• caglararli@hotmail.com
  • 05386281520

Watch out for fake WhatsApp “New Incoming Voicemessage” emails

Watch out for fake WhatsApp “New Incoming Voicemessage” emails

Thanks to the Threat Intelligence team for their help with this article.

Security researchers from Armorblox, a cybersecurity company specializing in email-based threats, have encountered a fake WhatsApp email with the subject “New Incoming Voicemessage.”

The spoofed WhatsApp voicemail notification email. (Source: Armorblox)

The sender is “Whatsapp Notifier,” a spoofed name, and an email address using a legitimate domain belonging to a Russian road safety organization, to sneak through mail filters.

Recipients are encouraged to click a “Play” button and listen to their voicemail. That doesn’t happen, though—clicking “Play” directs recipients to a page where Aromorblox found an obfuscated, malicious JavaScript that redirected users to another page. The second page included an exploit, triggered when users responded to an Allow/Block prompt.

Prompts like this are also used by malvertisers when they want to push ads in front of users.

A malvertisers’ Allow/Block prompt

Ads can include (but are not limited to) scam sites, portals for unwanted browser extensions (PUPs), and even malware. The ads vary depending on a user’s device and location.

When we clicked the “Allow” button during our own testing, we were signed up to receive notifications from bingocaptchapoint.top.

Malvertisers sign a browser up for notifications

The domain we had agreed to receive notifications from then used its priveleged position to redirect us to a page with a bogus offer.

Malvertising seen through Fiddler
Malvertising using a domain with permission to trigger browser notifications to redirect a user

Ten seconds after subscribing we hit our first ad: A Google Chrome “search contest”. And will you look at that?—we won!

Fake Chrome search contest
The malvertiser’s fake “Chrome search contest”

This is one of many WhatsApp voicemail message scams. Another variant, detailed by Scam Detector, tricks Android users into downloading a payload called “Browser 6.5” which signs then up to receive text messages from premium rate phone numbers, for example.

What to do?

If you’re a WhatsApp user, remain vigilant and stay up to date with changes to WhatsApp’s services, so you know how they work. (For example, WhatsApp recently announced six changes to its voice message service.)

Check what you are approving before clicking “Allow” on browser prompts, and use a security tool that can block malicious sites and scripts.

and if you sign up for notifications from a site by accident you can remove it in Google Chrome by following these steps: Open Settings, click Privacy and Security, click Site Settings, click Notifications, scroll to Allowed to send notifications. Click the “three dots” icon next to the site you want to remove and click Remove.

If you believe you have fallen victim to this scam—or any other—at work, report the incident to your IT or security team.

Stay safe!

The post Watch out for fake WhatsApp “New Incoming Voicemessage” emails appeared first on Malwarebytes Labs.