WhatsApp has had the function of sending voice messages to users in groups and private chats, and lately, the feature has been enhanced. Cybercriminals are leveraging this feature, in a new campaign, to ultimately deploy infostealers on the targeted systems.
Diving into details
The phishing campaign directs the target through a few steps whose last step is the installation of the infostealer, paving the way for credential theft. The threat actors have attempted to propagate the malware across at least 27,655 Google Workspace and Microsoft 365 mailboxes. The stolen information lies in the category of account credentials stored in apps and browsers, along with crypto wallets, files in the computer, and SSH keys. Victim organizations belong to the healthcare, retail, and education sectors.
Modus operandi
- The attack pretends to be a WhatsApp notification stating that the user received a new private message. The email contains a “Play” button and details of audio clip duration and creation time.
- The sender impersonates a WhatsApp Notifier service and the email belongs to the Center for Road Safety Moscow Region.
- Armorblox suspects that the hackers somehow abused the domain since the entries are legitimate. Hence, email security solutions don’t block or flag these emails.
- Once clicked Play, the user is redirected to a website that serves a block/allow prompt to install a JS/Kryptic trojan.
WhatsApp remains a favorite target
- URL rendering bugs in WhatsApp, Instagram, iMessage, Facebook Messenger, and Signal allowed threat actors to design legitimate-looking pages for over three years.
- The SharkBot banking trojan resurfaced with capabilities to auto-reply to notifications from WhatsApp and Facebook Messenger to propagate phishing links.
Some phishing stats for you
Phishing attacks are rising across the world. Even with advancements in cyber defense solutions, organizations and individuals alike keep falling prey to these attacks. Here are some harrowing statistics:
- Phishing attacks originating from Russia have surged by eight times.
- Since February, there has been an increase of 231% in phishing attacks targeted at LinkedIn.
- Money recovery scams in Australia have increased by 725%. The first half of the year resulted in a loss of $270,000, which is 301% higher as compared to last year.
The bottom line
Phishing attacks employ a plethora of techniques, including social engineering, brand impersonation, abusing legitimate domains, and replicating existing workflows. Corporate security teams are, ergo, urged to strengthen cloud-native email security with third-party tools, provide training and awareness sessions to employees, and implement MFA and best practices for password management.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/shutterstock_520828501.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/a354_shutterstock_193013642.jpg)
