A new phishing campaign doing the rounds reportedly impersonates an e-mail based WhatsApp notification and targets Microsoft Office 365 and Google Workspace enterprise users. The scam appears to use a legitimate domain belonging to a road safety division of Moscow, Russia, to bypass the usual e-mail security filters; once users click on the notification, they are redirected into downloading malware on to their Windows PCs.
The attack chains several tactics, starting with tricking users into believing that the e-mail has come from a legitimate source. Sending from the Russian road safety authority’s domain lets the scammers get their e-mails past enterprise security filters, which have become better at detecting dubious web addresses.
The notification uses legitimate-looking WhatsApp graphics to urge users to play a voice message. Clicking it redirects users to a page that asks them to verify their identity; that verification prompt is a disguised download button, which then loads the malware on to users’ devices.
The campaign was identified by cloud e-mail security provider Armorblox. According to the firm, the attackers have reached over 27,000 mailboxes, primarily in the healthcare, education and retail sectors. It is not clear what the success rate of the scam has been, whether the attackers are after specific targets, or whether any particular region is being targeted, but enterprise users are the clear target base.
Based on the analysis so far, the attack is a social engineering effort aimed at harvesting credit card details or other credentials from users’ PCs for financial and identity theft, which are now common occurrences. What is alarming here is the bypassing of e-mail security filters by using a legitimate URL, a tactic that could well become more common in bulk mail scams going forward.
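A defender-side check for the pattern described above (WhatsApp branding and a voicemail lure arriving from an unrelated but legitimate sending domain), written as an added example rather than anything from the article or from Armorblox. The sender domains, lure phrases and both sample messages are constructed assumptions; the `.invalid` domain stands in for the lookalike sender.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains WhatsApp is assumed to send mail from (assumption for this example).
WHATSAPP_DOMAINS = {"whatsapp.com", "whatsapp.net"}
# Lure phrases typical of voicemail-notification phishing (constructed list).
LURE = re.compile(r"voice\s*message|play\s*message|verify\s+your\s+identity", re.I)
LINK_HOST = re.compile(r"https?://([^/\s\"'>]+)")


def analyze(raw_email: str) -> dict:
    """Flag brand impersonation: WhatsApp branding on a non-WhatsApp sender."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    subject = msg.get("Subject", "")
    # Single-part text bodies only; multipart messages yield an empty body here.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    blob = f"{display} {subject} {body}"

    claims_whatsapp = "whatsapp" in blob.lower()
    hosts = [h.lower() for h in LINK_HOST.findall(body)]
    off_brand = [h for h in hosts if not any(h.endswith(d) for d in WHATSAPP_DOMAINS)]

    reasons = []
    if claims_whatsapp and domain not in WHATSAPP_DOMAINS:
        reasons.append(f"WhatsApp branding but sender domain is {domain!r}")
    if claims_whatsapp and off_brand:
        reasons.append(f"links point to non-WhatsApp hosts: {off_brand}")
    if LURE.search(f"{subject} {body}"):
        reasons.append("voicemail / identity-verification lure")
    # Two independent signals are required before raising an alert.
    return {"sender_domain": domain, "suspicious": len(reasons) >= 2, "reasons": reasons}


# Constructed sample: the lure pattern from the article on a non-WhatsApp sender.
SAMPLE_PHISH = """From: WhatsApp Notifier <noreply@example-roadsafety.invalid>
Subject: You have a new voice message
Content-Type: text/plain; charset=utf-8

You have 1 new voice message. Click Play to listen:
https://example-roadsafety.invalid/play?id=123
You will be asked to verify your identity first.
"""

# Constructed benign sample for comparison.
SAMPLE_BENIGN = """From: Alice <alice@example.com>
Subject: Minutes from today's meeting
Content-Type: text/plain; charset=utf-8

Attached are the minutes. Let me know if I missed anything.
"""
```

In a mail gateway this would run on the parsed message before delivery; the sender-domain allowlist is the piece to adapt to the brands your users actually receive notifications from.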