Threat actors have spoofed WhatsApp's voicemail service to target close to 28,000 mailboxes and steal user credentials.
The Armorblox research team observed a phishing attack that spoofed voice message notifications from WhatsApp on multiple customer tenants across Office 365 and Google Workspace.
Malicious emails were titled “New Incoming Voice Message,” suggesting that the victim had received a new private voicemail from WhatsApp.
The email invited the victim to click the ‘Play’ button to view the secure message. Armorblox's research suggests that the sending domain (mailman.cbddmo.ru) was associated with the Center for Road Safety of the Moscow Region, which is part of the Russian Ministry of Internal Affairs.
“It’s possible that attackers exploited a deprecated or old version of this organization’s parent domain to send the malicious emails,” Armorblox said. Because the email came from a legitimately registered domain, it bypassed the native email security controls of both Microsoft and Google.
Upon clicking “Play,” recipients were redirected to a page that attempted to install the JS/Kryptik trojan. Once the victim landed on the page, they were asked to confirm they were not a robot. If the target clicked “Allow,” the malware, designed to steal sensitive information, was installed.
Armorblox noted that this email attack employed a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting victims.
By spoofing a well-known and secure messaging app, threat actors attempted to build a sense of trust. By allegedly sending a voicemail, they made their victims curious.
“The context of this attack also leverages the curiosity effect, a cognitive bias that refers to our innate desire to resolve uncertainty and know more about something,” Armorblox said.
WhatsApp does not send notification emails, but the email attack replicated workflows that already exist in our daily work lives (getting email notifications of a voicemail).
“When we see emails we’ve already seen before, our brains tend to employ System 1 thinking and take quick action. The email content even had every victim’s first name filled in to increase the feeling of legitimacy and the chances of follow-through,” Armorblox said.
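The lure described above combines a brand name in the From display name, a sender domain the brand never uses, and a voicemail subject line. The following script is an added example, not Armorblox's detection logic or any product's code: it runs that combination of checks over two constructed messages (one modelled on the campaign, one benign). The brand-to-domain allow-list, the landing-page host example.invalid, and the recipient names are assumptions for illustration.

```python
"""Brand-impersonation check for voicemail-lure emails (added example).

Flags a message when its From display name claims a brand but the
sending domain is not one the brand uses, the subject matches the
voicemail lure, and body links point off-brand.  An SPF/DKIM pass is
recorded but deliberately does not lower the score: the campaign in
the article was sent from a validly registered domain.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allow-list of domains a brand legitimately sends from.
# WhatsApp does not send voicemail notification emails at all, so for
# this lure any sender is suspect; the list keeps the check reusable
# for brands that do send mail.
BRAND_DOMAINS = {
    "whatsapp": {"whatsapp.com", "facebookmail.com"},
}

LURE_SUBJECT = re.compile(r"\b(voice ?mail|voice message)\b", re.I)
URL_HOST = re.compile(r"https?://([^/\s\"'>:]+)", re.I)


def sender_domain(from_header):
    """Return (display name, lower-cased sender domain) from a From header."""
    display, addr = parseaddr(from_header)
    return display, addr.rpartition("@")[2].lower()


def body_text(msg):
    """Concatenate all text/* parts, decoding transfer encoding and charset."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def on_brand(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def analyze(raw_email):
    """Score one RFC 5322 message; returns reasons, auth status and a verdict."""
    msg = message_from_string(raw_email)
    display, domain = sender_domain(msg.get("From", ""))
    reasons = []

    claimed = next((b for b in BRAND_DOMAINS if b in display.lower()), None)
    if claimed and domain not in BRAND_DOMAINS[claimed]:
        reasons.append(f"display name claims {claimed} but sender domain is {domain}")

    if LURE_SUBJECT.search(msg.get("Subject", "")):
        reasons.append("subject matches voicemail lure")

    if claimed:
        for host in URL_HOST.findall(body_text(msg)):
            if not on_brand(host.lower(), BRAND_DOMAINS[claimed]):
                reasons.append(f"link points to off-brand host {host}")
                break

    # Recorded only: SPF/DKIM pass says the domain sent it, not that it is safe.
    auth_passed = "spf=pass" in msg.get("Authentication-Results", "").lower()

    verdict = "suspicious" if len(reasons) >= 2 else "clean"
    return {"verdict": verdict, "reasons": reasons, "auth_passed": auth_passed}


# Constructed sample messages (not real captured mail).
SPOOFED = """\
From: "WhatsApp" <noreply@mailman.cbddmo.ru>
To: victim@example.com
Subject: New Incoming Voice Message
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mailman.cbddmo.ru
Content-Type: text/html; charset="utf-8"

<p>Hi Alex, you have a new private voicemail.</p>
<a href="https://example.invalid/play?id=1">Play</a>
"""

LEGIT = """\
From: "Alice Smith" <alice@example.com>
To: bob@example.com
Subject: Lunch tomorrow?
Content-Type: text/plain; charset="utf-8"

Still on for lunch? Menu is at https://example.com/menu
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, analyze(raw))
```

The display-name check is the one that matters here: a passing SPF result on mailman.cbddmo.ru is exactly what let this mail through, so the rule treats authentication as context rather than as evidence of legitimacy.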