[REVIEW] : Phishing: Attention, an attack targets WhatsApp users

Trojan horse

By clicking on this button, however, the victim is redirected to a website that obviously has nothing to do with WhatsApp. Once on this website, the victim is asked to click on “Allow” in order to verify that they are not a robot. By clicking on this button, the victim authorizes the installation of a Trojan horse. The malware has the ability to identify accounts stored in browsers and on hard drives or the credentials of cryptocurrency wallets.

With this phishing campaign, hackers can therefore obtain cryptocurrencies but also passwords or credit card numbers. The victim will also allow advertisements to appear in the browser, relating to scams, adult sites and malware. This quickly generates income for the scammers.

To thwart spam filters, the hackers used an email address from the Center for Traffic Safety of the Moscow region, which was hacked.

Don’t get tricked by this phishing campaign that targets WhatsApp users

If you use WhatsApp, you probably already know that Meta’s messaging service recently announced an update to its app to improve the user experience when it comes to voice messages. This is a significant improvement (or rather a series of improvements) for anyone using this feature.

An email address that would pass certain security checks

The attack is a fairly classic phishing attack. This is an email in which the hackers impersonate WhatsApp and announce to the user that they have received a new voicemail message. The mail also includes a play button.

When the victim presses this button, they are redirected to a site that tries to trick them into allowing browser notifications from that website. These notifications are then used to push various content, such as scams, adult content, or malware.

Normally, such emails are easily detected by anti-phishing mailbox systems. But what makes this campaign special, besides the fact that it apparently benefits from the launch of something new on WhatsApp, is that it uses a seemingly legitimate email address that spam filters will tend to miss.

“The domain of the e-mail sender was ‘mailman.cbddmo.ru’. Our team’s research suggests that the e-mail domain is associated with the page “center for traffic safety of the Moscow region”. According to the website, this organization was created to provide assistance to state road safety operations in Moscow and belongs to the Ministry of Internal Affairs of the Russian Federation”. “It is possible that the attackers leveraged an outdated or older version of this organization’s parent domain to send the malicious emails. The email passed all authentication checks (SPF, DMARC).”

Don’t be fooled by these scam emails

However, if you are vigilant enough, you should not be fooled by this campaign. This is because the email address, although it passes certain security checks, has no connection to WhatsApp or Meta. Moreover, if you have been using WhatsApp for a long time, you probably already know that the messaging service does not send emails to users when a new message is received.
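Passing SPF and DMARC only proves that the mail really came from the sending domain, not that the domain belongs to the brand named in the message. The sketch below is an added example, not part of the original article, showing how a mail filter could flag that mismatch; the sample message, display name, subject and the allowlist of brand domains are constructed assumptions, and only the sender domain comes from the article.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: allowlist of domains each protected brand really sends from.
BRAND_DOMAINS = {"whatsapp": {"whatsapp.com", "meta.com", "facebook.com"}}

# Constructed sample; only the sender domain is taken from the article.
SAMPLE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mailman.cbddmo.ru; dmarc=pass header.from=mailman.cbddmo.ru
From: "WhatsApp Notifier" <noreply@mailman.cbddmo.ru>
To: user@example.net
Subject: New voice message

You have received a new voice message. [Play]
"""

def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    found = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            found[method.lower()] = verdict.lower()
    return found

def belongs_to(domain, allowed):
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def assess(raw):
    """Flag mail that names a brand but is sent from an unrelated domain."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    claimed = f"{display} {msg.get('Subject', '')}".lower()
    spoofed = [b for b, ok in BRAND_DOMAINS.items()
               if b in claimed and not belongs_to(domain, ok)]
    auth = auth_results(msg)
    return {
        "from_domain": domain,
        # SPF/DMARC pass only proves the mail came from from_domain.
        "authenticated": auth.get("spf") == "pass" and auth.get("dmarc") == "pass",
        "impersonated": spoofed,
        "suspicious": bool(spoofed),
    }

if __name__ == "__main__":
    print(assess(SAMPLE))
```

The message is reported as both authenticated and suspicious, which is exactly the combination this campaign relies on.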



For a few days now, a brand new scam has been plaguing WhatsApp. Security researchers have highlighted a well-conducted phishing campaign that is able to win the confidence of the victim, who nevertheless risks having bank details stolen, and possibly cryptocurrencies as well.

The principle is simple: you receive an email that claims to come from WhatsApp. It indicates that you have received a voice message, and offers to let you listen to it directly from your web browser, without going through the application, by simply clicking on a “Play” button. Obviously, this is a trap, which is sprung as soon as the play button is clicked.

Concretely, clicking on “Play” takes the victim to a website, which asks for a mysterious “Authorization” in order to verify that the visitor is a real person (and not a robot) before finally being able to listen to this enigmatic voice message. In doing so, the victim unwittingly authorizes the installation of a Trojan horse, which immediately identifies the various stored accounts, as well as the credentials of cryptocurrency wallets. This sensitive data is immediately sent back to the perpetrators of the scam.

On top of this, many advertisements of all kinds will appear within the web browser, generating some precious dollars that fall directly into the pockets of the hackers. So be wary if you receive a voice message in the next few days.