A new email phishing campaign that sees threat actors impersonate instant messaging app WhatsApp has been sent to almost 30,000 email addresses.
The phishing attack – which has been observed bypassing email spam filters and unleashing malware on victims’ computers when successful – will find it easier to infect devices without antivirus software installed.
However, employees working in the US and beyond also have to be aware of the tell-tale signs of a phishing attack, as technology can only do so much to protect you.
WhatsApp Phishing Campaign Discovered
Researchers at Armorblox – an email security company that uses Natural Language Understanding to detect suspicious emails – first discovered the WhatsApp impersonators.
The threat actor essentially impersonates WhatsApp in email messages. According to Bleeping Computer, the shady emails contain a “play” button, as well as details about the duration of the audio recording.
To make matters worse, the email address the messages are sent from – which comes up as “WhatsApp Notifier” – is linked to the Center for Road Safety in Moscow. Because this is a legitimate organization, many email spam filters don’t recognize it as unsafe.
If the play button is clicked by a victim, they’ll be redirected to another website. On this page, they’ll be asked to click “Allow” to confirm they aren’t a robot – but taking this action will download the malware onto their device.
Why Whatsapp, Why Now?
Almost all Phishing emails impersonate well-known brands. Understanding exactly why they’re impersonating certain brands – as well as the techniques used whilst doing so – is vital to avoid them.
So, why WhatsApp? Well, like most brands impersonated in phishing attacks, WhatsApp is a reputable, trustworthy company that has over 75 million users in the US. This means, from the threat actor's perspective, a huge number of people may be expecting emails from the messaging platform.
WhatsApp is a brand that many consumers associate with safety rather than danger.
But WhatsApp may have also been picked because of its famous security protections. The entire app is end-to-end encrypted, and parent company Meta has gone to great lengths to advertise its watertight security mechanism. WhatsApp, therefore, is a brand that many consumers associate with safety rather than danger.
WhatsApp also recently added new updates to the voice messaging capabilities of its app – including draft previews, Remember Playback, and Fast Playback on forwarded messages – which might make an email with a voice note “feel” like a normal thing to receive.
How can my Business Avoid Phishing Attacks?
There are a number of different ways you can protect your employees – and in turn, your company – from phishing attacks like this one.
It’s important to attend to this area of cybersecurity considering the average cost of a data breach and the prevalence of info-stealing malware.
Firstly, staff need to be finely attuned to the social engineering techniques used by threat actors in phishing campaigns. Online courses should be taken regularly, mock phishing emails sent out to test employees’ resolve, and telltale signs should be discussed, which include:
- A Sense of Urgency: Is the email demanding you do something hastily in order to save yourself, right a wrong, or avoid consequence? Legit companies won’t do this.
- A Wild Accusation: Is the email accusing you of committing a crime, or owing a bank, business or government agency money? Treat it with caution
- Poor Spelling and Grammar: Phishing emails are obviously not official correspondence, which would typically be proofread and not contain mistakes.
- An Unfamiliar Tone: Is the email unusually informal, or changes tone suddenly? Does it match the tone of legitimate correspondence from the same organization?
Even if you have just an inkling of doubt about whether an email is genuine, you can always open a separate channel of communication with whatever brand the email was purportedly sent by. Remember, with the stakes so high, it’s always, always better to be safe than sorry.