Leave your Message after the Beep: WhatsApp Voicemail Phishing Attack from Russia

Lauryn Cash
Written by Lauryn Cash
Threat Research /
Leave your Message after the Beep: WhatsApp Voicemail Phishing Attack from Russia

In today’s Blox Tale, we will look at a phishing attack that spoofs a voice message notification from WhatsApp, an international, mobile messenger application. Clicking the link attempts to install Infostealer malware onto the machine.

The Armorblox research team was able to observe this attack on multiple customer tenants across Office 365 and Google Workspace. The potential total attack exposure was close to 28K mailboxes.


Summary

Mailboxes: ~27, 660

Target: This email attack targeted multiple organizations across healthcare, education, and retail.

Email security bypassed: Office 365, Google Workspace

Techniques used: vishing, drive-by download, social engineering, brand impersonation

The Email

The socially engineered email was titled ‘New Incoming Voicemessage” and included a header in the email body reiterating the email title. The email body spoofed a secure message from WhatsApp and suggested that the victim had received a new private voicemail.

The email invited the victim to click on the ‘Play’ button to view the secure message. A snapshot of the email is given below:

WhastsApp Phishing Email\_ FIG 1

Fig 1: Email spoofing a WhatsApp voice message notification

The domain of the email sender was ‘mailman.cbddmo.ru’. Research from our team suggests the email domain is associated with the ‘center for road safety of the moscow region’ page (see figure 2 below). According to the website this organization was established to provide assistance to the State Road Safety operations for Moscow and it belongs to the Ministry of Internal Affairs of the Russian Federation.

WhatsApp Phishing Attack- FIG 2

Fig 2: Email domain used within phishing attack associated with Russia

It’s possible that attackers exploited a deprecated or old version of this organization’s parent domain to send the malicious emails. The email passed all authentication checks (SPF, DMARC).

The Phishing Page

Upon clicking the “Play” link in the email, recipients were redirected to a page that attempts to install a trojan horse JS/Kryptik. This is a malicious obfuscated JavaScript code embedded in HTML pages that redirects the browser to a malicious URL and implements a specific exploit.

WhatsApp Phishing Attack, popup - FIG 3

Fig 3: Malicious landing page prompting recipients to install trojan horse JS/KryptikFig

Once the target landed on the malicious webpage, he or she was prompted to confirm they “are not a robot”. If the target clicked “allow” on the popup notification in the URL a malicious payload could potentially be installed as a Windows application through a browser Ad service, in order to bypass User Account Control. Once the malware was installed (Infostealer) it can steal sensitive information like credentials that are stored within the browser.

Phishing Flow

The email was sent from a valid domain and bypassed Microsoft and Google email security.

WhatsApp Phishing Attack_phishing flow


Recap of Techniques Used

This email attack employed a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting victims.

Social engineering: The email title, design, and content aimed to induce a sense of trust and urgency in the victims - a sense of trust because the email claimed to come from a legitimate communication application (WhatsApp), and a sense of urgency because it claimed the victim has a voice message to listen to - something they would be eager to review. The context of this attack also leverages the curiosity effect, which is a cognitive bias that refers to our innate desire to resolve uncertainty and know more about something.

Brand impersonation: The email has HTML stylings and content disclaimers similar to WhatsApp. Although WhatsApp does not send notification emails, the color and branding elements are close enough to compromise an end user.

Exploiting a legitimate domain: The parent domain of the email sender is a legitimate domain - ‘mailman.cbddmo.ru’. This helped the email bypass authentication checks. At the time of writing Armorblox researchers are not able to confirm how the attacker(s) was able to send emails from this domain.

Replicating existing workflows: The context for the email attack replicates workflows that already exist in our daily work lives (getting email notifications of a voicemail). When we see emails we’ve already seen before, our brains tend to employ System 1 thinking and take quick action. The email content even had every victim’s first name filled in to increase the feeling of legitimacy and the chances of follow through.

Guidance and Recommendations

1. Augment native email security with additional controls

The email highlighted in this blog got past the security controls of Office 365, Google Workspace, Exchange, Cisco ESA, and others. For better protection coverage against email attacks (whether they’re spear phishing, business email compromise, or credential phishing attacks like this one), organizations should augment built-in email security with layers that take a materially different approach to threat detection. Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2021, and should be a good starting point for your evaluation.

2. Watch out for social engineering cues

Since we get so many emails from service providers, our brains have been trained to quickly execute on their requested actions. It’s much easier said than done, but engage with these emails in a rational and methodical manner whenever possible. Subject the email to an eye test that includes inspecting the sender name, sender email address, language within the email, and any logical inconsistencies within the email (e.g. Why is a WhatsApp link leading to an HTML download? Why is the sender email domain from a third-party organization?).

3. Follow multi-factor authentication and password management best practices

If you haven’t already, implement these hygiene best practices to minimize the impact of your credentials being leaked:

  1. Deploy multi-factor authentication (MFA) on all possible business and personal accounts.
  2. Don’t use the same password on multiple sites/accounts.
  3. Use a password management software like LastPass or 1password to store your account passwords.

Learn how Armorblox protects your organization from phishing attacks.

Take Product Tour

Read This Next