Have you received a random invitation to join a WhatsApp group? Be careful. State-sponsored Russian hackers are using them to trick users into handing over access to their WhatsApp accounts.
The Russian hacking group Callisto, also known as Star Blizzard, was seen using this tactic in November, according to a new report from Microsoft. Callisto, which the US has linked to Russia’s Federal Security Service (FSB), has been known to use phishing emails to gain access to victims’ online accounts. In the past, this has involved impersonating political or diplomatic figures, building trust, and then sending a phishing email that directs the recipient to a hacker-controlled website that can steal passwords.
According to Microsoft, the group has since focused on trying to break into WhatsApp accounts, possibly because the FBI has been cracking down on Callisto’s previous hacking activities.
The invitations arrive in emails impersonating US government officials. The apparent purpose has been to target users close to Ukraine’s ongoing war with Russia.
“The initial email sent to targets contains a quick response (QR) code that claims to direct users to join a WhatsApp group for ‘the latest non-governmental initiatives aimed at supporting Ukrainian NGOs,’” says Microsoft. However, the initial QR code is intentionally garbled, likely to force the target to respond.
If the recipient replies, Callisto will send a second email containing a link that will take the user to a page dressed up to look like an official WhatsApp page. The same page will display a QR code and ask the user to scan it using WhatsApp on their phone.
Users may assume that doing this will simply enable them to join the WhatsApp group. But in reality, scanning the QR code opens a path for the hacker to access their WhatsApp account because the QR code is part of an official feature for WhatsApp Web, which allows you to remotely connect your account to a PC.
“This means that if the target follows the instructions on this page, the threat actor could gain access to the messages in their WhatsApp account and have the ability to exploit this data using existing browser plugins,” Microsoft added.
The good news is that Callisto has since ended its campaign targeting WhatsApp, according to Microsoft. However, the research shows how Russian spies remain persistent in their efforts to deceive potential targets. In the case of Callisto, the group has targeted prominent government organizations, think tanks, journalists and politicians.
Meanwhile, Meta-owned WhatsApp said it is important for users to be careful about its WhatsApp Web feature for connecting devices.
“If you want to link your WhatsApp account to a companion device, you should only do so by going to officially supported WhatsApp services – and not through third-party websites. And no matter which service you’re on, you should only click on links from people you know and trust,” a WhatsApp spokesperson told PCMag.
The app has also published a support document for the feature, which notes that users can see which devices are connected to their WhatsApp account and log out remotely.