{"id":25691,"date":"2025-01-17T09:10:06","date_gmt":"2025-01-17T17:10:06","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2025\/01\/17\/news-19414\/"},"modified":"2025-01-17T09:10:06","modified_gmt":"2025-01-17T17:10:06","slug":"news-19414","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2025\/01\/17\/news-19414\/","title":{"rendered":"WhatsApp spear phishing campaign uses QR codes to add device"},"content":{"rendered":"\n

A cybercriminal campaign linked to Russia is deploying QR codes<\/a> to access the WhatsApp accounts of high-profile targets like journalists, members of think tanks, and employees of non-governmental organizations (NGOs), according to new details revealed by Microsoft<\/a>.<\/p>\n

The group, which Microsoft tracks by the name “Star Blizzard,” is also referred to as Coldriver by other researchers. Last year, the group created impersonation accounts where members posed as experts in a field that their targets might be interested in\u2014or that was somehow affiliated with the target. Once a relationship had been established, the target would receive a phishing link or a document that contained a phishing link.<\/p>\n

But over time, that tactic became widely known, and part of the cybercriminals’ infrastructure was taken down<\/a>. Now, it seems the group has changed tactics and is sending QR codes instead of malicious links to the targets that they have established an initial relationship with.<\/p>\n

These QR codes do not take the target to a malicious website, nor will they join them to the promised WhatsApp group on \u201cthe latest non-governmental initiatives aimed at supporting Ukraine NGOs,\u201d as is claimed in one of the cybercriminal lures. <\/p>\n

In reality, the link in the QR code is intentionally broken. The idea is that the target will respond with a remark about the broken link. When that happens the cybercriminals send out a shortened URL<\/a> to a website that displays another QR code.<\/p>\n

\"obfuscated
Screenshot courtesy of Microsoft<\/em><\/figcaption><\/figure>\n
\n

“I apologize for the inconvenience with the QR code. Kindly try this alternative link: US-Ukraine NGOs Group<\/a>
It should work without any issues.<\/p>\n<\/blockquote>\n

By scanning this QR code and following the instructions on the website they confirm the addition of an extra device to the WhatsApp account of the target. With that access the group can read the messages in their WhatsApp account and use existing browser plugins, particularly those designed for exporting WhatsApp messages from an account accessed via WhatsApp Web.<\/p>\n

How to stay safe<\/h2>\n

These spear phishing campaigns are highly targeted and you\u2019ll probably never see an invite to this group. But cybercriminals tend to copy ideas that work, so you may see them in another form.<\/p>\n

There are a few simple rules that will help you avoid this kind of phishing.<\/p>\n