The Russian threat actor “Star Blizzard” has launched a spear-phishing campaign attempting to compromise WhatsApp accounts, according to researchers at Microsoft. The operation targets individuals who are involved in providing assistance to Ukraine.
“Star Blizzard’s new spear-phishing campaign, while novel in that it uses and targets WhatsApp for the first time, exhibits familiar spear-phishing TTPs for Star Blizzard, with the threat actor initiating email contact with their targets, to engage them, before sending them a second message containing a malicious link,” Microsoft says.
“The sender address used by the threat actor in this campaign impersonates a US government official, continuing Star Blizzard’s practice of impersonating known political/diplomatic figures, to further ensure target engagement.”
The spear-phishing emails contain a deliberately broken QR code, intended to prompt the recipient to reply and ask for a working link.
“The initial email sent to targets contains a quick response (QR) code purporting to direct users to join a WhatsApp group on ‘the latest non-governmental initiatives aimed at supporting Ukraine NGOs,’” the researchers write.
“This code, however, is intentionally broken and will not direct the user towards any valid domain; this is an effort to coax the target recipient into responding. When the recipient responds, Star Blizzard sends a second email containing a Safe Links-wrapped t[.]ly shortened link as the alternative link to join the WhatsApp group.”
If the user clicks this link, they are taken to a page showing a working QR code which, when scanned, links the attacker's browser to the victim's WhatsApp account.
“When this link is followed, the target is redirected to a webpage asking them to scan a QR code to join the group,” the researchers write. “However, this QR code is actually used by WhatsApp to connect an account to a linked device and/or the WhatsApp Web portal.
This means that if the target follows the instructions on this page, the threat actor can gain access to the messages in their WhatsApp account and have the capability to exfiltrate this data using existing browser plugins, which are designed for exporting WhatsApp messages from an account accessed via WhatsApp Web.”
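The second-stage email described above carried a URL-shortener link hidden behind a Microsoft Safe Links wrapper. The following triage helper is an added example (not Microsoft's or KnowBe4's code): it unwraps Safe Links redirectors found in a mail body and flags links whose real destination is a shortener. The sample body, the `SHORTENER_DOMAINS` list and the placeholder hostnames are constructed for the demo.

```python
"""Mail-triage helper: unwrap Safe Links redirectors and flag shortener
destinations, as seen in the Star Blizzard second-stage email."""
import re
from urllib.parse import urlparse, parse_qs

# Shortener domains worth a second look; this list is an assumption for the demo.
SHORTENER_DOMAINS = {"t.ly", "bit.ly", "tinyurl.com"}

# Crude URL extractor: anything from http(s):// up to whitespace or a quote/bracket.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def unwrap_safelink(url: str) -> str:
    """Return the real destination behind a Safe Links wrapper, or the URL unchanged.

    Safe Links rewrites a link to https://<region>.safelinks.protection.outlook.com/?url=<encoded>&...
    so the original destination is the percent-decoded ``url`` query parameter
    (parse_qs already decodes it).
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host.endswith("safelinks.protection.outlook.com"):
        target = parse_qs(parsed.query).get("url", [None])[0]
        if target:
            return target
    return url


def flag_shortener_links(body: str) -> list[dict]:
    """Return one finding per link in ``body`` whose unwrapped host is a shortener."""
    findings = []
    for raw in URL_RE.findall(body):
        final = unwrap_safelink(raw)
        host = (urlparse(final).hostname or "").lower()
        if host in SHORTENER_DOMAINS:
            findings.append({"wrapped": raw, "destination": final,
                             "domain": host, "safelinks_wrapped": raw != final})
    return findings


# Constructed sample of a second-stage reply; hostnames, path and query values are placeholders.
SAMPLE_BODY = (
    "Apologies, the QR code did not work. Please use this link to join the group instead:\n"
    "https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Ft.ly%2FEXAMPLE"
    "&data=05%7C02%7C&sdata=PLACEHOLDER&reserved=0\n"
    "Kind regards"
)

if __name__ == "__main__":
    for hit in flag_shortener_links(SAMPLE_BODY):
        print(hit)
```

A hit on its own only says "shortener behind a corporate redirector"; pair it with the reply-to-a-broken-QR pattern from the first email when deciding what to escalate.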
Microsoft has the story.