Watch out! Fake WhatsApp Voice Messages Can Steal Data


Voice messages are one of the most popular features of WhatsApp. No wonder this feature is being misused by cybercriminals to spread data-stealing malware through phishing campaigns.

This phishing campaign involving WhatsApp voice messages was discovered by researchers from Armorblox. This phishing attack was not launched directly on the WhatsApp application, but via an email saying that the user received a WhatsApp voice message. So, be careful if you receive an email claiming to be a WhatsApp voicemail notification.


The email contains a 'Play' button along with the duration and creation time of the sound clip. Although it pretends to be from WhatsApp, it actually uses an email address belonging to the Center for Road Safety in Moscow, Russia.



Because the email domain used belongs to a legitimate and genuine entity, this email is not marked as spam or blocked. Armorblox believes this is a case where hackers managed to exploit the domain to promote their malicious campaign.


If the recipient of the email clicks on the 'Play' button in the message, they will be redirected to a server that displays an allow/block request to install the JS/Kryptic trojan.



To trick the victim into clicking 'Allow', the hacker displays a web page stating that the user needs to click 'Allow' to confirm that they are not a robot.


However, once this button is clicked, the user is forced to subscribe to browser notifications that send in-browser ads for scams, adult sites, and malware. Not only that, the browser will also force users to install a payload that contains data-stealing malware.


The information stolen by this particular malware is mostly in the form of online account credentials stored in browsers and apps. But this malware also targets crypto wallets, SSH keys, and files on computers, as quoted from Bleeping Computer, Thursday (7/4/2022).


Fortunately, this phishing scam has many red flags indicating that the email the user receives is potentially dangerous. First, neither the sender's email address nor the URL of the page asking the user to click 'Allow' is associated with WhatsApp.


Second, voice messages received on WhatsApp will be downloaded automatically in the app. Remember! WhatsApp never sends notification emails stating that users received voice messages.



Third, this phishing email does not have the WhatsApp logo. This seems to be done so that the email can escape the VMC checks introduced by Gmail last year.
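The first red flag can be checked automatically on a mail gateway or in a triage script. The Python example below is an added illustration, not code from the article or from Armorblox: it flags a message that claims to be from WhatsApp while its sender domain and link hosts are not WhatsApp-owned. The list of WhatsApp domains is an assumption, and the sample message is constructed with placeholder domains.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains treated as genuinely WhatsApp-owned; adjust as needed.
BRAND = "whatsapp"
BRAND_DOMAINS = {"whatsapp.com", "whatsapp.net"}

# Constructed sample message (not the real phishing email); placeholder domains.
SAMPLE = """\
From: "Whatsapp Notifier" <noreply@road-safety.example>
To: user@example.com
Subject: New Incoming Voicemessage
Content-Type: text/html

<p>You have a new private voicemail. Duration: 00:38</p>
<a href="https://landing.example.net/play?id=1">Play</a>
"""

def owned_by_brand(host):
    """True if host is a brand domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def red_flags(raw):
    """Return reasons the message looks like WhatsApp impersonation."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    subject = (msg.get("Subject") or "").lower()
    # Only messages that present themselves as the brand are checked.
    if BRAND not in name.lower() and BRAND not in subject:
        return []
    flags = []
    if not owned_by_brand(sender_domain):
        flags.append("sender domain not WhatsApp: " + sender_domain)
    # Single-part message: the payload is the body text itself.
    for url in re.findall(r'href="([^"]+)"', msg.get_payload()):
        host = urlparse(url).hostname
        if not owned_by_brand(host):
            flags.append("link host not WhatsApp: " + str(host))
    return flags

if __name__ == "__main__":
    for flag in red_flags(SAMPLE):
        print(flag)
```

The suffix match requires a leading dot, so a lookalike host such as whatsapp.com.landing.example is still reported.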


To protect yourself from phishing attacks, always watch for signs of fraud when receiving messages with shocking news, such as getting millions of dollars from a Nigerian prince. If you want to check something, do it yourself via an app or official website, and don't follow URLs or instructions in phishing emails.
