Online church services attacked by hackers using child pornography
On Sunday, April 26, Pastor Kris Cervantes of the Unitarian Universalist Fellowship in Waco, Texas, was partway through her Zoom church service when the unthinkable happened.
The screen featuring the main speaker was suddenly overtaken with a GIF of child pornography, an act that has been dubbed “zoombombing.”
“It was so confusing for a split second, it just didn’t make sense to the brain – it was so out of the realm of normalcy,” Cervantes told Fox News. “My first reaction was just to cover the screen and I thought if I did that, none of my fellow congregants would see it either.”
But the ensuing action was swift. The images, she said, lasted around 12 seconds onscreen before the shocked administrators were able to quickly pull them down.
“Afterwards, we all had to really take a deep breath. It was such a violation of that child and there is this feeling that we were attacked physically,” Cervantes explained of the aftermath, which continues to haunt the congregation, of which 20 families were exposed to the onslaught. “The image was so distressing and shocking; it has been hard to function.”
The pastor explained that the user who “bombed” them with the illegal pornography went by the name “Kristina” and although they were not familiar with that person as they were admitting churchgoers into the Zoom session, their policy – like the open doors of their House of Worship – is to welcome all.
“While the larger churches are used to online services, for the smaller and midsized, it has been new,” Cervantes continued. “We still want to be able to be a church with a door open to all.”
However, the assault has brought about some changes. In the ensuing days, church officials have sought extra cybersecurity assistance and learned how to improve their own privacy settings. Furthermore, the matter was immediately turned over to the authorities and remains under investigation by the Waco Police Department.
“This incident is truly devastating and appalling and our user policies explicitly prohibit any obscene, indecent, illegal or violent activity or content on the platform. We are looking into this specific incident to ensure the appropriate action is taken,” a Zoom spokesperson told Fox News. “Zoom strongly condemns such behavior and recently updated several features to help our users more easily protect their meetings.”
As the protracted pandemic has prompted churches across the country to conduct their services online for the last two months, this fellowship is not the first congregation to have been infiltrated by such an online assailment.
“We aren’t even the first Church in Waco I have heard of this happening to,” Cervantes said.
Similarly, Billings First Congregational Church in Montana contacted the FBI in March after its video worship was overtaken by “someone who then broadcast a criminal act against a child,” the Billings Gazette reported. Churchgoers in Oakland, Calif., have also alleged to have been victim to such incomprehensible hijackings, as have those in the United Kingdom.
Moreover, one of the oldest churches in San Francisco, Saint Paulus Lutheran Church, filed a lawsuit on Wednesday against Zoom, alleging that on May 6 a hacker overran a virtual Bible study class and played “sick and disturbing” videos of child abuse, disabling the computers’ control systems while the graphic footage was displayed.
The church leadership claims in its suit that it reached out to the tech giant for assistance, but they failed to act and that the violator was a “known offender” who had already been reported to law enforcement on multiple occasions.
In a statement to the BBC, a Zoom spokesperson lamented the “horrific event” and insisted that after learning of the incident, they immediately “identified the offender, took action to block their access to the platform and reported them to the relevant authorities.”
However, churchgoers – mostly pensioners – are said to be scarred by what happened and have also sought external trauma counseling.
“Zoom’s inadequate security allowed a known offender to Zoombomb Saint Paulus’s weekly bible-study class with video footage of pornography and child abuse. This violation of the church’s sanctity was a direct result of Zoom prioritizing profit over user security,” a lawyer for the church, Albert Chang, told Fox News. “Saint Paulus looks forward to proving its case in court on behalf of all victims of Zoom’s deceptive business practices and holding Zoom accountable for its misconduct.”
The deeply disturbing – and rising – number of incidences come as much of the country has been compelled into lockdown and to interact more and more on Zoom. The platform has surged in popularity as a pivotal communication tool – but has also fallen under sharper scrutiny over its security.
The company says it has subsequently undertaken several steps to patch weaknesses in its defenses and last week it announced the acquisition of Keybase, a company specializing in end-to-end encryption, to help in further securing its video chat.
The Zoom spokesperson also told Fox News that the company has enabled a host of changes, including making meeting passwords and virtual waiting rooms default for users enrolled in its K-12 program school program, as well as its Free Basic and Single Pro users and for all users have made the Zoom Meeting ID less visible to help prevent unintended sharing and it has added a new security icon to the meeting controls for hosts to quickly access in-meeting security features, including the ability to remove participants and lock meetings, among other actions.
“In the latest version of Zoom, there is a new ‘report a user’ feature in the Security icon for meeting hosts and co-hosts to flag users, who are misusing the platform, to our trust and safety team,” the spokesperson continued. “We encourage users to report any incidents of this kind either to Zoom so we can take appropriate action or directly to law enforcement authorities.”
Chris Hadnagy, the founder of Innocent Lives Foundation, which offers free cybersecurity training sessions for educators and nonprofits, pointed out that it is crucial to understand that Zoom and other video-conferencing technologies are reasonably secure for the average user.
“These attacks often happen not because of insecurities in the product, but rather because of ‘user error,’ like sharing the meeting link publicly,” he explained. “Churches, universities and schools are easy targets mostly because they have a large and public audience and therefore they often post the connection details and links in public formats.”
However, Hadnagy stressed that churches could also be a tempting target for ideological reasons.
“There is also a ‘shock value’ with attacking a church meeting and forcing the meeting participants to view graphic pornography or abuse imagery and that is what many of these attackers are looking for,” he noted. “Some are doing it for the thrill while others are more devious in their thinking and just want to create chaos and pain.”
Edward Peters, founder and CEO of Data Discovery Sciences, concurred that not only can meetings be password protected but controls can be set to disallow anyone to join who has not been authenticated by the meeting host.
“Zoom allows a range of options here to make sure only those who are invited are allowed to enter the session, but this requires the host to perform some duties they may not be used to doing, especially if they are casual users,” he explained.
And Topher Tebow, cyber security analyst at Acronis, cautioned that Zoom is hardly the only web platform being exploited by such alarming and illegal hacks.
“While Zoom is the platform that became known for the concept of Zoombombing, any video conferencing platform can be a target of this type of attack,” he added. “Zoom is an attractive platform to attackers, due to its large user base; however, Zoom is definitely not the only widely used video collaboration platform out there. Any similar platform must take steps to protect its users from this type of attack.”