A phishing campaign which impersonates WhatsApp’s voice message feature has been spreading information-stealing malware.
The attack starts with an email claiming to be a notification from WhatsApp of a new private voice message. The email contains a creation date and clip duration for the supposed message, and a ‘Play’ button.
The identity ‘Whatsapp Notifier’ masks a real email address belonging to a Russian road safety organisation. As the address and organisation are real, the messages aren’t flagged as spam or blocked by email security tools. Armorblox, who discovered the scam, believe the Russian organisation is playing a role without realising.
The ‘Play’ button will take the email recipient to a website which then asks them to click ‘Allow’ in an allow/block prompt to ‘confirm you are not a robot’. Once ‘allow’ is clicked, the browser will prompt to install software that turns out to be information-stealing malware.
While there are numerous ‘tells’ that this is a scam, these attacks rely on people missing the signs - perhaps because they are waiting for urgent or exciting news that could well be delivered by a voice message.
The NCSC has published guidance on how to spot and report scams, including those delivered by email and messaging.
Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to email@example.com. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).