It’s been quite the year so far when it comes to novel phishing threats, as cybercriminals, hackers and fraudsters look to compromise a myriad of accounts: from the use of hidden images in email, to a perpetual hacking attack targeting Google Ads users, and even a phish-free phishing attack taking aim at PayPal users. Now WhatsApp’s users are in the threat spotlight, as both Microsoft and Malwarebytes warn of a WhatsApp broken link threat being exploited in the wild. Here’s what you need to know.
The Star Blizzard Broken Link WhatsApp Attack Warning
A Russian hacking group known as Star Blizzard has been observed targeting WhatsApp accounts for compromise, according to a Jan. 16 report published by Microsoft Threat Intelligence. This represents a change in tactics for the threat actor, Microsoft said, with it being “the first time we have identified a shift in Star Blizzard’s longstanding tactics, techniques, and procedures to leverage a new access vector.” This, in and of itself, would be something to worry about. But then you have to throw the fact of how Star Blizzard is targeting WhatsApp users into the mix: a novel broken-link QR code attack.
The phishing emails, sent to high-value victims, contain QR codes supposedly directing the users to a WhatsApp group they have been invited to join. But unlike most phishing lures, these QR codes will neither deliver the victim to a malicious website nor join them to the intended WhatsApp group, Pieter Arntz, a malware intelligence researcher at Malwarebytes, said. “In reality, the link in the QR code is intentionally broken,” Arntz explained in a Jan. 17 Malwarebytes intelligence posting, “the idea is that the target will respond with a remark about the broken link.” This then provides the Star Blizzard hackers with the opportunity to send another link, obscured using link-shortening services, to a site that contains another QR code. Fall for scanning that code, and the target unwittingly adds another device to their WhatsApp account: a device under the control of the attackers.
Mitigating Broken Link WhatsApp Account Compromise Attacks
First and foremost, it would appear that the original Star Blizzard attack campaign, as observed by Microsoft, “appeared to have terminated at the end of November.” This is the good news. The bad news is that doesn’t mean it won’t restart or other threat actors won’t adopt the same tactics, potentially aimed at a much broader audience of WhatsApp users. While the mitigations that Microsoft Threat Intelligence recommends are all geared towards its own users, the Malwarebytes report offers advice for a broader audience:
- Always hover over links before clicking them.
- When you find a shortened URL, think about the possible reason for shortening. Was there a real need to do this or is it just meant to hide the destination? When still in doubt, unshorten the URL.
- When following instructions on a website, scrutinize whether the prompts on your device actually match the expected ones. WhatsApp will double-check whether you want to add a device to the account.
- Double-check whether the sender is who they claim to be through another method of contact.
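The second piece of advice above, unshortening a URL before trusting it, can be done without opening the destination in a browser: issue HEAD requests, record each redirect hop yourself instead of letting the client follow them silently, and report where the chain ends and whether it is intact or broken. The script below is an added illustration and is not code from Malwarebytes or Microsoft. It uses only the Python standard library; the shortener host list, the `.invalid` hostnames and the canned responses in `CONSTRUCTED_RESPONSES` are constructed for the offline demonstration, and a real lookup happens only when `unshorten()` is called with its default `head_fetch`.

```python
"""Resolve a shortened link's redirect chain with HEAD requests, one hop at a time.

Added example: follows redirects manually so every hop is recorded, caps the hop
count, detects redirect loops, and classifies the final response so a broken
(4xx/5xx) destination, like the lure in the Star Blizzard campaign, is reported
rather than silently trusted.
"""
from __future__ import annotations

import http.client
import urllib.parse
from dataclasses import dataclass
from typing import Callable, Optional

# Illustrative list of link-shortening hosts (an assumption, extend as needed).
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}

# A fetch function returns (HTTP status code, Location header or None) for one URL.
Fetcher = Callable[[str], tuple[int, Optional[str]]]


@dataclass
class ResolveResult:
    chain: list[str]          # every URL visited, in order
    final_url: Optional[str]  # last URL reached, or None if resolution failed
    status: str               # "ok", "broken", "loop", "too_many_hops" or "error"
    used_shortener: bool      # whether the starting URL was on a known shortener


def host_of(url: str) -> str:
    return (urllib.parse.urlsplit(url).hostname or "").lower()


def head_fetch(url: str, timeout: float = 5.0) -> tuple[int, Optional[str]]:
    """Issue a single HEAD request; deliberately does NOT follow redirects."""
    parts = urllib.parse.urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def unshorten(url: str, fetch: Fetcher = head_fetch, max_hops: int = 10) -> ResolveResult:
    """Walk the redirect chain starting at `url` and classify where it ends."""
    chain = [url]
    seen = {url}
    shortener = host_of(url) in KNOWN_SHORTENERS
    current = url
    for _ in range(max_hops):
        try:
            status, location = fetch(current)
        except OSError:
            # DNS failure, refused connection, timeout: the link cannot be resolved.
            return ResolveResult(chain, None, "error", shortener)
        if 300 <= status < 400 and location:
            # Resolve relative Location headers against the current URL.
            nxt = urllib.parse.urljoin(current, location)
            if nxt in seen:
                return ResolveResult(chain + [nxt], None, "loop", shortener)
            chain.append(nxt)
            seen.add(nxt)
            current = nxt
            continue
        # Not a redirect: classify the terminal response.
        final_status = "ok" if status < 400 else "broken"
        return ResolveResult(chain, current, final_status, shortener)
    return ResolveResult(chain, None, "too_many_hops", shortener)


# Constructed responses so the resolver can be exercised offline (not real hosts).
CONSTRUCTED_RESPONSES: dict[str, tuple[int, Optional[str]]] = {
    "https://bit.ly/abc": (301, "https://example.invalid/step"),
    "https://example.invalid/step": (302, "/final?x=1"),       # relative Location
    "https://example.invalid/final?x=1": (200, None),
    "https://bit.ly/dead": (404, None),                        # a "broken" lure
    "https://loop.invalid/a": (302, "https://loop.invalid/b"),
    "https://loop.invalid/b": (302, "https://loop.invalid/a"),
}


def constructed_fetch(url: str) -> tuple[int, Optional[str]]:
    """Offline stand-in for head_fetch that serves the constructed responses."""
    if url not in CONSTRUCTED_RESPONSES:
        raise OSError("no route to host (constructed)")
    return CONSTRUCTED_RESPONSES[url]


if __name__ == "__main__":
    for start in ("https://bit.ly/abc", "https://bit.ly/dead",
                  "https://loop.invalid/a", "https://nowhere.invalid/"):
        r = unshorten(start, fetch=constructed_fetch)
        print(f"{start}\n  status={r.status} shortener={r.used_shortener}"
              f"\n  chain={' -> '.join(r.chain)}")
```

Replace `constructed_fetch` with the default `head_fetch` to resolve a real link; the resolver still never downloads the final page body, and a `broken` or `loop` result for a link that arrived unexpectedly is a reason to verify the sender through another channel, as the last point in the list says.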
I have reached out to Meta/WhatsApp for a statement.