{"id":18702,"date":"2022-04-07T05:10:21","date_gmt":"2022-04-07T13:10:21","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/04\/07\/news-12435\/"},"modified":"2022-04-07T05:10:21","modified_gmt":"2022-04-07T13:10:21","slug":"news-12435","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/04\/07\/news-12435\/","title":{"rendered":"Watch out for fake WhatsApp “New Incoming Voicemessage” emails"},"content":{"rendered":"

Credit to Author: Jovi Umawing| Date: Thu, 07 Apr 2022 12:54:27 +0000<\/strong><\/p>\n

Thanks to the Threat Intelligence<\/a> team for their help with this article.<\/em><\/p>\n

Security researchers from Armorblox, a cybersecurity company specializing in email-based threats, have encountered<\/a> a fake WhatsApp email with the subject “New Incoming Voicemessage.”<\/p>\n

\n
\"\"
The spoofed WhatsApp voicemail notification email. (Source: Armorblox<\/a>)<\/figcaption><\/figure>\n<\/div>\n

The sender is “Whatsapp Notifier,” a spoofed name, and an email address using a legitimate domain belonging to a Russian road safety organization<\/a>, to sneak through mail filters.<\/p>\n

Recipients are encouraged to click a “Play” button and listen to their voicemail. That doesn’t happen, though\u2014clicking “Play” directs recipients to a page where Aromorblox found an obfuscated, malicious JavaScript that redirected users to another page. The second page included an exploit, triggered when users responded to an Allow\/Block prompt.<\/p>\n

Prompts like this are also used by malvertisers<\/a> when they want to push ads in front of users.<\/p>\n

\n
\"\"
A malvertisers’ Allow\/Block prompt<\/figcaption><\/figure>\n<\/div>\n

Ads can include (but are not limited to) scam sites, portals for unwanted browser extensions (PUPs<\/a>), and even malware. The ads vary depending on a user’s device and location.<\/p>\n

When we clicked the “Allow” button during our own testing, we were signed up to receive notifications from bingocaptchapoint.top<\/code>.<\/p>\n

\n
\"\"
Malvertisers sign a browser up for notifications <\/figcaption><\/figure>\n<\/div>\n

The domain we had agreed to receive notifications from then used its priveleged position to redirect us to a page with a bogus offer.<\/p>\n

\n
\"Malvertising
Malvertising using a domain with permission to trigger browser notifications to redirect a user<\/figcaption><\/figure>\n<\/div>\n

Ten seconds after subscribing we hit our first ad: A Google Chrome “search contest”. And will you look at that?\u2014we won! <\/p>\n

\n
\"Fake
The malvertiser’s fake “Chrome search contest”<\/figcaption><\/figure>\n<\/div>\n

This is one of many WhatsApp voicemail message scams. Another variant, detailed by Scam Detector<\/a>, tricks Android users into downloading a payload called “Browser 6.5” which signs then up to receive text messages from premium rate phone numbers, for example.<\/p>\n

What to do?<\/h2>\n

If you’re a WhatsApp user, remain vigilant and stay up to date with changes to WhatsApp’s services, so you know how they work. (For example, WhatsApp recently announced six changes<\/a> to its voice message service.)<\/p>\n

Check what you are approving before clicking “Allow” on browser prompts, and use a security tool that can block malicious sites and scripts<\/a>.<\/p>\n

and if you sign up for notifications from a site by accident you can remove it in Google Chrome by following these steps: Open Settings<\/strong>, click Privacy and Security<\/strong>, click Site Settings<\/strong>, click Notifications<\/strong>, scroll to Allowed to send notifications<\/strong>. Click the “three dots” icon next to the site you want to remove and click Remove<\/strong>.<\/p>\n

If you believe you have fallen victim to this scam\u2014or any other\u2014at work, report the incident to your IT or security team.<\/p>\n

Stay safe!<\/p>\n

The post Watch out for fake WhatsApp “New Incoming Voicemessage” emails<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n

https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Credit to Author: Jovi Umawing| Date: Thu, 07 Apr 2022 12:54:27 +0000<\/strong><\/p>\n

Scammers are using the popularity of messaging service WhatsApp to trick users into signing up for malvertising<\/p>\n

The post Watch out for fake WhatsApp “New Incoming Voicemessage” emails<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[25442,25615,25616,25617,10531,2130,251,25618,10510,10440],"class_list":["post-18702","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-armorblox","tag-fake-voicemail","tag-fake-voicemail-notification","tag-lauryn-cash","tag-malvertising","tag-pups","tag-russia","tag-scam-detector","tag-social-engineering","tag-whatsapp"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18702","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18702"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18702\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18702"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18702"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18702"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}