Attackers Spoof WhatsApp Voice-Message Alerts to Steal Info!

Threat actors target Office 365 & Google Workspace in a new campaign, which uses a legitimate domain associated with a road-safety centre in Moscow to send messages.

Attackers are spoofing voice message notifications from WhatsApp in a malicious phishing campaign that uses a legitimate domain to spread an info-stealing malware, researchers have found.

Researchers at cloud email security firm Armorblox discovered the malicious campaign targeting Office 365 & Google Workspace accounts using emails sent from a domain associated with the Centre for Road Safety, a body believed to be based in the Moscow, Russia region.

Russian Federation

The site itself is legitimate, as it’s connected to the State Road Safety operations for Moscow and belongs to the Ministry of Internal Affairs of the Russian Federation, according to a blog post published Tuesday.

As yet, attackers have reached about 27,660 mailboxes with the campaign, which spoofs WhatsApp by informing victims they have a “new private voicemail” from the chat app & includes a link purporting to allow them to play it, researchers revealed. Targeted organisations include healthcare, education & retail, researchers stated.

Social Engineering

The attack “employs various techniques to get past traditional email security filters & pass the eye tests of unsuspecting victims,” Armorblox Product Marketing Manager Lauryn Cash wrote.

Those tactics include social engineering by gaining trust & urgency in the emails sent to victims; brand impersonation by spoofing WhatsApp; the exploitation of a legitimate domain from which to send the emails; & the replication of existing workflows, i.e. getting an email notification of a voice message, Cash explained.

How It Works

Potential victims of the campaign receive an email with the title “New Incoming Voice message” that includes a header in the email body reiterating this title. The email body spoofs a secure message from WhatsApp and tells the victim that he or she has received a new private voicemail, including a “Play” button so they allegedly can listen to the message.

The domain of the email sender was “mailman.cbddmo.ru,” which Armorblox researchers linked to the Centre for Road Safety of the Moscow Region page–a legitimate site, which allows the emails to get past both Microsoft’s & Google’s authentication checks, they explained.

However, it is possible that attackers exploited a deprecated or previous version of this organisation’s parent domain to send the malicious emails, they stated.

Trojan Horse

If the recipient clicks the email’s “Play” link, he or she is redirected to a page that attempts to install a trojan horse, JS/Kryptik–malicious JavaScript code hidden in HTML pages that redirects the browser to a malicious URL and implements a specific exploit, according to the post.

Once the target lands on the malicious page, a prompt asks for confirmation that the victim is not a robot. Then, if the victim clicks “allow” on the popup notification in the URL, a browser ad service can install the malicious payload as a Windows application, allowing it to bypass User Account Control.

“Once the malware was installed … it can steal sensitive information like credentials that are stored within the browser,” Cash wrote.

Corporate Networks

While the campaign appears to be focused on consumers rather than businesses, it could be a threat to corporate networks if victims take the bait & the malware is installed, one security professional noted.

“The complexity & sophistication of the techniques make it very hard for the average consumer to detect a malicious attempt,” Purandar Das, CEO & co-founder at Sotero, an encryption-based data security solutions company, wrote. “You could potentially see a path where they are able to collect business information once the malware is deployed and active.”

Targeting Consumers

“Targeting consumers is a successful path for cyber-criminals, as people seem to let their guard down more with electronic communication than real-life communication,” noted another security professional. “The average person often falls for online frauds if they are familiar with the social-media platform claiming to be the message sender,” James McQuiggan, security awareness advocate at security firm KnowBe4, wrote.

“When they see it, most people will recognise someone trying to scam them in real life,” he outlined, citing the example of a New York City street merchant trying to sell a passer-by a fake brand-name watch or handbag. “Most people will know they are fake & carry on walking,” McQuiggan observed.

Social Media

However, many people might not recognise that an email claiming to have a voicemail from a popular messaging app or another social media platform is a scam, & go along with it, he explained.

“Users are too accepting of emails,” McQuiggan claimed. “There needs to be more education for everyone, not just within organisations, to spot electronic social engineering or scams, so it is apparent like someone who is trying to sell a fake watch or handbag on the street.”
