we will later show that this platform is still very much used and many meeting links to it are posted on social media. There are also companies that focus on online communication services, like Zoom and Starleaf. During the coronavirus pandemic, when millions of people have been forced to work, learn, and socialize remotely, Zoom has risen to the top, with over 300 million daily participants in virtual meetings, and has also become the top target of attacks; hence the phrase "zoombombing."

Table I: Overview of the ten online meeting services studied in this paper.

Platform     Est.  HQ  Parent     Target users             User base  Plan
Zoom         2011  US  -          Individual and business  300M       Free; upgrades from $15/month
Meet         2017  US  Google     Individual and business  100M       Free; upgrades from $12/month
Webex        1993  US  Cisco      Business                 324M       Free; upgrades from $13.50/month
Jitsi        2017  AU  Atlassian  Individual and business  -          Free
Skype        2003  US  Microsoft  Individual and business  100M       Free; charges for phone calls
GotoMeeting  2004  US  LogMeIn    Business                 -          From $12/month
Teams        2017  US  Microsoft  Business                 75M        Free; upgrades from $5 per user/month
Hangouts     2013  US  Google     Individual               14M        Free; charges for phone calls
Bluejeans    2009  US  Verizon    Business                 -          From $12/month
Starleaf     2008  UK  -          Business                 3,000      Free; upgrades from $14.99/month
User base.
Most of the online meeting services are aimed at business users. While Hangouts is the only service specifically devoted to individuals, five of them are geared towards both business and individual users. Based on the most recent data [14, 15, 16, 17] (July 2020), four of our selected online meeting services have a user base of over 100M (Zoom, Meet, Skype, and Webex). We hypothesize that the user base of a service plays a role in which services get attacked the most.
User plan.
Most online meeting services provide free accounts for individuals and small companies. GotoMeeting and Bluejeans, however, exclusively target business customers (charging hosts $12/month) and do not provide free accounts. Teams' paid plans are somewhat different, as they are priced not on a per-host basis but on a per-user basis. Google Hangouts and Skype are free, but charge for phone calls to local numbers.
Features.
We next analyze the features that are specific to each online meeting platform, with a particular focus on the security measures that they put in place to prevent zoombombing. To this end, we compare the features offered to free accounts. Since GotoMeeting and Bluejeans do not provide free accounts, they are excluded from this comparison, as we could not create meetings to check their capabilities. An overview of the features offered by each platform is reported in Table II.

First, we look at the security features offered by the meeting platforms. Nine of the ten services require an account to join a meeting. This is done to prevent attackers from flooding meeting rooms and to provide some accountability, e.g., suspending misbehaving accounts. Only Jitsi does not require registration to join meetings. Authentication-wise, the security model of online meeting services is the following: anyone with an account on the platform who knows the meeting ID can join the meeting. This is not dissimilar to other security-sensitive services that have been studied by the community in the past, from online document editing [18] to file download platforms [19]. To prevent anyone who knows the meeting ID from joining a room, Zoom, Webex, GotoMeeting, and Bluejeans allow hosts to specify a password that participants need to provide upon joining. Only Zoom and Google Meet offer a waiting room that allows hosts to check the identity of participants. Google Meet automatically admits participants whose accounts were included in the invitation list into the meeting room and puts others in a waiting room, allowing the host to let them in manually. Only Zoom and Webex provide a registration system with one-time unique links per registrant, which can help restrict and trace participants. Generally, other meeting services use unique links for each meeting, with Google Hangouts and Google Meet allowing a link to be reused within a 90-day period. Skype does not have a one-time unique link function. Due to privacy concerns, Google Meet, Google Hangouts, and Jitsi do not allow the host to mute all participants [20, 21]. Google Meet only allows educational accounts to mute participants [22].

Second, we look at whether services limit the number of users that can join a meeting, as well as the maximum duration of a meeting for free users. All the services under study have a participant limit in their free version. Zoom, Google Meet, and Webex limit meetings to 100 participants, and Teams only supports four attendees in its free version. When looking at the maximum duration of a meeting, we find that three services (Zoom, Webex, and Starleaf) limit meetings to between 40 and 50 minutes for free users.

III. DATASETS
In this section, we describe the datasets that we used in this paper as well as our data collection process. We first discuss how we identify social media posts containing links to meeting rooms. We then discuss the online services that we collect data from.
Identifying posts containing meeting URLs.
To identify posts that contain meeting URLs on the online services that we monitor, we first identify the DNS domains that are used by the platforms that we are studying. To avoid simple evasion attempts, we used regular expressions that only considered alphanumeric characters and dots. In the case of Zoom meetings shared not via a URL but via a meeting ID, after lowercasing the posts and removing non-alphanumeric characters, we searched for the pattern 'id' followed by at least nine consecutive digits using regular expressions. We then further filter these by only including posts that contain the keyword 'zoom'.
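As a rough illustration of this matching step, the sketch below shows how such filters could be implemented in Python. The exact expressions used in our pipeline are not reproduced here, so the domain list and patterns are illustrative assumptions rather than the actual implementation.

```python
import re

# Illustrative meeting-domain patterns (alphanumeric characters and dots only);
# the exact expressions used in the study may differ.
MEETING_DOMAINS = re.compile(
    r"(zoom\.us|meet\.google\.com|hangouts\.google\.com|webex\.com|"
    r"meet\.jit\.si|skype\.com|gotomeeting\.com|teams\.microsoft\.com|"
    r"bluejeans\.com|starleaf\.com)", re.IGNORECASE)

# Zoom meetings shared by ID rather than URL: after lowercasing and stripping
# non-alphanumeric characters, look for 'id' followed by at least nine digits,
# and additionally require the keyword 'zoom' in the post.
ZOOM_ID = re.compile(r"id\d{9,}")

def contains_meeting(post: str) -> bool:
    """Return True if the post contains a meeting URL or a Zoom meeting ID."""
    if MEETING_DOMAINS.search(post):
        return True
    normalized = re.sub(r"[^a-z0-9]", "", post.lower())
    return "zoom" in post.lower() and ZOOM_ID.search(normalized) is not None

print(contains_meeting("join my class https://zoom.us/j/123456789"))  # True
print(contains_meeting("zoom meeting ID: 987 654 3210"))              # True
```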
Table II: Comparison of the features offered to free accounts by the online meeting services studied in this paper. Services marked with * do not provide a free version and are only available to hosts who pay a subscription.

Platform      Account required  Max particip.  Max time   Password  Waiting room  One-time unique link  Mute upon entry
Zoom          Yes               100            40 min     Yes       Yes           For each particip.    Yes
Google Meet   Yes               100            Unlimited  No        Yes           No                    No
Webex         Yes               100            50 min     Yes       No            For each particip.    Yes
Jitsi         No                75             Unlimited  No        No            Yes                   No
Skype         Yes               50             Unlimited  No        No            No                    No
GotoMeeting*  No                26             Unlimited  Yes       Yes           Yes                   Yes
Teams         Yes               4              Unlimited  No        No            Yes                   No
Hangouts      Yes               25             Unlimited  No        No            No                    No
Bluejeans*    Yes               50             Unlimited  Yes       Yes           Yes                   Yes
Starleaf      Yes               20             45 min     No        No            Yes                   Yes

4chan. 4chan is an anonymous imageboard where users create threads by posting an image along with a message, and other users can reply by posting a message or an image and commenting on it. 4chan is organized in boards that either cover different topics of discussion (e.g., Anime & Manga, Sports) or are created to host more generic discussion (e.g., Politically Incorrect, Random). Unlike traditional online services, threads on some of the 4chan boards are ephemeral, and only a fixed number of threads is alive at a time. Once a new thread is created, the active thread that has least recently been used is removed from the catalog of live threads. Previous research showed that 4chan is a popular platform used by miscreants to carry out abuse, such as organizing coordinated harassment campaigns [5, 6, 23]. We therefore hypothesize that zoombombing is widespread on the platform.

We developed a custom crawler following the same methodology as previous research on 4chan [5, 24], and collected all posts between January 1st, 2020, and July 24th, 2020. We then identify posts containing online meeting links and invitations following the methodology discussed in the previous section. Every time we identify a post containing information about a meeting, we pull the entire thread. In total, we identify 47,221 posts from 434 threads with a URL or an ID for at least one meeting platform room.
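The details of our crawler are not reproduced here; as a minimal sketch, collection of this kind can be done through 4chan's public read-only JSON API, as shown below. The boards crawled and the filtering in this snippet are assumptions for illustration, not our exact setup.

```python
import re
import requests

API = "https://a.4cdn.org"  # public read-only 4chan JSON API

def live_thread_ids(board: str) -> list[int]:
    """Return the IDs of all threads currently listed in the board catalog."""
    pages = requests.get(f"{API}/{board}/catalog.json", timeout=30).json()
    return [t["no"] for page in pages for t in page["threads"]]

def thread_posts(board: str, thread_id: int) -> list[str]:
    """Return the text ('com' field) of every post in a thread."""
    data = requests.get(f"{API}/{board}/thread/{thread_id}.json", timeout=30).json()
    return [p.get("com", "") for p in data["posts"]]

# Hypothetical filter for meeting links (see the regex sketch in Section III).
MEETING = re.compile(r"zoom\.us|meet\.google\.com|webex\.com", re.IGNORECASE)

for tid in live_thread_ids("pol"):
    posts = thread_posts("pol", tid)
    if any(MEETING.search(p) for p in posts):
        print(f"thread {tid}: contains a meeting link ({len(posts)} posts pulled)")
```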
Twitter.
Twitter [25] is a microblogging social media platform on which registered users can share posts publicly or privately. While private accounts can only reach their followers, public accounts can reach any user on Twitter. The posts are called "tweets" and can be re-shared (retweeted) by other users to share with their followers. Tweets can contain "hashtags," keywords prefixed with the "#" symbol, which make tweets on the same topic easier for other users to find.
Ethics.
We acknowledge that data from social media can contain personal information. We adopted standard best practices to ensure that our study followed ethical principles [26, 27]. In particular, we did not attempt to further de-anonymize any user. Since this work only involved publicly available data and did not require interactions with participants, it is not considered human subjects research by our institution.

IV. IDENTIFYING ZOOMBOMBING THREADS
While it is relatively straightforward to automatically find posts that include links to meetings, the challenge lies in determining the intent behind the link being posted, and in particular whether the post is calling for a zoombombing attack. We expect that most meeting links on social media are posted for benign reasons; therefore, to carry out this study we need a way to separate harmless posts from those that are calls for zoombombing. Since zoombombing is a human-driven phenomenon, developing automated techniques to identify posts calling for attacks is challenging and prone to false positives and false negatives. To avoid these issues, we perform manual annotation of all posts in our dataset, with the goal of identifying a reliable ground truth dataset.

In this section, we develop a codebook to guide the thematic annotation process for our 4chan and Twitter datasets. We break the development of this codebook into two phases. First, we perform a binary labeling to determine whether posts are indeed calls for zoombombing or not. As a second step, we further characterize the posts and threads that contain zoombombing invitations, with the goal of understanding the behavior of attackers and the targets that they choose.

To build our codebook and perform annotation we follow the same methodology described in recent security research [7], in which the authors studied posts from online infidelity forums and their relation to intimate partner surveillance tools and tactics. More precisely, we follow these four steps:
1) Four researchers independently screened our dataset and produced initial codes using thematic coding [28].
2) We then discussed these initial codes and went through multiple iterations, using a portion of the data to build a final codebook. The process continued until the codebook reached stability and additional iterations would not refine it further.
3) To investigate the common agreement on the codebook by multiple annotators, we had them rate a portion of our dataset and discuss disagreements until good agreement was reached.
4) We split the rest of our dataset and each annotator labeled one portion of it.
We next describe our process and our codebook in more detail.

Phase I: Labeling zoombombing content
As we mentioned, the first phase of our annotation process deals with identifying social media posts and threads that contain an invitation to zoombombing. We start by labeling 4chan threads. Following the methodology from [7], we first randomly choose 10 threads from the 470 threads that contain a link to a meeting room, and have each author of the paper review and discuss them together to build a shared understanding of what a zoombombing invitation looks like. From this initial dataset, the authors agreed that two threads were "bombing" threads (i.e., they were encouraging/calling for a zoombombing) while the remaining eight were not (i.e., "non-bombing").

We then aim to test each author's ability to independently identify bombing threads. To this end, we chose 20 additional threads (balanced as per the overall distribution of meeting platform links on 4chan), and had each author label them as either bombing or non-bombing. We used the following definition to make a decision: a zoombombing thread should include an invitation to bomb along with a URL to a meeting room or a meeting ID. One interesting caveat here is that while discussing the initial set of threads we noticed that the invitation to bomb did not necessarily appear in the same post as the meeting link itself, and thus we added the following additional condition where applicable: the same user posted the link or meeting ID and the textual invitation to bomb, even if they were not in the same post. Note that although users on 4chan are anonymous, users are given a unique ID that identifies them within the same thread [5]. It is important to note that invitations to bomb are not necessarily made in an overt fashion. 4chan's users are well known to use coded language and slang [6], and thus we relied on our domain expertise when coding posts that include phrases like "you know what to do" and "do ya thing." Finally, because of the overall uncertainty involved, we decided to be conservative and label any threads we were unsure about as non-bombing. A typical bombing invitation looks as follows:

"[ZOOMURL] My English class, come in and trolley for a while."

Four authors of this paper independently coded each thread to determine whether it is bombing related or not. From this testing phase of 20 threads, we calculated the Fleiss' agreement score between the annotators and found perfect agreement (κ = 1.0) [29, 30]. This indicates that all authors were able to reliably identify zoombombing threads. From here, we expanded our annotation to the full dataset of 434 threads, split evenly between the four annotators.

In the end, we find that 123 of the 434 threads in our 4chan dataset are bombing threads. As seen in Figure 2, nearly half (43.96%) of the Zoom meeting links in our dataset were determined to belong to a bombing thread, and a majority (59.72%) of Google Meet links appeared in bombing threads. On the other hand, Google Hangouts and Skype links are mostly posted with benign intentions.
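To illustrate how an agreement score of this kind can be computed, the following is a minimal sketch using statsmodels; the label matrix below is hypothetical and merely stands in for the four annotators' decisions on the 20 test threads.

```python
import numpy as np
from statsmodels.stats.inter_rater import aggregate_raters, fleiss_kappa

# Hypothetical annotations: one row per thread, one column per annotator
# (1 = bombing, 0 = non-bombing); here 4 threads are labeled bombing by all
# four annotators and 16 are labeled non-bombing by all four.
labels = np.array([[1, 1, 1, 1]] * 4 + [[0, 0, 0, 0]] * 16)

# aggregate_raters turns per-rater labels into per-category counts,
# which is the input format fleiss_kappa expects.
counts, _ = aggregate_raters(labels)
print(fleiss_kappa(counts))  # 1.0: perfect agreement
```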
Figure 2: Ratio of bombing and non-bombing posts on 4chan.

Figure 3: Ratio of bombing and non-bombing tweets on Twitter.
We follow the same labeling procedure for Twitter. From our preliminary screening of the tweets, we find that a large portion are non-English. Thus, we restrict our analysis to English tweets only, which leaves us with 3,510 candidate tweets out of the total 12,077.

A challenge that we face when labeling tweets is that Twitter is a much different platform than 4chan in its user base and general tone. 4chan is dominated by trolling and irony, and veiled calls to join meetings can often be interpreted as bombing invitations. Here is an example of a bombing invitation from 4chan:

"Ok retards, this is an id of a zoom web lessons. Do your worst [ZOOM ID] [ZOOM PASSWORD]."

On the other hand, Twitter is a general-audience social network, and therefore we expect most meeting invitations to be benign. For example, this is a bombing invitation from Twitter:

"Raid this class as fast as u can...."

To label a tweet as a bombing tweet, we therefore require:
• An invitation to bombing with a link (the invitation text usually comes with a link);
• A clear indication of bombing, such as "raid," "bomb," "troll," "discord," "disruptive," and "make fun of it."

As with 4chan, we are generally conservative in our labeling and default to non-bombing in uncertain cases.

From the 3.5K English tweets, we randomly sample 500 so that all services are equally represented (i.e., balanced with respect to services). From these 500, we manually select 20 tweets, which four coders independently labeled as bombing or not. The inter-rater reliability again shows perfect agreement (Fleiss' κ = 1.0). Because of the high agreement scores on this initial testing set, as well as the agreement on the 4chan ratings, we had a single annotator label the remaining 3,490 tweets in this dataset. Note that this is a much quicker process than on 4chan, since the coder had to look at single tweets instead of entire, and often long, threads.

In the end, we find that 95 out of the 3,510 candidate English tweets are bombing tweets. From Figure 3 we can see that zoombombing on Twitter is less pervasive than on 4chan. In particular, of the 3,039 Zoom-related candidate tweets, 75 are labeled as bombing, and 20 of the 157 Google Meet tweets are bombing. We found no bombing tweets for the other eight meeting tools.

Phase II: Characterizing zoombombing
While labeling threads and tweets as bombing or not is vital to understanding the problem, it does little to characterize the actual bombing activity itself. In this phase we aim to understand the process of a bombing event by analyzing the behavior that goes on in bombing threads.

We began by having four annotators go through the labeled bombing threads and tweets as determined by the Phase I labeling. This was a relatively loose process where the goal was to get a general sense of what is going on. Next, the annotators met and discussed their observations. In general there was agreement between the annotators on a clear trend of insider complicity in the bombing of online classes in particular. After several rounds of discussion, we derived four high-level properties relevant to zoombombing threads and tweets: 1) thread structure (only applicable to 4chan threads), 2) link information, 3) invitation information, and 4) interaction (only applicable to 4chan threads).
Thread structure:
New threads on 4chan are created when a so-called "Original Poster" creates an "Original Post," and the thread constitutes replies to this post (NB: threads are flat) [5]. Thus, the first post in a thread usually represents the topic of the thread. We code the following characteristics of a thread:
1) Whether the content of the first post is a zoombombing invitation. This indicates whether or not the thread was created primarily to act as a bombing thread as opposed to organically evolving into one.
2) The length of the thread (i.e., the number of posts), which indicates the thread's popularity.
3) The number of bombing invitation links, which is indicative of how the thread evolved with respect to bombing.
Link information:
According to our definition of a bombing thread/tweet, both 4chan and Twitter posts need to include a video conference invitation link or meeting ID to be considered a bombing thread. For certain meeting platforms (e.g., Zoom) we can derive two additional pieces of information from meeting links directly: 1) institutional information (i.e., who is hosting the meeting) and 2) password protection.

For some platforms, we can automatically identify password-protected links by looking at a password parameter in the URL (e.g., https://zoom.us/j/123456789?pwd=12345aAbBcC678). When coding messages manually, we also look at the presence of passwords in the text of posts. Institutional information provides us additional information on the victims of attacks. To gather this information, we manually look at the URL (e.g., http://UNIVERSITY.zoom.us/j/XXXXXX) and search for its associated institution. We record each institution, its type (e.g., university), and country.
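As an illustration of the two pieces of information that can be derived from a link, the sketch below parses a Zoom-style URL. The subdomain heuristic shown here is an assumption we make for illustration; the coding of institutions in the study was done manually.

```python
from urllib.parse import urlparse, parse_qs

def link_metadata(url: str) -> dict:
    """Extract a possible institution subdomain and the password parameter
    from a meeting link (Zoom-style URLs only in this sketch)."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    institution = None
    # e.g. http://UNIVERSITY.zoom.us/j/XXXXXX -> "university"
    if host.endswith(".zoom.us") and host != "zoom.us" and not host.startswith("www."):
        institution = host.split(".")[0]
    return {
        "institution": institution,
        # e.g. https://zoom.us/j/123456789?pwd=12345aAbBcC678
        "password_protected": "pwd" in parse_qs(parsed.query),
    }

print(link_metadata("https://virginia.zoom.us/j/123456789?pwd=12345aAbBcC678"))
# {'institution': 'virginia', 'password_protected': True}
```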
Invitation information:
As noted previously, there are plenty of legitimate reasons to post a link to a video conference, and thus a posted link by itself is not sufficient to say that an attack has occurred; this is why we require additional text calling for an attack. During our initial examination, we noticed that there was often additional information embedded in the bombing invitation itself, e.g., temporal details as well as hints at the existence of insiders.

"[ZOOMURL] this class is up the tuesdays at 11:00 am UTC-5 crash this class plz."

For temporal information, we manually read the bombing invitation and label the meeting time according to three codes: 1) future event, where the poster indicates the attached link will be active at some point in the future, 2) live event, where the poster indicates the meeting link is active and that bombers should join "now," and 3) not sure, where there is no clear indication of when the link will be active. This temporal information is an indicator of whether a bombing attack has been planned, or whether it is an opportunistic attack.

Our preliminary analysis indicated that many zoombombing invitations are created by insiders, for example students in the case of college classes. To better understand insider complicity, we label each bombing post or thread as either 1) insider or 2) non-insider. To be labeled as insider, the bombing invitation should include text like "my teacher" or "our class," provide a password for the video conference (either explicitly in the post text or implicitly in the link to the meeting), or give suggestions on what names bombers should select when joining the call (a tactic used to make it harder for legitimate meeting attendees/hosts to determine that joining bombers are not supposed to be there). Annotators recorded the details of what led to any insider label being applied. Again, we conservatively label threads as non-insider if there is any doubt.
Interaction:
For 4chan, we are able to collect entire threads discussing zoombombing. For these threads, we read the whole thread and record the following characteristics of the thread discussion:
• Time interval: the interval between the bombing invitation post and the first interaction post by other users (this characteristic is computed automatically);
• Problem feedback: participants reporting problems with their zoombombing attempts, for example being unable to join the meeting room, or being kicked out by the host;
• Toxic speech: participants insulting the host of the meeting with profanities or hate speech;
• Crime scene feedback: reports on successful attacks with details on what happened.

For Phase II, four raters independently rated 20 randomly chosen threads from the 123 bombing 4chan threads and 20 random tweets from the 95 bombing tweets from Twitter. Inter-rater reliability showed perfect agreement in both sets (Fleiss' κ = 1.0). We then split the rest of the dataset into four groups, with each rater separately coding one group.

V. QUANTITATIVE ANALYSIS
To better understand the zoombombing phenomenon, we start by quantitatively analyzing the 123 4chan threads and 95 tweets that we identified as part of the coding process, comparing them with posts and threads containing non-bombing meeting links. We focus our analysis on three aspects: 1) understanding which services are targeted the most by zoombombing, 2) examining how zoombombing unfolds temporally, and 3) using natural language processing techniques to quantify the content of zoombombing threads.
A. Targeted services
We observe that the platforms with a larger user base (see Table I) seem to attract more zoombombing attacks. In particular, we find 129 bombing links on Zoom, 66 on Google Meet, 10 on Webex, 7 on Jitsi, 3 on Skype, 2 on GoToMeeting, and 1 on Teams, while there are none for Hangouts, Bluejeans, and Starleaf.
B. Temporal Analysis
Figure 4 plots the weekly occurrences of bombing and non-bombing posts on Twitter and 4chan. From the figure, we see that posts with meeting links became more prevalent (especially on Twitter) as the COVID-19 shutdown began in March 2020 (shown in the figure with a blue line). On 4chan, we observe a spike in benign posts containing meeting links around New Year's Eve 2020, attributable to users organizing social gatherings, as well as increased activity of a far-right group the following week. Generally speaking, zoombombing as a phenomenon barely existed before the quarantine. We observe a decline of the phenomenon in June 2020, potentially linked to school holidays; this is in line with the fact that most calls for zoombombing target school lectures and college classes, as discussed later in Section VI-A.

Figure 4: Number of posts per week for bombing and non-bombing threads and tweets. The vertical line indicates the beginning of the COVID-19 lockdown in the United States (the week of 3/2/2020, when several West Coast US universities started going online).
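A weekly aggregation like the one in Figure 4 can be produced by bucketing posts by week; the sketch below assumes a hypothetical DataFrame with one row per labeled post, which is not the exact structure of our dataset.

```python
import pandas as pd

# Hypothetical rows: a UTC timestamp, the platform, and the Phase-I label.
posts = pd.DataFrame({
    "timestamp": pd.to_datetime(["2020-03-02 14:00", "2020-03-05 09:30", "2020-04-01 20:15"]),
    "platform":  ["4chan", "Twitter", "4chan"],
    "bombing":   [True, False, True],
})

# Count posts per week, split by platform and by bombing / non-bombing label.
weekly = (posts
          .set_index("timestamp")
          .groupby(["platform", "bombing"])
          .resample("W")          # weekly bins, as in Figure 4
          .size()
          .rename("posts"))
print(weekly)
```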
Figure 5: Hour distribution of zoombombing posts. Note that we did not discard multiple posts that contain the same zoombombing link.
Next, we plot the number of posts per hour of the day for 4chan posts and tweets with bombing links in Figure 5. On Twitter, we find that zoombombing activity does not exhibit clear diurnal patterns. On 4chan, bombing posts are mostly shared from 08:00 to 23:00 UTC. We did not encounter any zoombombing tweet that specified a location, and only 13 zoombombing posts on 4chan had country information (8 USA, 1 Indonesia, 1 Bulgaria, 1 Turkey, 1 Chile, and 1 Italy). Considering the lack of diurnal patterns in Figure 5, we conclude that zoombombing calls are not a localized problem.
Temporal analysis of 4chan threads.
To better understand zoombombing behavior, we analyze the threads on 4chan where zoombombing links were posted. This allows us to get a quantitative understanding of how discussion of zoombombing activity unfolds on the platform. Based on our manually labeled dataset, we extract 123 threads, which contain 2,693 total posts. We compare these 123 threads to the 311 threads (44,528 posts) that included a meeting link but were not bombing threads. Finally, we also compare to a baseline of 4chan posts chosen by sampling threads at random (without replacement) on a per-day basis, such that we have the same number of baseline threads per day as we have threads where a meeting link was posted.

Figure 6: Duration of threads on 4chan.

Figure 7: Feedback time between the posting of a zoombombing invitation on 4chan and the first reply to the thread.

Figure 6 plots the cumulative distribution function (CDF) of the duration of threads in our dataset (defined as the difference between the timestamp of the last post and the timestamp of the original post). Recall that threads on 4chan are ephemeral, and once a thread is inactive for a while it gets pruned and no further posts can be made [5]. From the figure, we observe that bombing threads have a shorter lifetime than other threads: 50% of bombing threads are active for less than 5 minutes, compared to 30 minutes for randomly sampled threads and two hours for non-bombing threads. That said, we do have a long tail, with about 10% of bombing threads lasting over 2 hours, compared to 7 hours for sampled threads and 12 hours for non-bombing threads.

In our threat model, threads become an aggregation point for attackers, and so understanding the feedback Charlie receives from the bombers he is trying to recruit is important. Thus, Figure 7 plots the delay between the bombing link being posted on 4chan and the first reply. From the figure, we see that 79% of zoombombing threads receive their first reply within 10 minutes. One explanation for this is that calls for zoombombings might be time sensitive; indeed, in Section VI-B we show that many of our attackers are inviting bombers to join live meetings/classes.

Figure 8: CDF of interpost arrival times for bombing and non-bombing threads.

We then look at the interpost arrival time between each post in a thread. Figure 8 plots the CDF of interpost arrival times, i.e., the time between consecutive posts, for bombing and non-bombing threads. For most threads, the elapsed time between consecutive posts in bombing threads is similar to that of sampled threads while being higher compared to non-bombing threads. One explanation for this is that non-bombing meeting links tend to be posted to organize social gatherings, and thus tend to show up in more popular, faster-moving threads. An alternative explanation is that while the zoombombing attack is happening, 4chan users are slower in replying to the thread because they are busy performing malicious activities in the meeting room.
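Empirical CDFs like those in Figures 6 and 8 can be computed directly from per-thread statistics; the following is a minimal sketch with hypothetical duration values, not our measured data.

```python
import numpy as np
import matplotlib.pyplot as plt

def plot_cdf(durations_minutes, label):
    """Plot the empirical CDF of thread durations
    (timestamp of the last post minus timestamp of the original post)."""
    x = np.sort(np.asarray(durations_minutes, dtype=float))
    y = np.arange(1, len(x) + 1) / len(x)
    plt.plot(x, y, label=label)

# Hypothetical duration samples (in minutes) for the three thread groups.
plot_cdf([3, 5, 12, 130], "bombing")
plot_cdf([25, 45, 120, 700], "not bombing")
plot_cdf([10, 30, 90, 400], "sampled")

plt.xscale("log")
plt.xlabel("Duration of thread (minutes)")
plt.ylabel("CDF")
plt.legend()
plt.show()
```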
C. Characteristics of zoombombing links
In this section we focus on what we can learn by analyzing the zoombombing links themselves, in particular whether they contain information about the victim organizations and whether they include a password as a URL parameter.
Targeted organizations.
We want to understand what organizations are victims of zoombombing. Two of the services that we study (Zoom and Webex) allow organizations to set up a subdomain that identifies them (for example, https://virginia.zoom.us/j/123456789 identifies the University of Virginia on Zoom, and https://pacificbuddhistacademy.my.webex.com the Pacific Buddhist Academy on Webex). We find that most of the zoombombing links posted on 4chan and Twitter are generic and do not contain subdomains that are specific to any organization: only 12 links on 4chan contain subdomains specific to 10 institutions, and 2 links on Twitter contain subdomains specific to 1 institution. In particular, we find that 8 zoombombing links on 4chan belong to educational institutions, while there are none on Twitter. One of these is a high school located in the US (Evergreen PS in Washington), four are universities in the US (e.g., Arizona State University), and three are universities outside the US (e.g., Concordia in Canada). In Section VI-A we will show that the text of zoombombing posts often further identifies the institution or organization that the zoombombing link belongs to.

Figure 9: Occurrences of zoombombing links with and without passwords.
Table III: Top 10 most similar words (by cosine similarity) related to online meeting links in bombing and non-bombing threads and tweets.

              Bombing                              Non-bombing
      4chan              Twitter            4chan               Twitter
Word        Sim.   Word        Sim.   Word         Sim.   Word      Sim.
virtual     0.834  zoomcodes   0.860  nihilist     0.628  live      0.264
lecture     0.820  boys        0.819  cia          0.561  virtual   0.249
lesson      0.777  zoin        0.814  join         0.552  pm        0.247
class       0.774  zoomclasse  0.812  neo          0.549  zoom      0.239
crash       0.755  girls       0.802  program      0.505  link      0.239
join        0.697  pm          0.792  nazi         0.502  join      0.229
webex       0.685  raiding     0.785  goat         0.482  please    0.208
meeting     0.682  random      0.771  glownigger   0.478  detail    0.195
conference  0.681  shit        0.771  fbi          0.455  march     0.192
password    0.675  join        0.769  autistic     0.374  reminder  0.178
Password protection.
As we discussed in Section II-B, two of the ten online meeting services (Zoom and Webex) allow hosts to protect their meetings using passwords. In the case of Zoom, the password can be embedded in links as a URL parameter (for example, https://zoom.us/j/123456789?pwd=12345aAbBcC678). We find that 20 out of the 123 bombing invitations on 4chan, and 64 out of the 95 on Twitter, include a password. This is interesting, because the password option was added by Zoom after the quarantine started, precisely to curb zoombombing. In fact, we find that zoombombing posts containing passwords are concentrated toward the latter part of our timeline (see Figure 9). This is a worrying trend, since, as we will confirm in Section VI-A, it is an indication that many attacks are called for by insiders who have legitimate access to the meetings, questioning existing security measures and calling for rethinking them.
D. Content Analysis
After looking at timing information and at the characteristics of URLs, we focus on analyzing the language of social media posts containing zoombombing invitations on Twitter and 4chan, together with their threads on 4chan. To this end, we leverage word embedding models (i.e., word2vec [31]) to quantitatively learn about the context in which zoombombing links are discussed. Intuitively, this allows us to identify common themes used in discussions where the links appear. To build our models, we first replace any meeting link with the keyword "meetinglink."

For both 4chan and Twitter, we trained two word2vec models, one for posts (and threads in the case of 4chan) containing zoombombing links, and one for posts and threads containing benign meeting links. On 4chan, we used a window size of 7 and took into consideration words that appear at least 5 and 84 times, respectively, for bombing and non-bombing threads, maintaining the ratio of the total amount of posts left after preprocessing. To avoid the effect of common/unnecessary words in our model, we removed stop words, punctuation, other URLs, mentions, posts with only one word, and exact quotes of previous posts in the case of threads. We also lemmatized the posts and converted all text to lowercase, to avoid weakening the influence of words that are actually the same word or inflected forms of the same word. On Twitter, we applied the same pre-processing techniques as for 4chan; in addition, we removed emojis, numbers, and some Twitter-related keywords like RT and FAV, while also removing non-alphanumeric characters from words. Since tweets are usually shorter than 4chan posts, to build our word2vec models for Twitter we used a window size of 5. We keep words that appear at least 7 times for non-bombing tweets and words that appear at least once for bombing tweets, following the same ratio we applied for 4chan.

Since online meeting links do not have a fixed position in posts, but attackers place them arbitrarily as a word inside a sentence, we decided to use the Continuous Bag-Of-Words model (CBOW) [31] to train our word2vec models.
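The gist of this pipeline is sketched below with gensim; the toy corpus and the simplified preprocessing (no lemmatization or stop-word removal) are ours for illustration only, and the parameters shown mirror the 4chan setting described above rather than the full experiment.

```python
import re
from gensim.models import Word2Vec  # gensim >= 4.x

LINK = re.compile(r"https?://\S+")

def preprocess(post: str) -> list[str]:
    """Lowercase, replace URLs with the 'meetinglink' placeholder, and tokenize.
    (The study also lemmatizes and removes stop words; omitted here for brevity.)"""
    text = LINK.sub("meetinglink", post.lower())
    return re.findall(r"[a-z]+", text)

# Hypothetical corpus: one entry per post in bombing threads.
sentences = [preprocess(p) for p in [
    "crash this lecture https://zoom.us/j/123456789",
    "join my class meeting https://meet.google.com/abc-defg-hij and troll",
]]

# CBOW (sg=0) with a window of 7, as described above; min_count is lowered
# here only because the toy corpus is tiny.
model = Word2Vec(sentences, vector_size=100, window=7, min_count=1, sg=0)
print(model.wv.most_similar("meetinglink", topn=10))
```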
Most representative words.
After building our models, we want to identify the words that are closest to zoombombing and non-bombing links on both Twitter and 4chan. To do this, we looked for the words most similar to "meetinglink" with respect to the cosine similarities of the vector embeddings of the words in our trained models.

As seen in Table III, the most representative words for zoombombing and non-bombing content are very different. On 4chan, we notice that most zoombombing words are related to education (e.g., "lecture," "class") or business meetings (e.g., "meeting," "conference"). On Twitter, we observe references to education as well ("zoomclass") along with keywords related to attacks (e.g., "raiding"). For non-bombing content, on Twitter we observe that most keywords are related to conference meetings, reflecting the fact that public meeting URLs are often posted on the platform. On 4chan, we observe that non-bombing meeting URLs are often related to trolling and political discussion.
Visualizing discussion themes.
We next aim to identify recurring "themes" in zoombombing content. To this end, we visualize the relationship between the words related to online meeting links following the methodology of Zannettou et al. [32]. From the word2vec models we trained, we create a two-hop ego network around "meetinglink," where words are nodes and edges are weighted with the cosine similarity between the word embedding vectors of those words; we keep any edge whose weight is greater than or equal to a pre-defined threshold, and visualize the result as a graph. For each graph, we select the threshold as the value that results in a graph with 100 nodes (for ease of representation). We then detect "communities" of words using the Louvain algorithm [33], and display them using Gephi's ForceAtlas2 layout algorithm [34].

Figures 10 and 11 show the results of this analysis for zoombombing invitations in 4chan threads and Twitter posts, respectively. Intuitively, each colored community can be interpreted as a "theme" that is featured prominently in these posts. Looking at the 4chan graph (Figure 10), we can see that many of the themes feature educational topics (e.g., the red community with "spanish," "course," and "skype" and the purple community with "university," "college," and "class"). We can also see a community (orange) where users talk about security issues/conspiracies, as we can derive from words like "ccp," "tiktok," "spyware," and "ban." This indicates that conspiratorial content is not only commonplace in regular discussion on 4chan, but is also featured in zoombombing content. See the following post for example:

"If you do the research you'll see our MSM is in bed with the CCP. This is being utilized for propaganda purposes just like tiktok. I work with a bunch of regressed and they all love posting on tiktok. The users of these applications have close to zero foresight when it comes to Intel collection in any fashion from any party. Kind of we are fucked because Jews take chinese money as investments in their companies."

On Twitter (Figure 11) we can again see themes that cover online classes (e.g., the green community with "class," "history," "math"). We also see a number of keywords that are used as hashtags on the platform to ensure that the calls for zoombombing obtain more visibility (e.g., "zoomcodeclass," "zoombomb," "zoomraids").

For completeness, Figures 12 and 13 show the graphs for non-bombing threads on 4chan and non-bombing tweets on Twitter. As can be seen, the themes in these cases are more varied.
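A sketch of the two-hop ego-network construction described above is shown below, using networkx. The search for the threshold that yields exactly 100 nodes and the ForceAtlas2 layout (done in Gephi in our pipeline) are omitted, and the Louvain implementation shipped with networkx is assumed as a stand-in.

```python
from itertools import combinations
import networkx as nx
from networkx.algorithms.community import louvain_communities  # networkx >= 2.8

def ego_network(model, center="meetinglink", threshold=0.6, hops=2, topn=50):
    """Collect the words reachable from `center` within `hops` similarity hops,
    then keep every edge between collected words whose cosine similarity is at
    least `threshold`."""
    words, frontier = {center}, {center}
    for _ in range(hops):
        next_frontier = set()
        for word in frontier:
            for neighbor, similarity in model.wv.most_similar(word, topn=topn):
                if similarity >= threshold and neighbor not in words:
                    next_frontier.add(neighbor)
        words |= next_frontier
        frontier = next_frontier
    graph = nx.Graph()
    graph.add_nodes_from(words)
    for a, b in combinations(words, 2):
        similarity = float(model.wv.similarity(a, b))
        if similarity >= threshold:
            graph.add_edge(a, b, weight=similarity)
    return graph

# Usage, given a trained gensim Word2Vec model such as the one sketched above:
# graph = ego_network(model, threshold=0.6)
# themes = louvain_communities(graph, weight="weight", seed=0)
# for i, theme in enumerate(themes):
#     print(i, sorted(theme)[:10])  # each community is one "theme"
```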
VI. QUALITATIVE ANALYSIS: UNDERSTANDING FORUM CONTENT
Our quantitative analysis highlighted several interesting aspects of zoombombing invitations and their discussion. In particular, we found evidence that online classes in particular are targeted by attacks, and we found several meeting passwords included in invitations, which could be an indicator that attacks are called for by insiders who have legitimate access to the meeting rooms. When dealing with online activity carried out by humans, however, quantitative analysis can only identify general trends, and lacks the nuance required to provide a better understanding of the problem. In this section, we answer deeper questions via a more thorough qualitative analysis informed by our quantitative results. As explained in Section IV, this analysis was conducted by having four authors of the paper manually annotate the dataset. Where appropriate, our analysis covers zoombombing posts on Twitter and 4chan, while for some of the analysis (for example the one analyzing back-and-forth communication between attackers) we only rely on 4chan threads. Based on our threat model (see Section II-A), we analyze attacks across four phases: i) Call for attack, ii) Coordination, iii) Delivery, and iv) Harm.

A. Phase I: Call for attack
In this phase, an attacker posts a call for an attack on an online platform.
Targeting the classroom.
In Section V-C we showed that we could quantitatively identify 8 academic institutions targeted by zoombombing attacks on 4chan. In addition to information that can be directly extracted from the URL of the bombing link, many bombing posts include additional text indicating that online classes are the target; for example, "lecture," "teacher," "class," etc. show up regularly in these threads. We find that 91 of our 123 zoombombing threads on 4chan target online classes. Of the 32 remaining threads, three target business meetings, and the target of the remainder could not be conclusively determined. On Twitter, we find that 56 of our 95 bombing calls target schools.
Evidence of insiders’ complicity.
In Section V-C we showed that 11 zoombombing links on 4chan included passwords, indicating that whoever called for the attack was a legitimate participant in the meeting (e.g., a student in the class). When annotating the threads, we find 9 additional zoombombing threads including a password in the body of the messages. In total, this accounts for 20 of our 123 threads on 4chan. For Twitter, we showed that 64 out of the 95 tweets included a password in the zoombombing link.

There are additional indicators that can be used to qualitatively determine whether an attack is called for by an insider. In this section, we look for two indicators: 1) whether the language of the call for the attack suggests that the attack is called for by an insider, and 2) whether whoever calls for an attack shares knowledge about the meeting that only an insider would have. For the first aspect, we look for language like "my lecture," "my colleague's presentation," "my company's meeting," etc. 58 zoombombing threads on 4chan and 19 zoombombing tweets on Twitter include such language indicating that the attack is called for by an insider. In many cases, the users calling for the attack provide additional information that only an insider would know. In 8 zoombombing threads and 8 zoombombing tweets, the attacker asks others to use a certain name when joining the meeting to avoid being identified as an intruder and removed.

"[GOOGLEMEETURL] name yourself "WONG SHIU PING TONY" all caps or she wont let you in."

"Also please use real-sounding names."

In 11 threads we learn that the attacker is an insider from their interaction with other users.

"Same school as you, different major. Someone wrote "NIGGERS" in my zoom class with the annotate function and started a zoom fight."
Figure 10: Words and themes associated with zoombombing links on 4chan.
Figure 11: Words and themes associated with zoombombing links on Twitter.

Together with all the information from both meeting links and post text, we identify 86 out of 123 zoombombing threads on 4chan that appear to have been posted by insiders (38/54 for Zoom, 35/46 for Google Meet, 8/10 for Cisco Webex, 3/3 for Skype, 0/2 for GoToMeeting, 2/7 for Jitsi, and 0/1 for Teams). For Twitter, we find that 78 out of the 95 zoombombing tweets were posted by insiders.
Failed calls to attack.
While 100 (out of 123) of our threads did start with an invitation to bomb, 46 (out of these 100) received no further replies, i.e., the call for an attack seems to have been stillborn. Of the threads with replies, 54 (out of 77) were started with an invitation to bomb, and 23 (out of 77) were created around more general topics of interest (e.g., politics, COVID-19, etc.) and were later converted into bombing threads. Threads on general topics tend to attract more posts than bombing threads.
B. Phase II: Coordination
After posting an invite to a zoombombing, attackers coordinate to carry it out. To better understand this, we look for temporal information on when the attack should be carried out in both 4chan threads and tweets.
Crimes of opportunity.
Considering that most of the zoombombing links target online classes, and that these occur at regularly scheduled times, there is a question as to how much premeditation goes into a bombing attack. On the surface, it seems plausible that attacks could be planned days, and even weeks, in advance. To dig deeper, we looked at the text posted along with a link and determined whether the invite was for a live meeting or one scheduled to take place in the future, i.e., are attackers asking people to bomb right now, or planning a bombing that is going to happen later? We found that 115 of the 123 bombing links on 4chan and 93 of the 95 links on Twitter came with a clear implication that the meeting was live at the time of posting. We find 8 future links among the 123 links on 4chan and 2 out of the 95 links on Twitter. A future link example from 4chan is:

"RAID THIS BOOMER Wednesdays 10:00-10:45 [INSTITUTIONAL ZOOMURL]"
Refusing to participate.
We find 20 threads on 4chan where users openly refuse to join the attack, calling it unethical or referring to the fact that 4chan users are not the insider's personal army (NYPA, "Not Your Personal Army"). This indicates that not all users on 4chan are willing to participate in these attacks, and is particularly interesting because it is a possible explanation for at least some failed attacks: users do not reply because they reject the idea of being a troll in the service of another user.

"[ZOOMURL]please spam this online class"

"I'm not downloading shit"

"Nypa faggot"
Figure 12: Words and themes associated with online meeting links on non-bombing threads on 4chan.
Figure 13: Words and themes associated with online meeting links on non-bombing tweets on Twitter.
C. Phase III: Delivery
In this phase, the attackers join the online meeting and begin their harassing and disruptive actions. As part of our analysis, we find discussion of how the attacks went down in replies within the bombing threads on 4chan.
Quick action.
We compare the time interval between when the link is posted and the first feedback on the attack. Of the 123 bombing threads on 4chan, we find 37 with clear feedback related to the bombing. According to this analysis, a zoombombing attack typically finishes within 20 minutes. An example of attack feedback on 4chan is as follows:
19:51:59 “Join a teachers zoom [ZOOMURL]”
20:05:18 “What the fuck is this? Who are these people?”
20:07:43 “quickly screencap it. They kicked me out instantly.”
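As a minimal sketch of how the link-to-feedback interval can be measured, the snippet below computes the elapsed minutes between the post carrying the meeting link and the first reply reporting on the attack. The timestamps and variable names are illustrative only, mirroring the example thread above rather than actual records from our dataset.

```python
from datetime import datetime

# Hypothetical thread timestamps, chosen to mirror the example thread above.
link_posted_at = datetime.strptime("2020-04-20 19:51:59", "%Y-%m-%d %H:%M:%S")
first_feedback_at = datetime.strptime("2020-04-20 20:07:43", "%Y-%m-%d %H:%M:%S")

# Elapsed time between the call for the attack and the first report from
# inside the meeting; in this thread the attack was over in under 20 minutes.
elapsed = first_feedback_at - link_posted_at
print(f"First feedback after {elapsed.total_seconds() / 60:.1f} minutes")
```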
Problem feedback.
For 24 threads we find participants reporting problems with the zoombombing invitation:
“Raid our school live call class, i believe in you faggots. [GOOGLEMEETLINK]”
“It says someone has to allow me to join, some shit like that”
“this meeting has been locked by the host. Sad!”
D. Phase IV: Harm
Finally, we want to understand the toxic speech that happens during attacks, together with what actions attackers carry out.
Toxic speech.
We find 14 4chan zoombombing threads containing toxic content including racism, sexism, or hateful words.
“[SKYPEURL] Anyone wanna join our online lesson? Our teacher is black. Its gonna be in 20 mins.”
“NIGGER.”
“That is absolutely a ‘he’, no matter how the swine identifies.”
“What the fuck, I swear I spotted a beard on that chin.”
On Twitter, we did not find any toxic tweets among the 95 zoombombing tweets. However, recall that on Twitter we only retrieved the calls for attacks and do not have any feedback (e.g., the replies to those tweets).
Crime scene feedback.
On 4chan, we find 15 threads containing feedback from the zoombombing attack, providing us with a better view of what happens during these attacks. Here are some examples:
“Hard working he’s probably the kind of teacher who sits reverse on a chair and is up to date with the cool kids.”
“HAHAHAHA that was great.”
“Party’s over my dudes, IT is here shutting down the stream, we had a good laugh.”
“Did you hear me saying nigger?”
“Ayone heard me farting.”
“Yeah everyone heard and saw the chat and vc lmao.”
“I didn’t hear that, maybe not loud enough but there was a bunch of rambling about the numbers on screen and then someone started farting and the class was just dying of laughter.”
“Nice bro.”
“Totally lmfao. Best class disruption ever.”

VII. DISCUSSION
In this paper we have presented a data-driven analysis of the emerging phenomenon of zoombombing. Our findings improve the understanding of who the people calling for zoombombing attacks are and how they operate. In the following, we first discuss the implications of our findings for existing mitigations against zoombombing, and propose some best practices to protect online meeting rooms. We then discuss the limitations of our study and some future work directions.
Implications for zoombombing mitigation.
After the rise in popularity of online meeting tools, researchers have been looking at the privacy risks linked to online meetings [35]. At the same time, researchers, law enforcement, and the online meeting providers themselves have been publishing best practices to avoid zoombombing [1, 3, 4]. These include not posting meeting links publicly, protecting meeting rooms to control who can get in, and reducing the capabilities of participants, for example by muting them upon joining and disabling screen sharing and screen annotations.
The main assumption behind existing guidelines to prevent zoombombing is that attackers will find meeting links online, or that they will bruteforce their IDs. Given this threat model, protecting meetings with passwords makes sense. However, our findings show that most of the calls for attacks we observe come from insiders. This makes password protection ineffective, because the insider will share the password with the other attackers. Having participants join a waiting room and vetting them before letting them in can be a more effective mitigation, although it inevitably increases the workload of meeting hosts, requiring dedicated moderators to check the waiting room in the case of large meetings. Our analysis, however, shows that insiders often share additional information with potential attackers, for example instructing them to select names that correspond to legitimate participants in the meeting. This reduces the effectiveness of a waiting room, because it makes it more difficult for hosts and moderators to identify intruders.
Providing a unique link for each participant reduces the chances of success of zoombombing attacks. If the meeting service still allows multiple people to join with the same link, this at least provides some accountability, since the meeting host can identify who the insider was based on the unique link used by attackers to join. An even better mitigation is to allow each personalized link to admit only a single participant. This way, as long as the insider joins the meeting, unauthorized people will not be able to join using the same link. While this mitigation makes zoombombing unfeasible, not all meeting services have adopted it. At the time of writing, only Zoom and Webex offer per-participant links that allow a single user to join at a time. To do this, Zoom requires participants to log in, and checks that the unique link is the same one that was sent to that email address as a calendar invite. We encourage other meeting platforms to adopt similar access control measures to protect their meetings from insider threats.
Additionally, we find that zoombombing attacks usually happen in an opportunistic fashion, with insiders asking others to join meetings happening in real time. This reduces the effectiveness of proactive measures like monitoring social media for calls for future attacks.
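To illustrate the per-participant link mitigation in concrete terms, the sketch below issues an HMAC-signed, single-use join token for each invited participant and refuses a token once it has been redeemed. The URL scheme, function names, and token format are assumptions made for the example; this is a minimal sketch of the idea, not the mechanism actually implemented by Zoom or Webex.

```python
import hmac
import hashlib
import secrets

SIGNING_KEY = secrets.token_bytes(32)   # per-meeting secret held by the service
redeemed = set()                        # nonces already used to join the meeting

def generate_join_link(meeting_id: str, participant: str) -> str:
    """Issue a join link bound to one participant via an HMAC tag over a fresh nonce."""
    nonce = secrets.token_urlsafe(16)
    tag = hmac.new(SIGNING_KEY, f"{meeting_id}:{participant}:{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    # Hypothetical URL scheme, used only for this example.
    return f"https://meet.example.com/j/{meeting_id}?p={participant}&n={nonce}&t={tag}"

def admit(meeting_id: str, participant: str, nonce: str, tag: str) -> bool:
    """Admit the participant only if the tag verifies and the link is unused."""
    expected = hmac.new(SIGNING_KEY, f"{meeting_id}:{participant}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag) or nonce in redeemed:
        return False
    redeemed.add(nonce)
    return True
```

Under this design, even if an insider forwards their own link to would-be attackers, only one session can redeem it, and the host can attribute the leak to the participant whose link was used.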
Limitations and future work.
Like any data-driven study, ours is not exempt from limitations. We only have a 1% sample of Twitter available, therefore our zoombombing results on that platform are a lower bound of the actual extent of the problem. Additionally, API limitations prevent us from collecting replies to the zoombombing tweets, allowing us to only get a partial picture of how attacks unfold on the platform. On 4chan, users are anonymous. We therefore cannot trace per-user behavior, and this prevents us from observing serial offenders calling for multiple attacks over time. Finally, our analysis is limited to calls for attacks and responses to such calls on social media, but we are unable to observe what happens in the actual meeting rooms. Future work could develop alternative study designs that allow analyzing the attack on the online meeting platform itself, for example by collecting and analyzing recorded online meetings that were bombed, or by interviewing victims of zoombombing. This would also allow a better understanding of the mental and emotional toll that zoombombing victims go through.

VIII. RELATED WORK
Coordinated malicious activity on social media.
The security community has extensively studied automated malicious behavior on social media, mostly focusing on bots sending spam [36, 37, 38] and on malicious accounts colluding to inflate each other’s reputation [39, 40, 41]. The mitigation systems proposed to detect and block this type of activity rely on the fact that these operations are large scale, rely on automated methods, and are carried out by single entities. Therefore, synchronization features can be used to distinguish between benign and malicious activity [42, 43, 44]. Alternatively, systems have been proposed that identify common traits in massively created fake accounts, for example an anomalous ratio of followers to friends or a large set of accounts created around the same time [38, 45, 46, 47, 48].
More recently, the community’s focus expanded to coordinated malicious campaigns that are not carried out by automated means, but rather by humans controlling a small number of inauthentic accounts. This includes conspiracy theories being pushed on social media [49, 50] and influence campaigns by foreign state actors [51, 52]. While not as automated as large-scale bot activity, these campaigns still show coordination, which can be leveraged for detection [53].
Coordinated online harassment and aggression.
A line of work closer to the problem studied in this paper looks at coordinated behavior geared toward harassing victims online. Kumar et al. [9] measure the problem of brigading on Reddit, where the members of one sub-community (subreddit) organize to disrupt another community by posting offensive messages and preventing it from continuing its normal operation. Hine et al. [5] study the activity of 4chan’s Politically Incorrect board (/pol/), showing that members of that community often call for attacks against people who posted videos on YouTube, ending up harassing the posters in the comments section of the videos. Mariconti et al. [6] develop a multi-modal machine learning system able to predict which videos are likely to receive this kind of hate attack, in the hope of aiding moderation efforts.
Zannettou et al. [54] investigate a similar phenomenon, studying the effect of posting a URL to a news article on 4chan and Reddit. They show that posting URLs to certain types of news outlets results in a sudden increase in hate speech in the comments to that article.
Snyder et al. [55] study the problem of doxing, in which attackers post information about a victim, calling for people to attack that person through multiple media (e.g., on multiple social networks or through email), sometimes even transcending into the physical world.
Tseng et al. [7] analyze five forums in which miscreants share and discuss tools and techniques that can be used to spy on their partners and further harass them.
Our work builds on previous research on coordinated harassment by studying the emerging problem of zoombombing. Unlike previously studied threats, we show that zoombombing attacks are often called for by insiders; this has important implications when designing security mitigations against the problem.

IX. CONCLUSION
In this paper, we performed the first data-driven study of calls for zoombombing attacks on social media. Our findings indicate that these attacks mostly target online lectures, and that they are mostly called for by insiders who have legitimate access to the meetings. We find that insiders commonly share confidential information like meeting passwords and the identity of real participants in the meeting, making common protections against zoombombing ineffective. We also find that calls for zoombombing usually target meetings happening in real time, making the proactive identification of such attacks challenging. To protect against the threat, we encourage online meeting services to allow hosts to create unique meeting links for each participant, although we acknowledge that this has usability implications and might not always be feasible.

REFERENCES
[1] B. Brown, “Notes on running an online academic conference or how we got zoombombed and lived to tell the tale,” Interactions.
[5] G. E. Hine, J. Onaolapo, E. De Cristofaro, N. Kourtellis, I. Leontiadis, R. Samaras, G. Stringhini, and J. Blackburn, “Kek, cucks, and god emperor trump: A measurement study of 4chan’s politically incorrect forum and its effects on the web,” in Eleventh International AAAI Conference on Web and Social Media, 2017.
[6] E. Mariconti, G. Suarez-Tangil, J. Blackburn, E. De Cristofaro, N. Kourtellis, I. Leontiadis, J. L. Serrano, and G. Stringhini, ““you know what to do”: Proactive detection of youtube videos targeted by coordinated hate attacks,” Proceedings of the ACM on Human-Computer Interaction (CSCW), 2019.
[7] E. Tseng, R. Bellini, N. McDonald, M. Danos, R. Greenstadt, D. McCoy, N. Dell, and T. Ristenpart, “The tools and tactics used in intimate partner surveillance: An analysis of online infidelity forums,” in USENIX Security Symposium, 2020.
[8] C. I. Flores-Saviaga, B. C. Keegan, and S. Savage, “Mobilizing the trump train: Understanding collective action in a political trolling community,” in Twelfth International AAAI Conference on Web and Social Media, 2018.
[9] S. Kumar, W. L. Hamilton, J. Leskovec, and D. Jurafsky, “Community interaction and conflict on the web,” in Proceedings of the 2018 World Wide Web Conference, 2018, pp. 933–943.
[10] L. McLean and M. D. Griffiths, “Female gamers’ experience of online harassment and social support in online gaming: a qualitative study,” International Journal of Mental Health and Addiction, vol. 17, no. 4, pp. 970–994, 2019.
[11] J. Fox and W. Y. Tang, “Women’s experiences with general and sexual harassment in online video games: Rumination, organizational responsiveness, withdrawal, and coping strategies,” New Media & Society, vol. 19, no. 8, pp. 1290–1307, 2017.
[12] S. Hinduja and J. W. Patchin, “Bullying, cyberbullying, and suicide,” Archives of Suicide Research, vol. 14, no. 3, pp. 206–221, 2010.
[13] J. M. MacAllister, “The doxing dilemma: seeking a remedy for the malicious publication of personal information,” Fordham L. Rev.
[18] International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. Springer, 2019, pp. 67–85.
[19] T. Lauinger, K. Onarlioglu, A. Chaabane, E. Kirda, W. Robertson, and M. A. Kaafar, “Holiday pictures or blockbuster movies? insights into copyright infringement in user uploads to one-click file hosters,” in International Workshop on Recent Advances in Intrusion Detection (RAID), 2013.
[20] Google. There is no current feature for ’mute all’. [Online]. Available: https://support.google.com/meet/thread/35068017?hl=en
[21] Jitsi. There is no current feature for ’mute all’. [Online]. Available: https://community.jitsi.org/t/option-to-mute-unmute-participants-by-moderator/15062
[22] Google. Mute or remove video meeting participants. [Online]. Available: https://support.google.com/meet/answer/7501121?co=GENIE.Platform%3DDesktop&hl=en
[23] A. Nagle, Kill All Normies: Online Culture Wars from 4chan and Tumblr to Trump and the Alt-Right, 2017.
[24] A. Papasavva, S. Zannettou, E. De Cristofaro, G. Stringhini, and J. Blackburn, “Raiders of the lost kek: 3.5 years of augmented 4chan posts from the politically incorrect board,” in International AAAI Conference on Web and Social Media (ICWSM), 2020.
[25] H. Kwak, C. Lee, H. Park, and S. Moon, “What is twitter, a social network or a news media?” in International Conference on World Wide Web, 2010.
[26] M. Bailey, D. Dittrich, E. Kenneally, and D. Maughan, “The menlo report,” IEEE Security & Privacy, 2012.
[27] C. M. Rivers and B. L. Lewis, “Ethical research standards in a world of big data,” F1000Research, 2014.
[28] V. Braun and V. Clarke, “Using thematic analysis in psychology,” Qualitative Research in Psychology, vol. 3, no. 2, pp. 77–101, 2006.
[29] J. L. Fleiss, “Measuring nominal scale agreement among many raters,” Psychological Bulletin, vol. 76, no. 5, p. 378, 1971.
[30] J. L. Fleiss, B. Levin, and M. C. Paik, Statistical Methods for Rates and Proportions. John Wiley & Sons, 2013.
[31] T. Mikolov, K. Chen, G. Corrado, and J. Dean, “Efficient estimation of word representations in vector space,” 2013.
[32] J. Finkelstein, S. Zannettou, B. Bradlyn, and J. Blackburn, “A quantitative approach to understanding online antisemitism,” CoRR, vol. abs/1809.01644, 2018. [Online]. Available: http://arxiv.org/abs/1809.01644
[33] V. D. Blondel, J.-L. Guillaume, R. Lambiotte, and E. Lefebvre, “Fast unfolding of communities in large networks,” Journal of Statistical Mechanics: Theory and Experiment, vol. 2008, no. 10, p. P10008, Oct. 2008. [Online]. Available: https://doi.org/10.1088%2F1742-5468%2F2008%2F10%2Fp10008
[34] M. Jacomy, T. Venturini, S. Heymann, and M. Bastian, “ForceAtlas2, a continuous graph layout algorithm for handy network visualization designed for the gephi software,” PLOS ONE, vol. 9, no. 6, pp. 1–12, 2014. [Online]. Available: https://doi.org/10.1371/journal.pone.0098679
[35] D. Kagan, G. F. Alpert, and M. Fire, “Zooming into video conferencing privacy and security threats,” 2020.
[36] H. Gao, J. Hu, C. Wilson, Z. Li, Y. Chen, and B. Y. Zhao, “Detecting and characterizing social spam campaigns,” in Internet Measurement Conference (IMC), 2010.
[37] C. Grier, K. Thomas, V. Paxson, and M. Zhang, “@spam: the underground on 140 characters or less,” in ACM Conference on Computer and Communications Security (CCS), 2010.
[38] D. Yuan, Y. Miao, N. Z. Gong, Z. Yang, Q. Li, D. Song, Q. Wang, and X. Liang, “Detecting fake accounts in online social networks at the time of registrations,” in ACM Conference on Computer and Communications Security (CCS), 2019, pp. 1423–1438.
[39] E. De Cristofaro, A. Friedman, G. Jourjon, M. A. Kaafar, and M. Z. Shafiq, “Paying for likes? understanding facebook like fraud using honeypots,” in Internet Measurement Conference (IMC), 2014.
[40] G. Stringhini, G. Wang, M. Egele, C. Kruegel, G. Vigna, H. Zheng, and B. Y. Zhao, “Follow the green: growth and dynamics in twitter follower markets,” in Internet Measurement Conference (IMC), 2013.
[41] J. Weerasinghe, B. Flanigan, A. Stein, D. McCoy, and R. Greenstadt, “The pod people: Understanding manipulation of social media popularity via reciprocity abuse,” in The Web Conference, 2020.
[42] Q. Cao, X. Yang, J. Yu, and C. Palow, “Uncovering large groups of active malicious accounts in online social networks,” in Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, 2014, pp. 477–488.
[43] G. Stringhini, P. Mourlanne, G. Jacob, M. Egele, C. Kruegel, and G. Vigna, “Evilcohort: Detecting communities of malicious accounts on online services,” in USENIX Security Symposium, 2015.
[44] Y. Zhao, Y. Xie, F. Yu, Q. Ke, Y. Yu, Y. Chen, and E. Gillum, “Botgraph: Large scale spamming botnet detection,” in NSDI, 2009.
[45] F. Benevenuto, G. Magno, T. Rodrigues, and V. Almeida, “Detecting spammers on twitter,” in Collaboration, Electronic Messaging, Anti-Abuse and Spam Conference (CEAS), 2010.
[46] C. A. Davis, O. Varol, E. Ferrara, A. Flammini, and F. Menczer, “Botornot: A system to evaluate social bots,” in International Conference Companion on World Wide Web, 2016.
[47] G. Stringhini, C. Kruegel, and G. Vigna, “Detecting spammers on social networks,” in Annual Computer Security Applications Conference (ACSAC), 2010.
[48] C. Yang, R. C. Harkreader, and G. Gu, “Die free or live hard? empirical evaluation and new design for fighting evolving twitter spammers,” in International Symposium on Recent Advances in Intrusion Detection (RAID), 2011.
[49] K. Starbird, “Examining the alternative media ecosystem through the production of alternative narratives of mass shooting events on twitter,” in AAAI International Conference on Web and Social Media (ICWSM), 2017.
[50] K. Starbird, A. Arif, and T. Wilson, “Disinformation as collaborative work: Surfacing the participatory nature of strategic information operations,” Proceedings of the ACM on Human-Computer Interaction, no. CSCW, 2019.
[51] A. Badawy, E. Ferrara, and K. Lerman, “Analyzing the digital traces of political manipulation: The 2016 russian interference twitter campaign,” in IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM), 2018.
[52] S. Zannettou, T. Caulfield, W. Setzer, M. Sirivianos, G. Stringhini, and J. Blackburn, “Who let the trolls out? towards understanding state-sponsored trolls,” in ACM Conference on Web Science, 2019.
[53] L. Luceri, S. Giordano, and E. Ferrara, “Detecting troll behavior via inverse reinforcement learning: A case study of russian trolls in the 2016 us election,” in AAAI International Conference on Web and Social Media (ICWSM), 2020.
[54] S. Zannettou, M. ElSherief, E. Belding, S. Nilizadeh, and G. Stringhini, “Measuring and characterizing hate speech on news websites,” in ACM Conference on Web Science, 2020.
[55] P. Snyder, P. Doerfler, C. Kanich, and D. McCoy, “Fifteen minutes of unwanted fame: Detecting and characterizing doxing,” in Internet Measurement Conference (IMC), 2017.