Info-Stealing Malware Pushed Through WhatsApp Messages
Voice Messages Are Being Used as a Lure.
Last updated on April 5, 2022
Phishing is a malicious technique used by cybercriminals to gather sensitive information (credit card data, usernames, and passwords, etc.) from users.
The attackers pretend to be trustworthy entities to bait the victims into trusting them and revealing their confidential data.
The data gathered through phishing can be used for financial theft, identity theft, gaining unauthorized access to the victim’s accounts or to accounts they have access to, blackmailing the victim, and more.
A new WhatsApp phishing campaign that impersonates the messaging app’s voice message feature has attempted to deliver information-stealing malware to at least 27,655 email addresses.
The attackers aim to walk recipients through a series of steps that end with the installation of information-stealing malware, paving the way for credential theft.
Information taken by these malware programs is mostly account credentials saved in browsers and apps, but it also includes cryptocurrency wallets and SSH keys, as well as information from files kept on the victim’s machine.
Researchers at Armorblox identified the latest WhatsApp voice message phishing campaign.
The context of this attack also leverages the curiosity effect, a cognitive bias that refers to our innate desire to resolve uncertainty and know more about something.
When we see emails we’ve already seen before, our brains tend to employ System 1 thinking and take quick action. The email content even had every victim’s first name filled in to increase the feeling of legitimacy and the chances of follow-through.
WhatsApp has supported audio messages in group and private conversations for some years, and the feature has recently been refined.
As BleepingComputer reports, the phishing email poses as a notice from WhatsApp informing the victim that they have received a new private message from a friend. The email contains an embedded “Play” button along with the length and creation time of the supposed audio clip.
The email is sent from an address belonging to the Center for Road Safety of the Moscow Region, with the display name “Whatsapp Notifier,” so that it appears to come from a WhatsApp notification service.
Because the sending domain belongs to a real, legitimate organization, the messages are not flagged or blocked by email security solutions, which is usually the hardest obstacle for phishing actors to overcome.
Clicking the “Play” button in the message body takes the recipient to a website that presents an allow/block prompt for downloading a malicious Java/Kryptic trojan.
To trick the victim into clicking “Allow,” the threat actors present a web page stating that “Allow” must be clicked to confirm that the visitor is not a robot. If the user clicks it, they are instead subscribed to browser notifications that push in-browser advertisements for scams, adult sites, and malware.
Once “Allow” is selected, the browser prompts the user to install the payload, which in this case is information-stealing malware that harvests sensitive data from the computer.
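The lure described above combines two signals a mail filter can check for: a display name that claims a brand (“Whatsapp Notifier”) while the sending address belongs to an unrelated but legitimate domain, and a “Play” link that points to a domain the claimed brand does not own. The following Python script is an added example written for this article, not code from Heimdal, Armorblox, or BleepingComputer. The two sample emails are constructed for the example (the campaign’s real sender and link addresses are not reproduced), and the brand-to-domain mapping is an assumption you would replace with your organisation’s own allow-list.

```python
"""Heuristic brand-impersonation check for notification-style phishing emails.

Flags messages whose From display name names a brand while the sender domain
or the body links fall outside that brand's domains. Sample emails below are
constructed for this example and are not the real campaign messages.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional
from urllib.parse import urlparse

# Assumption for this example: brands and the domains allowed to send for them.
BRAND_DOMAINS = {"whatsapp": {"whatsapp.com", "whatsapp.net"}}

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

# Constructed sample: brand in display name, sender on an unrelated domain,
# "Play" link on a third domain (.invalid TLD guarantees these never resolve).
SAMPLE_PHISH = """From: "Whatsapp Notifier" <noreply@example-roadsafety.invalid>
To: victim@example.com
Subject: New Incoming Voicemessage
Content-Type: text/html

<html><body>
<p>You have a new private voice message. Duration 0:21</p>
<a href="http://notify.example-lure.invalid/play">Play</a>
</body></html>
"""

# Constructed sample of a consistent message: brand name, sender and link agree.
SAMPLE_LEGIT = """From: "WhatsApp" <no-reply@whatsapp.com>
To: victim@example.com
Subject: Download WhatsApp
Content-Type: text/html

<html><body><a href="https://www.whatsapp.com/download">Get the app</a></body></html>
"""


def registered_domain(host: str) -> str:
    """Crude registrable-domain reduction: keep the last two labels."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def claimed_brand(display_name: str) -> Optional[str]:
    """Return the first known brand keyword found in the From display name."""
    name = display_name.lower()
    for brand in BRAND_DOMAINS:
        if brand in name:
            return brand
    return None


def body_text(msg) -> str:
    """Concatenate decoded text/html and text/plain parts of the message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/html", "text/plain"):
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyse(raw_message: str) -> dict:
    """Score one raw RFC 822 message; 'suspicious' is True when any finding fires."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(address.rsplit("@", 1)[-1]) if "@" in address else ""
    brand = claimed_brand(display_name)
    links = HREF_RE.findall(body_text(msg))
    link_domains = sorted({registered_domain(urlparse(u).hostname or "") for u in links})

    findings = []
    if brand:
        allowed = BRAND_DOMAINS[brand]
        if sender_domain not in allowed:
            findings.append(f"display name claims {brand} but sender domain is {sender_domain}")
        off_brand = [d for d in link_domains if d not in allowed]
        if off_brand:
            findings.append(f"body links to non-{brand} domains: {', '.join(off_brand)}")

    return {
        "brand": brand,
        "sender_domain": sender_domain,
        "link_domains": link_domains,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        result = analyse(sample)
        print(label, "suspicious" if result["suspicious"] else "clean", result["findings"])
```

The check deliberately does not rely on the sending domain having a bad reputation, because in this campaign it did not: the value of the heuristic is that a legitimate but unrelated sender combined with a brand-claiming display name is itself the anomaly. In production you would feed it the parsed message from your mail gateway or SIEM and treat a hit as a reason to quarantine or to strip the link, not as a verdict on its own.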
Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.