{"id":23263,"date":"2023-10-30T16:13:00","date_gmt":"2023-10-31T00:13:00","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2023\/10\/30\/news-16993\/"},"modified":"2023-10-30T16:13:00","modified_gmt":"2023-10-31T00:13:00","slug":"news-16993","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2023\/10\/30\/news-16993\/","title":{"rendered":"Hong Kong residents targeted in malvertising campaigns for WhatsApp, Telegram"},"content":{"rendered":"\n

Malvertising is a powerful malware or scam delivery mechanism that makes it easy to target specific geographies or even users. A recent article<\/a> from the South China Morning Post discussed an increase in malicious webpages for the popular WhatsApp communication tool, driven via malicious Google ads. The paper described how these ads appeared to be exclusively targeted at people from Hong Kong and have caused losses of about USD$300K last month.<\/p>\n

We started investigating this situation and were able to identify what may be a similar campaign. The decoy sites we saw used a similar page than the web version of WhatsApp to trick victims into scanning a QR code to link their new device. Instead, it wasn’t the user’s device that was added to the WhatsApp account, but rather the threat actor’s.<\/p>\n

We also found another campaign using an ad for messaging tool Telegram, to lure victims into downloading a malicious version of the program. Again, this attack was targeted at residents of Hong Kong.<\/p>\n

We have reported the malicious ads to Google and worked with partners to take down the infrastructure used in these campaigns.<\/p>\n

Malicious WhatsApp ad leads to QR code page<\/h2>\n

Just like the South China Morning Post stated that users were seeing malicious ads for WhatsApp, we were able to find one immediately after switching our online profile to use a Hong Kong IP address:<\/p>\n

\"\"<\/figure>\n

The text of the ad reads as follows (translated from Chinese):<\/p>\n

WhatsApp New Version – WhatsApp Official Authorization<\/em><\/p>\n

We are constantly updating and launching various fun and interesting functions as well as safe and reliable communication applications. Welcome to download and experience it. The cross-platform application brings you a reliable experience, and you can send private messages to your friends at any time.<\/em><\/p>\n

Clicking on the ad leads to a convincing lookalike site in Chinese that pretends to be WhatsApp Web:<\/p>\n

\"\"<\/figure>\n

What’s interesting, and works well as a lure, is the fact that WhatsApp is not just a mobile phone app, but does indeed have a web version for computers as well. The real domain for it is hosted at web.whatsapp.com<\/a> and also uses a QR code to add a linked device to your account. What this means is that you can use WhatsApp on your PC or Mac after you scan the QR code and authorize that new device from your phone.<\/p>\n

The issue here is that the QR code you are scanning is from a malicious site that has nothing to do with WhatsApp:<\/p>\n

\"\"<\/figure>\n

The domain used to generate those QR codes (lawrencework[.]com) was registered just two days ago. A search<\/a> on urlscan.io reveals that it is associated with several other fake WhatsApp pages. We tested the QR code by adding it from a burner phone with a brand new WhatsApp account without any previous linked devices. A few seconds later, we saw a new device was added (Google Chrome running on Mac OS):<\/p>\n

\"\"<\/figure>\n

While we could not get more information (IP address, geolocation) about this new device, we knew it was not ours. When you link a new device<\/a> to your WhatsApp account, the saved chat history is synced to it. This means that an attacker can essentially read your entire past and future conversations and has access to your saved contacts.<\/p>\n

\"\"<\/figure>\n