Threat actors have spoofed WhatsApp voice-message notifications to target close to 28,000 mailboxes and steal user credentials.
The Armorblox research team observed a phishing attack that spoofed voice message notifications from WhatsApp on multiple customer tenants across Office 365 and Google Workspace.
Malicious emails were titled “New Incoming Voice Message,” suggesting that the victim had received a new private voicemail from WhatsApp.
The email invited the victim to click a ‘Play’ button to listen to the supposedly secure message. Armorblox’s research suggests that the sending domain (mailman.cbddmo.ru) was associated with the Center for Road Safety of the Moscow Region, which belongs to the Russian Ministry of Internal Affairs.
“It’s possible that attackers exploited a deprecated or old version of this organization’s parent domain to send the malicious emails,” Armorblox said. Because the email came from a legitimate, reputation-bearing domain, it passed the email security checks of both Microsoft and Google.
Clicking “Play” redirected recipients to a page that attempted to install a trojan detected as JS/Kryptik. Once on the page, visitors were asked to confirm they were not robots; if the target clicked “Allow,” the information-stealing malware was installed.
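The attack pattern described above (a well-known brand named in the sender and subject, a voicemail lure, a “Play” link, all sent from a legitimate but unrelated domain that passes reputation checks) can be caught by header and content heuristics even when SPF and DKIM pass. The script below is an added example, not Armorblox’s or Cybernews’ code; the sample messages are constructed for illustration, with the sender domain taken from the article and every other value (mailbox names, recipient, link host, the WhatsApp domain allow-list) an assumption.

```python
"""Heuristic brand-impersonation checks for one raw RFC 5322 message.

Added example, not code from the article or from Armorblox. The WhatsApp
domain allow-list and the sample messages are assumptions made for this demo.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Domains assumed to legitimately send WhatsApp-branded mail (assumption;
# in production this allow-list comes from your brand-protection policy).
WHATSAPP_DOMAINS = {"whatsapp.com", "whatsapp.net"}

BRAND_RE = re.compile(r"whats\s*app", re.IGNORECASE)
LURE_RE = re.compile(r"new\s+incoming\s+voice\s+message|voice\s*mail", re.IGNORECASE)
URL_RE = re.compile(r"https?://([^/\s<>]+)", re.IGNORECASE)


def address_domain(header_value):
    """Lower-cased domain of the first address in a header, '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def link_hosts(text):
    """Host names of every http(s) link found in a text body."""
    return {m.group(1).lower().rstrip(".") for m in URL_RE.finditer(text)}


def analyze(raw_message):
    """Return {'findings': [...], 'verdict': 'suspicious' | 'clean'}."""
    msg = message_from_string(raw_message)
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = address_domain(msg.get("From"))
    return_path_domain = address_domain(msg.get("Return-Path"))
    subject = msg.get("Subject", "")
    body = "" if msg.is_multipart() else msg.get_payload()

    findings = []
    brand_invoked = bool(
        BRAND_RE.search(display_name) or BRAND_RE.search(subject) or BRAND_RE.search(body)
    )

    # 1. Brand named in display name/subject/body, but the sending domain is not
    #    one the brand uses. This is the core of the campaign above: a real,
    #    reputable domain lends its reputation to another brand's lure.
    if brand_invoked and from_domain not in WHATSAPP_DOMAINS:
        findings.append("brand_domain_mismatch")

    # 2. Bounce address domain differs from the From domain, a common sign of
    #    mail relayed through someone else's list or mail server.
    if return_path_domain and return_path_domain != from_domain:
        findings.append("return_path_mismatch")

    # 3. The campaign's lure: a voicemail notification from a service that does
    #    not notify about voicemail by email.
    if brand_invoked and LURE_RE.search(subject):
        findings.append("voicemail_lure")

    # 4. Call-to-action links that point outside the brand's own domains.
    offbrand = {
        h for h in link_hosts(body)
        if not any(h == d or h.endswith("." + d) for d in WHATSAPP_DOMAINS)
    }
    if brand_invoked and offbrand:
        findings.append("offbrand_link:" + ",".join(sorted(offbrand)))

    verdict = "suspicious" if "brand_domain_mismatch" in findings or len(findings) >= 2 else "clean"
    return {"findings": findings, "verdict": verdict}


# Constructed sample modelled on the campaign: the sender domain is the one
# Armorblox reported; mailbox names, recipient and link host are placeholders.
PHISH_SAMPLE = """\
Return-Path: <bounce@mailman.cbddmo.ru>
From: "WhatsApp" <notification@mailman.cbddmo.ru>
To: alice@example.com
Subject: New Incoming Voice Message
Content-Type: text/plain; charset=utf-8

Hi Alice,
You have a new private voicemail from WhatsApp.
Play: https://voice-play.example.net/listen
"""

# Constructed benign message for comparison.
BENIGN_SAMPLE = """\
Return-Path: <bob@example.com>
From: Bob <bob@example.com>
To: alice@example.com
Subject: Notes from today's meeting
Content-Type: text/plain; charset=utf-8

Hi Alice, the notes are in the shared folder.
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, analyze(sample))
```

The brand/domain mismatch check is the one that matters here: SPF, DKIM and sender reputation all vouched for mailman.cbddmo.ru, so a filter that only asks “is this sender trustworthy?” passes the mail. Asking “does the brand this mail claims to be match the domain it came from?” is what separates it from a genuine notification.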
Armorblox noted that this email attack employed a gamut of techniques to get past traditional email security filters and to pass the eye test of unsuspecting victims.
By spoofing a well-known and secure messaging app, threat actors attempted to build a sense of trust. By allegedly sending a voicemail, they made their victims curious.
“The context of this attack also leverages the curiosity effect, a cognitive bias that refers to our innate desire to resolve uncertainty and know more about something,” Armorblox said.
WhatsApp does not send voicemail notifications by email, but the attack replicated a workflow that already exists in our daily work lives (getting an email notification of a voicemail), so the message looked routine rather than out of place.
“When we see emails we’ve already seen before, our brains tend to employ System 1 thinking and take quick action. The email content even had every victim’s first name filled in to increase the feeling of legitimacy and the chances of follow-through,” Armorblox said.