Researchers at Armorblox found a malicious campaign that targeted WhatsApp users. The attackers reached over 27,660 email addresses with targeted phishing emails made to look as if they came from WhatsApp. If you act on attachments or links received in such an email, the threat actor may trick you into downloading other forms of malicious software. The following sections discuss the latest phishing scheme in more detail.
What is Voice Phishing?
Voice phishing, or vishing, has been a growing cyber concern. These scams are carried out by a malicious actor sending a voice note over various media that directs an individual to a webpage. This webpage either encourages them to download applications that can turn out to be malware or, by offering a service or product, asks them to enter their debit or credit card details.
These web pages, which sit on a domain controlled by the attacker, can look genuine enough to fool you unless you pay close attention to the website’s hyperlink. The malware downloaded by following the attacker’s voice notes can also store sensitive information, like your financial credentials, or auto-download other applications that make harmful changes on your local device.
The WhatsApp Vishing Attack Pattern
Recently, attackers have started using WhatsApp’s popular messaging application as a lure for vishing scams. WhatsApp introduced the voice messaging feature back in 2013, enabling users to send and receive voice notes from their contacts. Recently this feature received an update that lets users send and receive private messages in group chats. Once someone sends you a private message, you receive an email notification about the voice note message, with the voice note embedded.
Cybercriminals exploited this feature by disguising their email as an official WhatsApp notification. They sent it from a hacked legitimate account so that your email provider would not flag it. The email carried an “allow browser notification” link that supposedly lets you play the voice note directly. The email also carried a creation time to make it look authentic.
The “allow notification” link embedded in the email directs you to the domain controlled by the attacker. This domain then prompts the user to click on the “allow the browser to show notification” setting to prove that they are not a robot. Although this should raise suspicion for careful users, less careful ones might fall for the scheme. Once you click on the “allow notification” option, you will receive notifications for adult websites and advertisements. It might also auto-download a payload that steals your information, which the cyber-attacker can use for personal benefit or sell to someone else.
Impact of Vishing
In 2021 alone, over 50 million American citizens fell victim to vishing scams carried out over phone calls. The numbers show how susceptible the population is to such attacks. Cyber attackers employ clever techniques and social engineering patterns to carry out these phishing scams.
In 2018, Cabel Sasser, founder of Panic Inc., reported almost falling victim to a vishing attack. The cybercriminal had nearly made Sasser reveal his CVV and card PIN by pretending to be from his bank.
These attackers use a clever combination of technology and human skills to develop plans that work best against their targets. Although most vishing scams are directed at the general population, some are aimed at specific individuals. These schemes are designed to provoke a reaction that gets the individual to yield sensitive information like their bank or card details.
Protection From Vishing
- Check messages directly: Instead of clicking on links embedded in emails, it is always better to check the messages directly. Although some emails might be genuine, others, not just vishing but also email phishing, can let threat actors launch further cyberattacks using the phishing email as a gateway. So instead of clicking on email links, check your messages in the app directly. If the message does not appear in the app, there is a high chance that the email containing the WhatsApp notification is dubious.
- Check the sender details: If you have received a WhatsApp email from an address that is not even remotely related to WhatsApp, it would be wise not to click on the link provided in the email.
- Do not give your card/bank details: Even if you receive a note that seems to be from a financial organization, do not reveal your bank details. No financial organization asks for your bank details, CVV, or ATM PIN.
- Read the instructions carefully: If you do land on a webpage, read the instructions carefully instead of simply clicking through the options. While clicking on these options, you might click on a harmful link disguised by the cyber attacker, which might download trojans and payloads onto your local device.
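One way to turn the sender and link checks above into a mail-filter rule, as an added example that is not part of the original article or of Armorblox’s research: it parses a constructed sample of the notification-style lure described above and flags a message that presents itself as WhatsApp but comes from, or links to, an unrelated domain. The legitimate-domain set, addresses and hostnames are all assumptions made for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# The impersonated brand (from the article) and the domains it is assumed to send from.
# The domain set is an assumption for this example, not a statement about WhatsApp's mail setup.
BRAND = "whatsapp"
LEGIT_DOMAINS = {"whatsapp.com", "whatsapp.net"}

# Constructed sample modelled on the lure described above: a fake voice-note notice
# whose "allow notification" link leads off-brand. Addresses and hosts are invented.
SAMPLE_LURE = """\
From: "WhatsApp Notifier" <notify@mail-service.example>
Subject: New Incoming Voice Message
Content-Type: text/html

<p>You have a new private voice note (0:28).</p>
<p><a href="http://allow-notify.example/play?id=7711">Allow browser notification</a></p>
"""

HREF_RE = re.compile(r'href\s*=\s*["\']?([^"\'\s>]+)', re.I)
HOST_RE = re.compile(r'^[a-z][a-z0-9+.-]*://([^/?#:]+)', re.I)

def registrable(host):
    """Crude registrable-domain approximation: keep the last two labels."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def link_domains(html):
    """Registrable domains of every scheme://host href in the HTML body."""
    return [registrable(m.group(1)) for m in map(HOST_RE.match, HREF_RE.findall(html)) if m]

def assess(raw):
    """Flag brand/sender and brand/link mismatches; returns (suspicious, reasons)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    reasons = []
    # Does the mail present itself as the brand anywhere the reader looks?
    claims_brand = BRAND in (display + msg.get("Subject", "") + body).lower()
    if claims_brand and registrable(addr.partition("@")[2]) not in LEGIT_DOMAINS:
        reasons.append("sender-domain-mismatch")  # the "check the sender details" rule
    offbrand = sorted({d for d in link_domains(body) if d not in LEGIT_DOMAINS})
    if claims_brand and offbrand:
        reasons.append("link-domain-mismatch:" + ",".join(offbrand))  # link leaves the brand
    return bool(reasons), reasons

if __name__ == "__main__":
    print(assess(SAMPLE_LURE))
```

A real filter would replace the two-label domain heuristic with a public-suffix list and add SPF/DKIM alignment, but the two mismatches shown are exactly the signals the advice above asks a reader to check by eye.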
Although vishing scams are increasing and cybercriminals keep coming up with new methods of attack, it is easy to stop such frauds from succeeding. With the few simple precautions given above, one can avoid falling prey to such attacks and suffering a financial loss.