Attackers Spoof WhatsApp Voice-Message Alerts to Steal Info

Threat actors target Office 365 and Google Workspace in a new campaign, which uses a legitimate domain associated with a road-safety center in Moscow to send messages.

Attackers are spoofing voice message notifications from WhatsApp in a malicious phishing campaign that uses a legitimate domain to spread an info-stealing malware, researchers have found.

Researchers at cloud email security firm Armorblox discovered the malicious campaign targeting Office 365 and Google Workspace accounts using emails sent from domain associated with the Center for Road Safety, an entity believed to reside within the Moscow, Russia region. The site itself is legitimate, as it’s connected to the State Road Safety operations for Moscow and belongs to the Ministry of Internal Affairs of the Russian Federation, according to a blog post published Tuesday.

So far, attackers have reached about 27,660 mailboxes with the campaign, which spoofs WhatsApp by informing victims they have a “new private voicemail” from the chat app and includes a link purporting to allow them to play it, researchers said. Targeted organizations include healthcare, education and retail, researchers said.

The attack “employs a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting victims,” Armorblox Product Marketing Manager Lauryn Cash wrote in the post.

Those tactics include social engineering by eliciting trust and urgency in the emails sent to victims; brand impersonation by spoofing WhatsApp; the exploitation of a legitimate domain from which to send the emails; and the replication of existing workflows, i.e. getting an email notification of a voice message, Cash explained.

How It Works

Potential victims of the campaign receive an email with the title “New Incoming Voice message” that includes a header in the email body reiterating this title. The email body spoofs a secure message from WhatsApp and tells the victim that he or she has received a new private voicemail, including a “Play” button so they allegedly can listen to the message.

The domain of the email sender was “,” which Amorblox researchers linked to the center for road safety of the Moscow region page–a legitimate site that allows the emails to slip past both Microsoft and Google’s authentication checks, they said. However, it’s possible that attackers exploited a deprecated or old version of this organization’s parent domain to send the malicious emails, they acknowledged.

If the recipient clicks the email’s “Play” link, he or she is redirected to a page that attempts to install a trojan horse JS/Kryptik–a malicious obfuscated JavaScript code embedded in HTML pages that redirects the browser to a malicious URL and implements a specific exploit, according to the post.

Once the target lands on the malicious page, a prompt asks for confirmation that the victim is not a robot. Then, if the victim clicks “allow” on the popup notification in the URL, a browser ad service can install the malicious payload as a Windows application, allowing it to bypass User Account Control.

“Once the malware was installed … it can steal sensitive information like credentials that are stored within the browser,” Cash wrote.

Targeting Unsuspecting Consumers

While the campaign appears to be focused on consumers rather than businesses, it could be a threat to corporate networks if victims take the bait and the malware is installed, one security professional noted.

“The complexity and sophistication of the techniques make it very hard for the average consumer to detect a malicious attempt,” Purandar Das, CEO and co-founder at Sotero, an encryption-based data security solutions company, wrote in an email to Threatpost. “You could potentially see a path where they are able to collect business information once the malware is deployed and active.”

‘Targeting consumers is a successful path for cybercriminals, as people seem to let their guard down more with electronic communication than real-life communication, noted another security professional. The average person often falls for online scams if they are familiar with the social-media platform claiming to be the message sender,” James McQuiggan, security awareness advocate at security firm KnowBe4, wrote in an email to Threatpost.

“When they see it, most people will recognize someone trying to scam them in real life,” he said, citing an example of New York City street merchant trying to sell a passer-by a fake brand-name watch or handbag. “Most people will know they are fake and carry on walking. McQuiggan observed.

However, many people might not recognize an email claiming to have a voicemail from a popular messaging app or another social media platform is a scam and go along with it, he said.

“Users are too accepting of emails,” McQuiggan said. “There needs to be more education for everyone, not just within organizations, to spot electronic social engineering or scams, so it is apparent like someone who is trying to sell a fake watch or handbag on the street.”

Suggested articles