Bad actors are impersonating WhatsApp’s popular feature to scam users.
Packaged in an Email
Researchers said that the bad actors are impersonating WhatsApp voice messages for their phishing campaign. The campaign is now so widespread that tens of thousands of users have been tricked.
Armorblox has already detected 27,660 mailboxes that have been affected by the campaign across Microsoft 365 and Google Workspace.
Don’t Click New Incoming Voice Message
The email, sent with the subject “New Incoming Voicemessage,” carries a header that repeats the subject. The body mimics a secure message from the app to make users believe they have received a new private voicemail.
When you open the message, you are encouraged to view the secure message by clicking on the Play button.
If you look at the email sender, however, you will find that it was sent from “mailman.cbddmo.ru,” a domain associated with the center for road safety in the Moscow region.
Armorblox stated that the email passed all authentication checks, which suggests the attackers may have taken over an old version of that organization’s parent domain.
Clicking the Play button redirects you to a page that attempts to install a trojan horse through malicious code embedded in its HTML.
The browser is sent on to a malicious page where users are asked to confirm that they are not a robot.
If the user clicks “Allow” on the pop-up notification prompt at that URL, a malicious payload can be installed as an application.
Once installed, the program could steal sensitive data stored in the browser.
So far, the campaign has targeted healthcare, education, and retail organizations. It is considered sophisticated because it circumvented the email security filters implemented by Microsoft and Google.
Who is behind the attacks? That is not yet clear. Although the sender domain appears to be Russian, this does not confirm that the bad actors are from Russia; actors from another country may have taken control of the domain.
This campaign is just one of many phishing attacks targeting individuals in the West since the start of the pandemic.
The attack spreads over email, but the same lure can also arrive in chat messages over WhatsApp.
To avoid becoming a victim of this phishing campaign, experts strongly recommend installing security software on your devices and setting up two-factor authentication on your online accounts.
Most of all, you should not open attachments or download files sent in emails or DMs, unless you trust the sender.
Armorblox also recommends inspecting the sender name, email address, and language used in the email.
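As an added example (not code from the article or from Armorblox), the following Python triage script applies the indicators the article gives: the subject line, the sender domain, off-brand links in the body, and the point that a passing SPF/DKIM result does not clear a message. The two sample emails are constructed, and the WhatsApp brand-domain list and the link host are assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Indicators taken from the article: the lure subject and the sender domain it names.
LURE_SUBJECTS = {"new incoming voicemessage"}
KNOWN_BAD_DOMAINS = {"mailman.cbddmo.ru"}
# Assumption: the domain WhatsApp itself would send from (not stated in the article).
BRAND_DOMAINS = {"whatsapp.com"}

def classify(raw: bytes) -> dict:
    """Return a triage verdict for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    _, addr = parseaddr(str(msg["From"] or ""))
    sender_domain = addr.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content().lower() if body else ""
    link_hosts = {urlparse(u).hostname or "" for u in re.findall(r'href="([^"]+)"', text)}

    reasons = []
    if subject in LURE_SUBJECTS:
        reasons.append("subject matches the voicemail lure")
    if "whatsapp" in text and sender_domain not in BRAND_DOMAINS:
        reasons.append(f"WhatsApp branding but sender domain is {sender_domain}")
    if sender_domain in KNOWN_BAD_DOMAINS:
        reasons.append("sender domain seen in this campaign")
    if "whatsapp" in text and any(h and h not in BRAND_DOMAINS for h in link_hosts):
        reasons.append("Play/call-to-action link points to an off-brand host")

    # SPF/DKIM speak to the sending domain, not to intent: the article's sample passed
    # every check, so a pass is reported separately and never clears a message by itself.
    auth = str(msg["Authentication-Results"] or "").lower()
    auth_passed = "spf=pass" in auth and "dkim=pass" in auth
    return {"suspicious": bool(reasons), "reasons": reasons,
            "auth_passed": auth_passed, "sender_domain": sender_domain}

# Constructed sample messages (not real captures); the link host is a placeholder.
SAMPLE_LURE = b"""From: WhatsApp Notifier <noreply@mailman.cbddmo.ru>
Subject: New Incoming Voicemessage
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mailman.cbddmo.ru; dkim=pass
Content-Type: text/html

<html><body><p>WhatsApp: you have a new private voicemail.</p><a href="https://lure.example.invalid/play">Play</a></body></html>
"""
SAMPLE_BENIGN = b"From: Alice <alice@example.org>\nSubject: Lunch tomorrow?\n\nStill on for lunch?\n"
```

Run `classify()` over each message; the lure is flagged on four indicators even though its authentication results pass, while the benign note produces no reasons.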
“The email highlighted in this blog got past the security controls of Office 365, Google Workspace, Exchange, Cisco ESA, and others. For better protection coverage against email attacks (whether they’re spear phishing, business email compromise, or credential phishing attacks like this one), organizations should augment built-in email security with layers that take a materially different approach to threat detection.”
(Armorblox)