An unknown threat actor is impersonating WhatsApp over email in an attempt to bait victims into installing a trojan, cybersecurity researchers have warned.
According to a report from Armorblox, the attackers have targeted close to 30,000 endpoints to date, across the healthcare, education and retail sectors, and also managed to bypass Microsoft and Google email security filters.
The report states that the fraudulent emails are coming from the ‘mailman.cbddmo.ru’ domain, which seems to be associated with a government institution in the Moscow region. It is possible, the researchers note, that the attackers exploited a deprecated version of the parent domain to send the phishing emails.
Fake voicemail
The contents of the email itself revolve around a fake WhatsApp voice message. The victim will receive an email saying they’ve received a new private voicemail, and if they want to listen to it, they should click on the Play button provided. Pressing the button redirects the victim to a page that tries to install the JS/Kryptik trojan.
“This is a malicious obfuscated JavaScript code embedded in HTML pages that redirects the browser to a malicious URL and implements a specific exploit,” the report reads.
After landing on the page, the victim would need to confirm they are “not a robot”, and clicking on the “allow” popup, researchers suggest, could install the malicious payload.
JS/Kryptik can steal sensitive information stored within the browser, such as passwords, the researchers went on to explain.
As usual, all users are warned not to click on links or download attachments from emails that come “out of the blue”, or from suspicious addresses. Email is still the most popular attack vector for threat actors, so users are advised to stay vigilant.
- Protect yourself with the best identity theft protection software right now
