A phishing campaign impersonating WhatsApp has targeted more than 27,000 mailboxes, according to researchers at Armorblox. It’s not clear who the attackers were, but they used an old version of a road safety operations website belonging to Russia’s Ministry of Internal Affairs, which helped the emails to bypass authentication checks.
“The domain of the email sender was ‘mailman.cbddmo[.]ru,’” the researchers write. “Research from our team suggests the email domain is associated with the ‘center for road safety of the moscow region’ page. According to the website this organization was established to provide assistance to the State Road Safety operations for Moscow and it belongs to the Ministry of Internal Affairs of the Russian Federation. It’s possible that attackers exploited a deprecated or old version of this organization’s parent domain to send the malicious emails. The email passed all authentication checks (SPF, DMARC).”
The emails informed recipients that they had received a voicemail on their WhatsApp account, and directed them to click a link in order to listen to it.
“Upon clicking the ‘Play’ link in the email, recipients were redirected to a page that attempts to install a trojan horse JS/Kryptik,” the researchers write. “This is a malicious obfuscated JavaScript code embedded in HTML pages that redirects the browser to a malicious URL and implements a specific exploit. Once the target landed on the malicious webpage, he or she was prompted to confirm they ‘are not a robot. If the target clicked ‘allow’ on the popup notification in the URL a malicious payload could potentially be installed as a Windows application through a browser Ad service, in order to bypass User Account Control. Once the malware was installed (Infostealer) it can steal sensitive information like credentials that are stored within the browser.”
Armorblox recommends that users slow down and think when they receive unsolicited emails, so they can avoid falling for these attacks. A cognitive speed bump might be in order for this kind of traffic.
“Since we get so many emails from service providers, our brains have been trained to quickly execute on their requested actions,” the researchers write. “It’s much easier said than done, but engage with these emails in a rational and methodical manner whenever possible. Subject the email to an eye test that includes inspecting the sender name, sender email address, language within the email, and any logical inconsistencies within the email (e.g. Why is a WhatsApp link leading to an HTML download? Why is the sender email domain from a third-party organization?).”
So if you were wondering what traffic was like around the Arbat, well, this site might not have been the one to check. New-school security awareness training can enable your employees to thwart phishing attacks.
Here's how it works:
