WhatsApp phishing email campaign uses voice message alerts as a lure

Information stealing malware dropped when users fall for the phishing emails about WhatsApp voice messages

Net campaign lures people into clicking on malicious links and buttons, so info-stealer malware gets installed

The newest WhatsApp phishing campaign impersonates the voice message feature to spread information-stealing malware. At least 27,655 email addresses were targeted.^[1] Victims can click on links and action buttons on the email alerts and install the data stealer on their machine. The campaign is aiming to trigger particular steps that result in malware infection eventually.^[2]

Phishing campaigns^[3] are often used as a way to spread various malware around. These threats can be anything from keystroke loggers to ransomware. The particular information-stealer is the way for the credential theft, so the obtained information can be later used in secondary campaigns.

This campaign abuses the information on WhatsApp voice messages – the feature first introduced in 2013. The feature is used 7 billion times per day on average.^[4] People fall for the trick since the email is masqueraded as the official email sent from eh WhatsApp informing about the received voice memo, and its duration. The email even includes the Play button with an embedded link to a malicious source.

Notification about a private voice message

The campaign involving these phishing messages with claims about WhatsApp voice messages got discovered by the researchers Armorblox. The team reported that these messages pretend to be notifications from WhatsApp with the details of a new private message on the messaging application.

The email includes the creation time details, clip duration, and the button that should lead to the message directly. The campaign uses the name of the legitimate Whatsapp Notifier service, so the email address is not flagged, and the phishing can go on undetected as other phishing attacks.

The legitimate organizations play a role in cyberattacks without knowledge, and hackers exploit the domain for their own purpose. Clicking on the active Play button triggers the redirect to the website that triggers the JS/Kryptic trojan installation once the person hits Allow button that resembles any push notification of a common ad-supported site.

The payload of the trojan is quickly installed, and the malware can be launched on the machine. These information stealers are aggressively distributed, and phishing is one of the more common methods. Tools are mainly focused on cryptocurrency wallets, SSH keys, and files stored on the computer or mobile phone. This is a serious virus.

Malware moves to smartphones quickly

It is reported that mobile cyberattacks occur five times more often nowadays. These infections are related to data and credential-stealing functions, so mobile malware can obtain passwords and bank credentials and even take full control of the device upon infiltration.^[5]

These campaigns targeting mobile users rely on known vulnerabilities in applications, software, and OS. Malware creators also attempt to send malicious text messages and deliver applications with malicious code that allows these info-stealers to activate silently in the background of the device.

Some of the malicious programs designed to affect mobile devices can not only steal usernames, passwords, or bank account credentials but might have more advanced functionalities allowing the threat to track the location, wipe the information from the machine, record audio, video using the camera of the smartphone or a different mobile device.

Users should pay close attention to mobile messages from unknown sources, and it is important to never click on a link received in the text message. These campaigns can seem legitimate and deliver major malware. Experts warn that any interaction can lead to issues in the future:

It's also vital that you don't respond to strange texts or texts from unknown sources. Doing so will often confirm you're a real person to future scammers.