A new WhatsApp phishing campaign impersonating WhatsApp's voice message feature has been discovered, attempting to spread information-stealing malware to at least 27,655 email addresses.
This phishing campaign aims to lead the recipient through a series of steps that ultimately end with the installation of information-stealing malware, opening the way to credential theft.
Information-stealing malware is aggressively distributed today via various means, with phishing remaining a primary channel for threat actors.
The information stolen by these special-purpose malware tools is predominantly account credentials stored in browsers and applications, but the tools also target cryptocurrency wallets, SSH keys, and even files stored on the computer.
WhatsApp voice messages as a lure
The new WhatsApp voice message phishing campaign was discovered by researchers at Armorblox, who are constantly on the lookout for new phishing threats.
For years, WhatsApp has had the ability to send voice messages to users in groups and private chats, with the feature receiving new enhancements last week.
A timely phishing attack pretends to be a notification from WhatsApp stating that they received a new private message. This email features an embedded “Play” button along with the audio clip's duration and creation time.
The sender, masquerading as a "Whatsapp Notifier" service, is using an email address belonging to the Center for Road Safety of the Moscow Region.
Because the sender is a genuine, legitimate entity, the messages aren't flagged or blocked by email security solutions, which is typically the biggest obstacle for phishing actors.
Armorblox believes the attackers somehow compromised or abused the domain for their own purposes, so the organization is involved without its knowledge.
If the recipient clicks on the "Play" button in the message body, they are redirected to a website that serves an allow/block prompt for installing a JS/Kryptic trojan.
To trick the victim into clicking "Allow," the threat actors display a web page stating that you need to click "Allow" to confirm you are not a robot. However, clicking these allow buttons subscribes the user to browser notifications that deliver in-browser advertisements for scams, adult sites, and malware.
This simple trick can be very effective with people who are not paying close attention or thinking twice about their actions online.
Once the "Allow" option is pressed, the browser will prompt the user to install the payload, which in this case is information-stealing malware.
How to protect yourself
The fact that the emails in this campaign bypassed numerous secure email solutions makes it a particularly nasty case, but the clues that it was phishing were still abundant.
First, the email address has nothing to do with WhatsApp, and the same goes for the landing URL that asks the victims to click “Allow” to confirm they’re real. Both are obviously outside WhatsApp’s domain space.
Secondly, voice messages received on WhatsApp are downloaded automatically in the client app, so the IM company would never inform you about receiving one via email.
Thirdly, the phishing email features no WhatsApp logo, which is almost certainly to avoid trouble with the VMC (Verified Mark Certificate) checks introduced by Gmail last year.
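The first two clues above (a sender address and a landing URL that are both outside WhatsApp's domain space) are mechanical enough to check automatically, which matters here because the sending domain was genuine and would pass SPF/DKIM. The following is an added example, not code from the article, Armorblox or WhatsApp: it parses a constructed message, pulls the display name, sender domain and link hosts, and flags any that do not belong to the brand named in the headers. The allowlist of WhatsApp domains, the sample emails and the hostnames in them are assumptions made for the demo.

```python
"""Flag brand-impersonating emails whose sender and link domains don't match the named brand.

Added example for this article; not code from the original page, Armorblox or WhatsApp.
The domain allowlist and both sample messages are constructed for the demonstration.
"""
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# ASSUMPTION: a small allowlist mapping a brand keyword (matched against the display
# name and subject) to the domains that brand legitimately sends from or links to.
BRAND_DOMAINS = {
    "whatsapp": {"whatsapp.com", "whatsapp.net"},
}


class _LinkCollector(HTMLParser):
    """Collect href targets from an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def _registered_domain(host):
    """Last two labels of a hostname (no public-suffix list; adequate for this demo)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze_message(raw):
    """Return a list of human-readable findings; an empty list means no mismatch found."""
    msg = message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    subject = msg["Subject"] or ""
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""

    collector = _LinkCollector()
    collector.feed(body)

    claimed = f"{sender.display_name} {subject}".lower()
    findings = []
    for brand, good_domains in BRAND_DOMAINS.items():
        if brand not in claimed:
            continue  # the message does not claim to be from this brand
        if _registered_domain(sender.domain) not in good_domains:
            findings.append(f"sender domain {sender.domain!r} is not a {brand} domain")
        for href in collector.hrefs:
            host = urlparse(href).hostname or ""
            if _registered_domain(host) not in good_domains:
                findings.append(f"link host {host!r} is not a {brand} domain")
    return findings


# Constructed sample modelled on the campaign: a "Whatsapp Notifier" display name on an
# unrelated sending domain, and a "Play" link that points outside WhatsApp's domains.
SAMPLE_PHISH = """\
From: Whatsapp Notifier <notifier@road-safety.example>
To: victim@example.com
Subject: New incoming voice message
Content-Type: text/html; charset="utf-8"

<html><body>
<p>You have a new private voice message (0:15, created today 10:03).</p>
<a href="https://notify.example.net/play?id=1234">Play</a>
</body></html>
"""

# Constructed legitimate-looking counterpart: sender and link both on whatsapp.com.
SAMPLE_LEGIT = """\
From: WhatsApp <no-reply@whatsapp.com>
To: user@example.com
Subject: WhatsApp security notice
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://www.whatsapp.com/security">Read more</a></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyze_message(sample) or "no mismatch")
```

The check is deliberately narrow: it does not judge whether the sending domain is trustworthy in general, only whether the brand the message claims and the domains it actually uses agree. That is exactly the gap a compromised but otherwise legitimate sender slips through when only authentication results are consulted.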
To protect yourself from phishing attempts, always take your time to look into potential signs of fraud when receiving messages that make surprising claims, and never jump into action.
If you need to check something, do it yourself through the official website or application, and never by following URLs or instructions provided in the message.
Comments
quarksec - 2 years ago
@billtoulas there is a little bit of a concern about your writing style WRT infosec. You should aim to be as clear as possible rather than adding filler, adjectives, similes to liven up the information.
Since this information can mean huge things for people, it's best to try to present it as clearly as possible. Here are some things I noticed during my first read-through:
You do not begin to outline what the attack is until the second paragraph. You should really try to state the information within the first sentence or two. A brief intro is fine if you want to give some shine to the team who discovered it and all that, but 4-6, 8, 10 sentences in? That's a bit much.
Next, you tend to add unnecessary adjectives and stuff that make the information confusing...
Paragraph two, sentence three, where the outline starts, you begin by calling it a "timely phishing attack" as opposed to what? A late phishing attack? Setting the temporals aside (you could've just used the word new, by the way), adding adjectives to bugs like this causes further confusion as new bug variants are released all the time (consider time-based single-use password attacks, see where I'm going?). You can confuse your reader into thinking a whole new subclass of bug has been conventionalized rather than just a recent bug.
Next, nearly immediately after, you mention "phishing attack pretends to be a notification from WhatsApp stating that they received a new private message. This email features an embedded “Play” button" ... So which is it? A notification? Or an email? And if it's a notification, where or on what device does it appear? Because we're talking about WhatsApp, the reader is primed to interpret your use of 'notification' as meaning on the phone. But perhaps you mean a new email notification rather than a new WhatsApp voicemail notification? So if it is a notification followed by an email, be sure to make patently clear that the scenario has clear and separate steps: 'a notification on the phone from WhatsApp, followed by an email'... or 'an email notification...'
I appreciate yours and all other journalists' work, specifically WRT infosec, and I only aim to offer some advice on how to make your articles read more clearly to folks less inclined to analysis.
Thank you for this article.
Bill_Toulas - 2 years ago
Thank you for the constructive feedback, and I will keep your points in mind. :)