
Iranian cybercriminals are targeting WhatsApp users in spear phishing campaign

An Iranian state-sponsored group linked to Iran's Islamic Revolutionary Guard Corps (IRGC) is making headlines again this season, as Meta disclosed that the group targeted WhatsApp users in Israel, Palestine, Iran, the UK, and the US.

Other names for this group (depending on the vendor) are APT42, Storm-2035, Charming Kitten, Damselfly, Mint Sandstorm, TA453, and Yellow Garuda.

Earlier, the group was linked to disinformation campaigns around the US elections in a Microsoft threat report and in Google research findings, and again when OpenAI banned accounts linked to an Iranian influence operation.

It is no surprise that nations like Iran have an interest in influencing elections in the US, and the targets in this campaign also included staff members of President Joe Biden and former President Donald Trump.

Meta blocked a small cluster of WhatsApp accounts posing as support agents for tech companies. These accounts used social engineering against political and diplomatic officials, and other public figures. This type of attack is called spear phishing, because it involves highly targeted phishing attempts aimed at specific individuals rather than mass mailings.

The fake accounts linked to the Iranian group posed as technical support for AOL, Google, Yahoo, and Microsoft.

The APT in APT42 stands for advanced persistent threat, which signifies a prolonged, targeted attack on a specific victim with the intention of compromising their systems and gathering information from or about that victim.

This is exactly the kind of group you will see involved in spear phishing attacks. Such attacks target individuals to collect information about them, manipulate them into revealing information about their work, or compromise their devices and accounts so the attackers can spy on them.

There is no evidence that the group managed to compromise any accounts. Meta credited the targets who reported the suspicious messages through WhatsApp's in-app reporting tools, which allowed WhatsApp to investigate and disrupt the campaign.

Phishers often pose as technical support because people tend to trust a "support agent" with information if they happen to be a customer of the company that the agent claims to represent. Keep in mind that real support staff do not need your password or a one-time verification code, and will not contact you out of the blue on WhatsApp to ask for them.

WhatsApp users should remain on the lookout for unsolicited contacts and messages.

  • If a message looks suspicious, arrives unsolicited, or sounds too good to be true, don't tap, share, or forward it. Don't become part of a misinformation campaign.
  • Always inspect links and attached files thoroughly before opening them. If the message appears to come from someone you know, confirm through another channel (a phone call, or a different messaging app) that they actually sent it and what it is for.
  • Do not engage in conversations when you are not sure who the sender is. Even the fact that you respond tells them this is a way to reach you and may lead to further attempts. Report the account using WhatsApp's in-app reporting tools instead.

We don’t just report on threats – we help protect your social media

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.