Hackers exploit WhatsApp’s voice message feature to deploy info-stealers

April 8, 2022

The voice message feature of WhatsApp has been exploited in a new phishing campaign that aims to spread information-stealing malware to over 27,600 customer email addresses. Victims are instructed to follow a sequence of steps that leads to the installation of info-stealer malware on their devices, which the hackers then abuse to steal personal information.

Phishing campaigns remain the vector hackers use most often to propagate info-stealing malware. The sensitive data stolen using info-stealers includes user credentials stored in internet browsers, cryptocurrency assets, SSH (Secure Shell) keys, and personal files on the computer.

The WhatsApp social messaging app has long been equipped with the voice message feature since it is beneficial for long-distance communication. However, hackers have exploited this feature, intending to spread malware that can steal users’ sensitive data, which they can later use for further attacks.

 

For the phishing campaign, the threat actors send users fake WhatsApp private message notifications that contain an embedded ‘play’ button, the duration of the voice message clip, and the time it was created.

 

Based on the analysis, the actors behind the fake WhatsApp notification used an email address from the Center for Road Safety of the Moscow Region, which appears to be a legitimate entity that email security solutions fail to flag as suspicious. The security experts presume that the organisation being exploited to run the campaign is unaware of the situation.

Once the victim clicks on the embedded ‘play’ button, a website will appear with a prompt message to allow or block a trojan installation. The victims will then be tricked into clicking “Allow” by another prompt message that requires a ‘not a robot’ confirmation.

Upon clicking “Allow,” the victim is automatically subscribed to browser notifications, such as scam advertisements, and the info-stealing malware that could compromise their sensitive data is installed.

Users must know how to recognise a phishing email to protect themselves against such threats. Security experts strongly advise looking for all signs of fraud upon receiving an unexpected email and always thinking twice before clicking any attached or embedded links.
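A mail-filter check for the mismatch described above, a WhatsApp-branded notification sent from an unrelated organisation's address, as an added example that is not part of the original article. The trusted-domain list, the `is_trusted` and `analyse` helpers, and the sample message with its `.example` domains are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

BRAND = "whatsapp"
# Assumption: domains this organisation accepts as genuine for the brand.
TRUSTED_DOMAINS = {"whatsapp.com"}

# Constructed sample modelled on the lure described in the article.
SAMPLE = """\
From: "WhatsApp" <noreply@roadsafety.example>
To: user@corp.example
Subject: New private voice message
Content-Type: text/html

<p>WhatsApp voice message, 0:14, created 09:41</p>
<a href="https://media.player.example/play">Play</a>
"""

def is_trusted(domain):
    """True if domain is a trusted brand domain or a subdomain of one."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)

def analyse(raw):
    """Return findings for a message that uses the brand but is not from it."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    # Collect the decoded text of every non-multipart part.
    body = " ".join(
        (p.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for p in msg.walk() if not p.is_multipart()
    )
    text = " ".join([display, msg.get("Subject", ""), body]).lower()
    if BRAND not in text:
        return []  # message does not claim to come from the brand
    findings = []
    if not is_trusted(sender_domain):
        findings.append(f"brand-sender-mismatch:{sender_domain}")
    hosts = {h.lower() for h in re.findall(r'href="https?://([^/"\s:]+)', body)}
    for host in sorted(h for h in hosts if not is_trusted(h)):
        findings.append(f"off-brand-link:{host}")
    return findings

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

The check keys on what the message claims to be rather than on the sender's reputation, which is why it still fires when the sending address belongs to a legitimate organisation.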
