Sneaky WhatsApp Phishing Campaign Lures Victims With Fake Voice Messaging Feature
There are reportedly nearly two billion WhatsApp users globally as of 2021. This is a number that is far too tempting to those with bad intent. A phishing campaign recently impacted nearly 28,000 email accounts by impersonating a notification for a WhatsApp voicemail message.
The phishing campaign utilizes WhatsApp’s existing voice message feature. It notifies the WhatsApp user via email that they have received a private message. The message includes an embedded “Play” button which, if pressed, will lead the user to a website. This website will prompt users to allow or block the installation of a JS/Kryptic trojan. Users are tricked into clicking “allow” because the website requests that users select allow to prove that they are not a robot.
According to Armorblox, once the user has clicked on “allow,” “a malicious payload could potentially be installed as a Windows application through a browser Ad service, in order to bypass User Account Control.” This can then “steal sensitive information like credentials that are stored within the browser.” It is believed that 27,655 email addresses have so far been impacted across Google Workspace and Microsoft 365.
The phishing attack went undetected for so long for several reasons. First, it used an email from the Center for Road Safety of the Moscow Region. This is a legitimate institution and 2 therefore did not recognize the attack for what it truly is. It is believed that the Center for Road Safety of the Moscow Region is unaware of the phishing attack. Second, WhatsApp does not use email notifications. However, the campaign was able to convince victims to click allow because the email itself featured colors and branding similar to the ones WhatsApp uses. Third, WhatsApp recently rolled out an update that improved their voice messaging feature. Users may have therefore been unaware of what was fully included in the update.
There are several ways for one to protect themselves from the attack. One should be suspicious of the email address and website as neither are connected with WhatsApp. As mentioned previously, WhatsApp also never sends email notifications about voice messages. One should therefore be cautious should they receive such a “notification.” Although this phishing campaign uses some WhatsApp colors and branding, there was no official WhatsApp logo. This should once again be a red flag to any WhatsApp users. One should also always look for signs of fraud if they receive an odd email, no matter the topic of the email or its supposed sender.
Second image courtesy of WhatsApp/Meta.
The phishing campaign utilizes WhatsApp’s existing voice message feature. It notifies the WhatsApp user via email that they have received a private message. The message includes an embedded “Play” button which, if pressed, will lead the user to a website. This website will prompt users to allow or block the installation of a JS/Kryptic trojan. Users are tricked into clicking “allow” because the website requests that users select allow to prove that they are not a robot.
According to Armorblox, once the user has clicked on “allow,” “a malicious payload could potentially be installed as a Windows application through a browser Ad service, in order to bypass User Account Control.” This can then “steal sensitive information like credentials that are stored within the browser.” It is believed that 27,655 email addresses have so far been impacted across Google Workspace and Microsoft 365.
The phishing attack went undetected for so long for several reasons. First, it used an email from the Center for Road Safety of the Moscow Region. This is a legitimate institution and 2 therefore did not recognize the attack for what it truly is. It is believed that the Center for Road Safety of the Moscow Region is unaware of the phishing attack. Second, WhatsApp does not use email notifications. However, the campaign was able to convince victims to click allow because the email itself featured colors and branding similar to the ones WhatsApp uses. Third, WhatsApp recently rolled out an update that improved their voice messaging feature. Users may have therefore been unaware of what was fully included in the update.
There are several ways for one to protect themselves from the attack. One should be suspicious of the email address and website as neither are connected with WhatsApp. As mentioned previously, WhatsApp also never sends email notifications about voice messages. One should therefore be cautious should they receive such a “notification.” Although this phishing campaign uses some WhatsApp colors and branding, there was no official WhatsApp logo. This should once again be a red flag to any WhatsApp users. One should also always look for signs of fraud if they receive an odd email, no matter the topic of the email or its supposed sender.
Second image courtesy of WhatsApp/Meta.
