A WhatsApp phishing effort has been detected, posing as WhatsApp’s voice message function and attempting to deliver malware to at least 27,655 email addresses. This phishing effort aims to lead the receiver through a sequence of actions that will eventually lead to the installation of an information-stealing malware infection, allowing credential theft to occur.
Today, information-stealing malware is widely transmitted through various channels, with phishing being a popular method for threat actors. Account credentials saved in browsers and programs are the most common data taken by these special-purpose malware tools, but they also target cryptocurrency wallets, SSH keys, and even files kept on the device.
Researchers at Armoblox, who are always on the lookout for new phishing threats, found the latest WhatsApp voice message phishing effort. WhatsApp could send audio messages and private conversations to members in groups for years, and the capability was recently updated.
A timed phishing attempt imitates a WhatsApp notification saying that a new private message has been received. This email includes a “Play” button as well as information on the duration and creation time of the audio clip. The spammer, posing as a “Whatsapp Notifier” service, uses an email account associated with the Moscow Region’s Center for Road Safety.
The communications aren’t identified or stopped by email security solutions because this is a genuine and reputable company, which is usually the largest challenge for phishing perpetrators. Armoblox believes that the hackers have abused the domain to further their goals and that the company is playing a part without realizing it.
The receiver is routed to a website that displays an allow/block prompt for installing a JS/Kryptic trojan if they click the “Play” button in the message body. The threat actors offer a web page suggesting that you must click “Allow” to demonstrate you are not a robot to fool the victim into clicking “Allow.” On the other hand, clicking these accept buttons will sign the user up for browser notifications that’ll send them in-browser adverts for frauds, malware, and adult sites.
This primary method may be quite successful with those who aren’t consciously aware of their online behaviors or aren’t thinking twice about them. When the user selects the “allow” option, the browser will prompt them to install the payload, which in this case is data-stealing malware.