A new WhatsApp phishing campaign has been identified by researchers at Armorblox that has been sent to at least 27,655 email addresses. The emails impersonate WhatsApp and relate to the voice message feature of the instant messaging app to get recipients of the messages to install information-stealing malware. The malware targets passwords stored in browsers and applications, steals cryptocurrency wallets, and can be used to exfiltrate files from an infected computer.
WhatsApp launched voice messaging on the platform in 2013 and recently upgraded this feature to make sending a voice message much simpler. The latest phishing campaign coincides with the announcement from WhatsApp about its upgraded voice messaging feature.
The phishing emails claim that the recipient has received a new voice message, with the messages including a Play button that needs to be clicked to play the recording. The emails have the subject line “New Incoming Voicemessage”, with “WhatsApp Notifier” as the display name of the sender, and the date and time that the voice recording was received in the message body.
The email address used for this campaign uses the official domain of the Center for Road Safety in Moscow, and because this is a legitimate entity, email security solutions typically deliver the messages to inboxes. Researchers at Armorblox suggest the people running this campaign have somehow compromised the official Center for Road Safety domain, cbddmo.ru.
If the play button is clicked, the user will be redirected to a malicious website. The user is given an allow/block prompt, and if allow is clicked the malware will be downloaded. To increase the probability of the user clicking allow, the web page states that the click is required to confirm that the visitor is not a robot. In addition to triggering the malware download, clicking allow will subscribe the individual to browser notifications which could be used for a variety of scams.
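A triage check built from the indicators described above (subject line, display name, abused sender domain, off-brand link), added here as an example; it is not code from Armorblox or the original article. The sample messages, the lure hostname and the allow-list of legitimate WhatsApp sending domains are constructed assumptions for this example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Indicators reported for this campaign (from the article).
CAMPAIGN_SUBJECT = "new incoming voicemessage"
CAMPAIGN_DISPLAY_NAME = "whatsapp notifier"
CAMPAIGN_SENDER_DOMAIN = "cbddmo.ru"
# Assumed allow-list of domains WhatsApp itself sends from; adjust to your own data.
LEGIT_WHATSAPP_DOMAINS = {"whatsapp.com", "whatsapp.net", "facebook.com"}

# Constructed sample lure; the link host is a placeholder, not a real indicator.
SAMPLE_LURE = """\
From: WhatsApp Notifier <notify@cbddmo.ru>
To: victim@example.com
Subject: New Incoming Voicemessage
Content-Type: text/html; charset=utf-8

<p>You have a new voice message received 2022-04-01 09:14.</p>
<a href="https://voice-note.example/play">Play</a>
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = """\
From: Alice <alice@example.org>
To: victim@example.com
Subject: Lunch on Friday?
Content-Type: text/plain; charset=utf-8

Same place as last time?
"""

def score_message(raw: str) -> tuple[int, list[str]]:
    """Return (number of hits, list of findings) for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display_name, address = parseaddr(str(msg.get("From", "")))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    subject = str(msg.get("Subject", "")).strip().lower()
    if subject == CAMPAIGN_SUBJECT:
        findings.append("subject matches campaign lure")
    if display_name.strip().lower() == CAMPAIGN_DISPLAY_NAME:
        findings.append("display name matches campaign lure")
    # Brand impersonation: WhatsApp in the display name, but not a WhatsApp domain.
    if "whatsapp" in display_name.lower() and domain not in LEGIT_WHATSAPP_DOMAINS:
        findings.append(f"WhatsApp-branded display name from non-WhatsApp domain {domain}")
    if domain == CAMPAIGN_SENDER_DOMAIN:
        findings.append("sender domain reported as abused in this campaign")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for host in re.findall(r'https?://([^/\s"\'>]+)', text):
        host = host.lower()
        if not any(host == d or host.endswith("." + d) for d in LEGIT_WHATSAPP_DOMAINS):
            findings.append(f"link to non-WhatsApp host {host}")
    return len(findings), findings
```

The brand-impersonation check is the durable part: the subject line and sender domain will change between campaigns, but a WhatsApp display name on mail from an unrelated domain should not.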
This WhatsApp phishing campaign should be relatively easy for individuals to identify for what it is, as there is no company logo in the messages and WhatsApp voice notifications are only delivered through the WhatsApp mobile app. However, the messages are being delivered to inboxes where they can be opened and clicked by the unwary.
The malware delivered in this campaign is an information stealer that can steal browser passwords. Browsers can be used for storing passwords, but for security reasons it is far better to use a password manager, as encrypted passwords in browsers can be stolen and decrypted. There are several password managers that can be used for free. Bitwarden, for example, has a good free tier for individuals; however, password managers are not usually expensive and are worth the investment for improving security.