Sending voice messages to members in groups and private conversations has long been a feature of WhatsApp, and it has recently been improved. In a new effort cybercriminals are using this functionality to install infostealers on the devices they are targeting.
The phishing campaign takes the victim through a series of steps, the final of which is the installation of the infostealer which allows credential theft to take place. At least 27,655 Google Workspace and Microsoft 365 mailboxes have been infected with the virus by the threat actors. The stolen data includes account passwords stored in apps and browsers as well as cryptocurrency wallets, computer files, and SSH keys. The healthcare, retail, and education sectors are the victim organisations.
The attack imitates a WhatsApp notification informing the user that a new private message has been received. The email includes a “Play” button as well as information on the duration and creation time of the audio clip. The sender pretends to be a WhatsApp Notifier service, and the email is from the Moscow Region’s Center for Road Safety. Because the entries are legitimate Armorblox believes the hackers abused the domain in some manner. As a result email security software does not prevent or flag these messages. The user is routed to a website that presents a block/allow prompt to install a JS/Kryptic trojan after clicking Play.
For for over three years URL rendering vulnerabilities in WhatsApp, Instagram, iMessage, Facebook Messenger and Signal allowed threat actors to create legitimate looking pages. The SharkBot banking malware has reappeared, this time with the ability to auto-reply to WhatsApp and Facebook Messenger notifications in order to spread phishing links.
Phishing attempts are on the rise all around the world. Despite advances in cyber defensive systems, organisations and individuals alike continue to be victims of these attacks.
Social engineering, brand impersonation, misusing valid domains and mimicking current workflows are all strategies used in phishing attacks. As a result corporate security teams are recommended to use third-party technologies to increase cloud-native email security, give employee training and awareness sessions, and deploy MFA and best practices for password management.