Attackers Spoof WhatsApp Voice-Message Alerts to Steal Info

Cybercrime has been a challenge for decades. As the amount of information shared worldwide grows, so do the approaches cybercriminals use to steal customer information and exfiltrate it. In the campaign described here, cybercriminals targeted Google Workspace and Office 365 users with emails, sent from a legitimate domain, that impersonated WhatsApp voice-message notifications.

Recently, researchers at Armorblox discovered a malicious email campaign targeting Google Workspace and Office 365 accounts. Armorblox found that the attackers were sending the emails from a legitimate domain: one belonging to the Center for Road Safety of the Moscow Region, a Russian organisation connected to the Ministry of Internal Affairs of the Russian Federation. The emails carried the subject 'New Incoming Voice Message', and a header in the body repeated that title. The body contained a spoofed WhatsApp notification with a link that supposedly let the victim play the message.

Techniques Used to Launch the Attacks

The criminals combined several techniques to get past email security filters and the victims' own judgement: brand impersonation, social engineering, a vishing-style lure, and a drive-by download.

Vishing (voice phishing) is a technique in which the attacker uses a phone call or voice message, purporting to come from a reputable company, to trick victims into giving out personal information such as credit-card and bank details; in this campaign the lure was a fake voice-message notification rather than a real call. Social engineering is psychological manipulation that prompts unsuspecting victims to reveal personal or confidential information, or to take an action such as clicking a link, which the criminals then exploit. A drive-by download delivers malware to a victim who merely visits a web page, without the victim knowingly downloading anything; here, clicking the 'play' link led to a page that attempted to run malicious code in the browser.

How it Works

According to Armorblox, the campaign reached more than 27,000 mailboxes. The emails first establish trust by mimicking a familiar brand and then create a sense of urgency. The victim receives an email titled 'New Incoming Voice Message'; the body opens with a header repeating that title and then spoofs a WhatsApp notification convincingly enough to pass as genuine. It includes a 'Play' button that purports to let the user listen to the message. The email passed sender authentication checks because it really was sent from a legitimate domain: SPF and similar checks verify that a domain sent a message, not that the domain is who the message claims to be, so sender authentication alone did not stop it.

Once the victim clicks the play link, they are redirected to a page that attempts to install JS/Kryptik, a family of obfuscated malicious JavaScript that attackers embed in HTML pages and that redirects the browser to a further malicious URL serving an exploit or payload.

On that page the victim is asked to confirm that they are not a robot by clicking 'Allow' in a popup. This 'not a robot' check is a common trick in which the browser's own permission prompt is presented as a verification step. According to Armorblox, victims who click 'Allow' enable the attacker to install the malware as a Windows application, bypassing Microsoft User Account Control and the protections of the email platforms. Once installed, the malware can steal credentials and other personal data stored in the web browser.
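The email stage of the chain described above is the one a mail gateway can catch even when SPF passes. The following script is an added example for this article, not Armorblox's detection logic or the attackers' code: it parses a message, checks whether a protected brand is named while the sender domain is not one of that brand's, whether the subject uses the voice-message wording, and whether links (the 'Play' button) lead off the sender's domain, and it treats a passing SPF result as no excuse. The brand-domain list and both sample messages are constructed for illustration; the sender domains and links in them are placeholders, not real indicators.

```python
"""Flag brand-impersonation emails such as the WhatsApp voice-message lure.

Added example for this article, not Armorblox's detection logic and not the
attacker's code. The two messages below are constructed for illustration; the
sender domains and links in them are placeholders, not real indicators.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands worth protecting and the sender domains they legitimately use.
# Assumption for this example; a real deployment would maintain a fuller list.
BRAND_DOMAINS = {
    "whatsapp": {"whatsapp.com", "whatsapp.net", "facebookmail.com"},
}

# Subject wording from this campaign plus generic voice-message lures.
LURE_SUBJECT = re.compile(r"new incoming voice message|voice ?mail|missed call", re.I)

# Constructed lure: brand name in the display name and body, an unrelated
# sender domain that passes SPF, and a "Play" link to yet another domain.
SAMPLE_LURE = """\
From: WhatsApp Notifier <noreply@road-safety.example>
To: victim@corp.example
Subject: New Incoming Voice Message
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=road-safety.example
Content-Type: text/html; charset=utf-8

<html><body>
<h2>New Incoming Voice Message</h2>
<p>WhatsApp: you have a new voice message (0:21).</p>
<a href="https://player.cdn-host.example/play?id=1">Play</a>
</body></html>
"""

# Constructed benign message from the brand's own domain, linking to itself.
SAMPLE_BENIGN = """\
From: WhatsApp <no-reply@whatsapp.com>
To: victim@corp.example
Subject: Your account settings were updated
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=whatsapp.com
Content-Type: text/html; charset=utf-8

<html><body><p>Review the change at <a href="https://www.whatsapp.com/">WhatsApp</a>.</p></body></html>
"""


def registered_domain(host):
    """Crude eTLD+1 (last two labels); enough here, use a public-suffix library in production."""
    parts = (host or "").lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else ""


def extract_links(html):
    """Pull absolute http(s) URLs out of href attributes."""
    return re.findall(r"""href=["']?(https?://[^"'\s>]+)""", html, re.I)


def analyze(raw):
    """Return a list of findings for one raw RFC 5322 message; empty means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = registered_domain(addr.rpartition("@")[2])
    subject = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    visible_text = " ".join([display, subject, re.sub(r"<[^>]+>", " ", html)]).lower()

    # Brand impersonation: the brand is named, but the sender is not the brand.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in visible_text and sender_domain not in domains:
            findings.append(f"names '{brand}' but sender domain is {sender_domain}")

    if LURE_SUBJECT.search(subject):
        findings.append("subject matches voice-message lure wording")

    # Links that leave the sender's own domain (the 'Play' button in this campaign).
    link_domains = {registered_domain(urlparse(u).hostname) for u in extract_links(html)}
    foreign = sorted(d for d in link_domains if d and d != sender_domain)
    if foreign:
        findings.append("links point off the sender domain: " + ", ".join(foreign))

    # SPF only proves the named domain sent the message, not that the domain is the brand.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if findings and "spf=pass" in auth:
        findings.append("SPF passed; authentication alone does not clear this message")
    return findings


if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, analyze(raw))
```

Run against the constructed lure, `analyze` returns four findings (brand named by a foreign sender, lure subject, off-domain link, and the SPF caveat); against the constructed benign message it returns none, because the brand's own domain is both the sender and the link target. The point of the last check is the one the campaign relied on: a message can be perfectly authenticated and still be a forgery of someone else.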

Attack Targets

The cybercriminals appear to target healthcare organisations, researchers, retailers, and educational institutions, but corporate networks and consumers are at risk too. The quality of the lure makes it hard for an average user to recognise the fraud, and once deployed and activated the malware can begin collecting business information immediately. Users who are unfamiliar with the messaging platforms being impersonated, or who do not recognise that an email claiming to carry a message from a popular brand can be a forgery, can easily fall for it.

Consumers of free streaming services are particularly exposed to malware through drive-by downloads. If an unsuspecting viewer clicks a suspicious link while looking for movies or series, there is a considerable likelihood of downloading malware, since roughly a third of illegal streaming websites are reported to serve it. A VPN does not stop you from downloading malware, but a VPN service such as CyberGhost can give you access to legitimate streaming services like Disney+, Netflix, and Amazon Prime, reducing the need to visit malware-laden pirate sites; CyberGhost VPN is also available for Samsung TV to help Samsung users bypass geo-restrictions. Beyond that, keep your operating system up to date to close newly discovered vulnerabilities, and review your logs periodically for signs of malware.

Although many internet users are becoming more aware of cyber threats, many still cannot recognise fake emails that could expose them to malware. Users therefore need to be taught how to spot socially engineered emails. The warning signs of this campaign are simple once named: a notification from a consumer messaging app arriving from an unrelated organisation's domain, a 'play' link that leads to a third-party site, and a web page that asks you to click 'Allow' to prove you are not a robot.