Attackers Imitate WhatsApp Voice Message Warnings to Steal Information

Researchers have discovered that attackers imitate message notifications that comes from WhatsApp of a malicious phishing attack that uses a legitimate domain to spread out a malware who steals information.

Researchers from Armorblox an e-mail security firm, have discovered the malicious attack that is targeting to Office 365 and Google Workspace accounts by using emails sent from the domain associated with the Headquarter for Road Safety, an organization believed to be located in the Russian region. According to a blog writing published on Tuesday, the site itself is legitimate because it’s affiliated with the State Road Safety for Moscow and belongs to the Ministry of Interior of Russian Federation.

As of yet, attackers have reached approximately 27.660 mail boxes with an attack that includes a link let victims play by notifying them that they have “New Incoming Voice massage” from their message app that imitates WhatsApp, researchers said. Targeted organizations include sales of health, education and retail, researchers said.

“The attack uses a series of technics to pass conventional e-mail security filters and the eye tests of victims who isn't suspected ” Lauryn Cash, Chief of Armorblox Product Marketing has written in the post.

These tactics include social engineering by creating trust and emergency in the e-mails, impersonate a brand by imitating WhatsApp, benefiting from a legitimate space from which the e-mails will be sent and duplicating the current work flows (getting the voice message as e-mail notification), Cash stated.

How It Works: 

Potential victims of the attack, receive an e-mail titled as “New Incoming Voice message” and a header that repeats this title in its body. Body of the e-mail, imitates a secure message from WhatsApp and it tells to the victims they have a new voice message including a play button that will allow them to listen to the message.

The domain of e-mail sender, was the “mailman.cbddmo.ru” which is thought to be associated with the Headquarter of Road Safety by the researchers. They said that this is a legitimate site that let e-mails pass the both Microsoft and Google identity verification checks . However, the researchers have accepted that it is likely that parent domain of the organization would be obsolete or using an older version.

According to the post, if receiver clicked on the “Play” link of the e-mail, it is directed to a page that will try to load trojan horse JS/Kryptik. This is a malicious and hidden JavaScript code that directs the browser to a malicious URL and implements a particular exploit embedded to HTML pages.

When the target reached to the malicious page, they’re asked for verification to verify whether they’re a robot. Subsequently, if the victim clicked on “allow” in the popup notification in URL, a browser add service let the load pass the Account Control by downloading it as a malicious Windows app.

“After the malware was downloaded it can steal vulnerable information such as identity that are stored in the browser”, Cash said.