A new WhatsApp phishing campaign has been detected, posing as WhatsApp’s voice message function and attempting to deliver malware to at least 27,655 email addresses.
The goal of this phishing effort is to lead the recipient through a sequence of actions that will eventually lead to the installation of an information-stealing malware infection, allowing credential theft to take place. Today, information-stealing malware is widely transmitted through a variety of channels, with phishing remaining a popular method for threat actors.
Account credentials stored in browsers and applications are the most common data stolen by these special-purpose malware tools, but they also target cryptocurrency wallets, SSH keys, and even files kept on the machine.
As an enticement, WhatsApp voice messages
Researchers from Armorblox, who are always on the lookout for new phishing threats, found the latest WhatsApp voice message phishing threat. WhatsApp has had the ability to send voice messages to members in groups and private chats for years, and the capability was recently updated.
A timed phishing attempt imitates a WhatsApp notification saying that a new private message has been received. This email includes a “Play” button as well as information on the duration and creation time of the audio clip. The spammer, posing as a “Whatsapp Notifier” service, is using an email account associated with the Moscow Region’s Center for Road Safety.
Reproduced from bleepingcomputer.com
Communications are not identified or stopped by email security solutions because this is a genuine and reputable company, which is normally the biggest problem for phishing actors.
Armorblox feels this is an instance of hackers exploiting the domain for their own gain, with the corporation unknowingly playing a part. The recipient is routed to a website that displays an allow/block prompt for installing a JS/Kryptic trojan if they click the “Play” button in the message body. The threat actors offer a web page suggesting that you must click “Allow” to demonstrate you are not a robot to fool the victim into clicking “Allow.”
Clicking these allow buttons, on the other hand, will sign the user up for browser notifications that will send them in-browser adverts for frauds, adult sites, and malware. This basic trick can be quite effective with those who aren’t consciously aware of their online actions or who aren’t thinking twice about them. When the user selects the “allow” option, the browser will prompt them to install the payload, which in this case is data-stealing malware.
The fact that the emails in this campaign bypassed several secure email providers makes it a particularly nasty case, although there were plenty of signs that it was phishing.
First, the email address has nothing to do with WhatsApp, and the landing URL that asks victims to click “Allow” to confirm they are real having the same problem. Both are clearly outside of WhatsApp’s domain space. Second, while voice messages received on WhatsApp are automatically downloaded in the client app, the IM firm will never notify you via email that you have received one. Finally, phishing email lacks the WhatsApp logo, which is probably certainly to avoid problems with Gmail’s VMC checks, which were implemented last year.
To avoid being a victim of phishing, always take your time to investigate potential symptoms of fraud when getting communications that make unusual claims, and never act quickly.
If you need to double-check something, go to the official website or application and do it yourself, rather than relying on URLs or directions in the message.