Russian Spear-Phishing Campaign Targets WhatsApp Accounts



The Russian threat actor “Star Blizzard” has launched a spear-phishing campaign that attempts to compromise WhatsApp accounts, according to researchers at Microsoft. The operation targets individuals involved in providing assistance to Ukraine.

“Star Blizzard’s new spear-phishing campaign, while novel in that it uses and targets WhatsApp for the first time, exhibits familiar spear-phishing TTPs for Star Blizzard, with the threat actor initiating email contact with their targets, to engage them, before sending them a second message containing a malicious link,” Microsoft says.

“The sender address used by the threat actor in this campaign impersonates a US government official, continuing Star Blizzard’s practice of impersonating known political/diplomatic figures, to further ensure target engagement.”

The spear-phishing emails contain a deliberately broken QR code, designed to prompt the target to reply and ask for a working link.

“The initial email sent to targets contains a quick response (QR) code purporting to direct users to join a WhatsApp group on ‘the latest non-governmental initiatives aimed at supporting Ukraine NGOs,’” the researchers write.

“This code, however, is intentionally broken and will not direct the user towards any valid domain; this is an effort to coax the target recipient into responding. When the recipient responds, Star Blizzard sends a second email containing a Safe Links-wrapped t[.]ly shortened link as the alternative link to join the WhatsApp group.”

If the user clicks this link, they’ll be taken to a page displaying a working QR code. Scanning it does not join any group: it is the code WhatsApp uses to pair a new linked device, so scanning it with the target’s phone enrolls the attacker’s browser session as a linked device and gives the attacker access to the account.

“When this link is followed, the target is redirected to a webpage asking them to scan a QR code to join the group,” the researchers write. “However, this QR code is actually used by WhatsApp to connect an account to a linked device and/or the WhatsApp Web portal.

This means that if the target follows the instructions on this page, the threat actor can gain access to the messages in their WhatsApp account and have the capability to exfiltrate this data using existing browser plugins, which are designed for exporting WhatsApp messages from an account accessed via WhatsApp Web.”
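As an added example (not Microsoft’s or KnowBe4’s code), the following Python triages decoded QR payloads and links pulled from a suspect email against the two-stage pattern described above: it unwraps a Microsoft Safe Links redirector to expose the real destination, flags URL shorteners such as t[.]ly, flags payloads that are not a web URL at all (the intentionally broken first-stage QR code resolves to no valid domain), and checks whether a link that claims to join a WhatsApp group is actually a chat.whatsapp.com invite. The Safe Links host pattern and the chat.whatsapp.com invite format are as commonly observed; the sample payloads and the shortener list beyond t.ly are constructed for the example.

```python
"""Triage of QR payloads / links from a suspected spear-phishing email.

Added example, not code from Microsoft or KnowBe4. The sample payloads
below are constructed; no network access is needed.
"""
import re
from urllib.parse import parse_qs, urlparse

# Microsoft Safe Links wraps outbound URLs as
#   https://<region>.safelinks.protection.outlook.com/?url=<encoded dest>&...
SAFELINKS_HOST = "safelinks.protection.outlook.com"

# t.ly is the shortener named in the campaign report; the rest are common
# shorteners added here as an assumption (extend per environment).
SHORTENER_HOSTS = {"t.ly", "bit.ly", "tinyurl.com", "cutt.ly", "is.gd"}

# Syntactically valid DNS hostname: RFC 1123 labels plus an alphabetic TLD.
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def unwrap_safelinks(url: str) -> str:
    """Return the destination hidden behind a Safe Links wrapper, else the URL unchanged."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host == SAFELINKS_HOST or host.endswith("." + SAFELINKS_HOST):
        inner = parse_qs(p.query).get("url")  # parse_qs percent-decodes for us
        if inner:
            return inner[0]
    return url


def valid_web_url(url: str) -> bool:
    """True only for http(s) URLs whose host is a syntactically valid domain."""
    p = urlparse(url)
    return p.scheme in ("http", "https") and bool(HOSTNAME_RE.match((p.hostname or "").lower()))


def is_group_invite(url: str) -> bool:
    """WhatsApp group invites are https://chat.whatsapp.com/<invite code>; anything else is not one."""
    p = urlparse(url)
    return p.scheme == "https" and (p.hostname or "").lower() == "chat.whatsapp.com" and p.path.strip("/") != ""


def triage(payload: str) -> dict:
    """Classify one decoded QR payload or link that the email asks the target to follow.

    Flags:
      safelinks_wrapped  destination was hidden behind a Safe Links redirector
      not_a_url          payload is not a web URL with a valid domain (the broken QR case)
      shortener          host is a URL shortener, so the destination is unknown until followed
      not_group_invite   not a chat.whatsapp.com invite, so it cannot be "joining a group"
    """
    flags = []
    final = unwrap_safelinks(payload)
    if final != payload:
        flags.append("safelinks_wrapped")
    if not valid_web_url(final):
        flags.append("not_a_url")
    elif urlparse(final).hostname.lower() in SHORTENER_HOSTS:
        flags.append("shortener")
    if not is_group_invite(final):
        flags.append("not_group_invite")
    return {"final": final, "flags": flags}


# Constructed samples modelling the stages described in the report.
SAMPLES = {
    "stage1_broken_qr": "join-ukraine-ngo-group",  # decodes to no URL at all
    "stage2_safelinks": (
        "https://nam12.safelinks.protection.outlook.com/"
        "?url=https%3A%2F%2Ft.ly%2Fexample&data=05%7C02%7C&reserved=0"
    ),
    "lookalike_page": "https://whatsapp-join.example/group",
    "genuine_invite": "https://chat.whatsapp.com/AbCdEfGhIjKlMnOpQrStUv",
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        result = triage(payload)
        print(f"{label:18} -> {result['final']}  {result['flags']}")
```

In practice the shortener and lookalike-page cases still need the link followed in a sandbox to see what the landing page serves; the point of the offline triage is that a message which promises a group invite yet hands the user a Safe Links-wrapped shortener, or a QR code that decodes to anything other than a chat.whatsapp.com link, has already failed the check before anyone scans it.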

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Microsoft has the story.




