Thanks to the Threat Intelligenceteam for their help with this article.
Security researchers from Armorblox, a cybersecurity company specializing in email-based threats, have encountereda fake WhatsApp email with the subject “New Incoming Voicemessage.”
The sender is “Whatsapp Notifier,” a spoofed name, and an email address using a legitimate domain belonging to a Russian road safety organization, to sneak through mail filters.
Recipients are encouraged to click a “Play” button and listen to their voicemail. That doesn’t happen, though—clicking “Play” directs recipients to a page where Aromorblox found an obfuscated, malicious JavaScript that redirected users to another page. The second page included an exploit, triggered when users responded to an Allow/Block prompt.
Prompts like this are also used by malvertiserswhen they want to push ads in front of users.
Ads can include (but are not limited to) scam sites, portals for unwanted browser extensions (PUPs), and even malware. The ads vary depending on a user’s device and location.
When we clicked the “Allow” button during our own testing, we were signed up to receive notifications from bingocaptchapoint.top.
The domain we had agreed to receive notifications from then used its priveleged position to redirect us to a page with a bogus offer.
Ten seconds after subscribing we hit our first ad: A Google Chrome “search contest”. And will you look at that?—we won!
This is one of many WhatsApp voicemail message scams. Another variant, detailed by Scam Detector, tricks Android users into downloading a payload called “Browser 6.5” which signs them up to receive text messages from premium rate phone numbers, for example.
What to do?
If you’re a WhatsApp user, remain vigilant and stay up to date with changes to WhatsApp’s services, so you know how they work. (For example, WhatsApp recently announced six changesto its voice message service.)
Check what you are approving before clicking “Allow” on browser prompts, and use a security tool that can block malicious sites and scripts.
And if you sign up for notifications from a site by accident you can remove it in Google Chrome by following these steps: Open Settings, click Privacy and Security, click Site Settings, click Notifications, scroll to Allowed to send notifications. Click the “three dots” icon next to the site you want to remove and click Remove.
If you believe you have fallen victim to this scam—or any other—at work, report the incident to your IT or security team.
Stay safe!
