Yaşar Ateş

System and Security Administration Manager

Attackers Imitate WhatsApp Voice Message Warnings to Steal Information

Researchers have discovered a malicious phishing attack in which attackers imitate WhatsApp message notifications and use a legitimate domain to spread information-stealing malware.

Researchers from Armorblox, an e-mail security firm, have discovered the malicious attack, which targets Office 365 and Google Workspace accounts using e-mails sent from a domain associated with the Headquarter for Road Safety, an organization believed to be located in the Russian region. According to a blog post published on Tuesday, the site itself is legitimate because it is affiliated with the State Road Safety for Moscow and belongs to the Ministry of Interior of the Russian Federation.

As of yet, attackers have reached approximately 27,660 mailboxes with an attack that notifies victims that they have a “New Incoming Voice message” from a messaging app imitating WhatsApp and includes a link that lets them play it, researchers said. Targeted organizations are in the health, education and retail sectors, researchers said.

“The attack uses a series of techniques to pass conventional e-mail security filters and the eye tests of unsuspecting victims,” Lauryn Cash, Chief of Armorblox Product Marketing, wrote in the post.

These tactics include social engineering by creating trust and urgency in the e-mails, brand impersonation by imitating WhatsApp, exploiting a legitimate domain from which the e-mails are sent, and replicating existing workflows (receiving a voice message as an e-mail notification), Cash stated.

How It Works: 

Potential victims of the attack receive an e-mail titled “New Incoming Voice message”, with a header in the body that repeats this title. The body of the e-mail imitates a secure message from WhatsApp and tells victims they have a new voice message, with a “Play” button that will allow them to listen to it.

The domain of the e-mail sender was “mailman.cbddmo.ru”, which the researchers think is associated with the Headquarter of Road Safety. They said that this is a legitimate site, which lets the e-mails pass both the Microsoft and Google authentication checks. However, the researchers acknowledged that it is likely that the organization's parent domain is obsolete or using an older version.

According to the post, if the recipient clicks the “Play” link in the e-mail, they are directed to a page that tries to load the JS/Kryptik trojan horse. This is malicious, hidden JavaScript code that directs the browser to a malicious URL and implements a particular exploit embedded in HTML pages.

Once the target reaches the malicious page, they are asked to verify that they are not a robot. Then, if the victim clicks “allow” on the popup notification in the URL, a browser ad service lets the payload bypass User Account Control by downloading it as a malicious Windows app.

“After the malware is downloaded, it can steal sensitive information, such as identity information stored in the browser,” Cash said.
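The point made in this section, that passing sender authentication says nothing about whether the sender is the brand named in the message, shown as an added example (not code from Armorblox or from the original article). The brand-to-domain map, the sample message, the function names and the use of SPF and DKIM as the authentication checks are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains a genuine notification from each brand is sent from.
BRAND_DOMAINS = {"whatsapp": {"whatsapp.com"}}

# Constructed sample modelled on the article's description, not a captured e-mail.
SAMPLE = """\
From: Voice Message <notify@mailman.cbddmo.ru>
To: user@example.com
Subject: New Incoming Voice message
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mailman.cbddmo.ru; dkim=pass header.d=mailman.cbddmo.ru
Content-Type: text/plain

You have a new private voice message from WhatsApp. Press Play to listen.
"""


def auth_passed(msg):
    """True when the receiving server recorded both SPF and DKIM as passing."""
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return "spf=pass" in results and "dkim=pass" in results


def sender_domain(msg):
    """Domain part of the From address, lower-cased."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def belongs_to(domain, allowed):
    """Exact match or true subdomain; 'evilwhatsapp.com' does not qualify."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def brand_mismatches(raw):
    """Flag brands named in the message whose sender domain is unrelated."""
    msg = message_from_string(raw)
    domain = sender_domain(msg)
    body = " ".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                    for p in msg.walk() if p.get_content_maintype() == "text")
    text = " ".join([msg.get("Subject", ""), msg.get("From", ""), body]).lower()
    return [{"brand": b, "sender_domain": domain, "auth_passed": auth_passed(msg)}
            for b, allowed in BRAND_DOMAINS.items()
            if b in text and not belongs_to(domain, allowed)]


if __name__ == "__main__":
    print(brand_mismatches(SAMPLE))
```

A finding with `auth_passed` set to true is the case described here: the message is authentic for its sending domain, yet that domain has no relation to the brand it claims to come from.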

Targeting Unsuspecting Consumers

Although the attack appears to focus on consumers rather than businesses, the entrapment of victims and installation of malware might be a threat to corporate networks.

“The complexity and versatility of the techniques make it hard for average users to detect a malicious attempt,” said Purandar Das, co-founder and CEO of Sotero, the encryption-based data security solutions company. “When malware is deployed or activated, you can see a way that enables the attacker to collect business information.”

Another security specialist said that because people lower their guard more with electronic communication than with real-life communication, targeting consumers is a successful approach for cybercriminals. “The average person often falls for online scams if they are familiar with the social media platform claiming to be the message sender,” James McQuiggan, security awareness advocate for KnowBe4, the security firm, wrote in an e-mail to Threatpost.

“Most people recognize someone attempting to defraud them when they see them in person,” he said, citing as an example a New York City street trader trying to sell a passerby a fake branded watch or purse. “Most people will recognize those are fake and keep walking,” he said.

By contrast, most people might not recognize an e-mail claiming they have a voice message from a popular messaging app or other social media platform as a scam, and can get trapped.

“Users trust e-mails so much,” McQuiggan said. “To identify electronic social engineering or fraud, there needs to be education not just for organizations but for everyone, so that these can be seen as clearly as someone trying to sell a watch or a purse in the street.”