It’s been quite a year so far for new phishing threats, as cybercriminals, hackers and fraudsters look to compromise a host of accounts: hidden images in emails, a persistent hacking attack targeting Google Ads users and even a non-phishing phishing attack targeting PayPal users. Now WhatsApp users are in the threat spotlight, as Microsoft and Malwarebytes warn of a broken-link WhatsApp attack being exploited in the wild. Here’s what you need to know.
Star Blizzard Broken Link WhatsApp Attack Warning
A Russian hacker group known as Star Blizzard has been spotted targeting WhatsApp accounts for compromise, according to a January 16 report published by Microsoft Threat Intelligence. This represents a change in tactics for the threat actor, Microsoft said, being “the first time we have identified a change in Star Blizzard’s legacy tactics, techniques and procedures to exploit a new access vector.” That, in itself, would be something to worry about. Add the fact that the new access vector is WhatsApp, reached through a QR code attack built on deliberately broken links, and there is even more cause for concern.
The phishing emails, sent to high-value targets, contain QR codes that purportedly direct users to a WhatsApp group they’ve been invited to join. But unlike most phishing lures, these QR codes won’t send the victim to a malicious website or join them to the target WhatsApp group, said Pieter Arntz, a malware intelligence researcher at Malwarebytes. “In reality, the link in the QR code is intentionally broken,” Arntz explained in a Jan. 17 Malwarebytes intelligence post, “the idea being that the target will respond with a broken link warning.” That reply gives the Star Blizzard hackers the opening to send another link, obfuscated using a link-shortening service, to a site containing a second QR code. All it takes is scanning that code, and the target unwittingly links another device to their WhatsApp account: a device under the control of the attackers.
Mitigating Broken Link WhatsApp Account Compromise Attacks
First and foremost, the original Star Blizzard attack campaign, as Microsoft noted, “appears to have ended in late November.” This is the good news. The bad news is that this doesn’t mean it won’t happen again, or that other threat actors won’t adopt the same tactics, potentially targeting a much wider audience of WhatsApp users. While the mitigations that Microsoft Threat Intelligence recommends are all aimed at its own users, the Malwarebytes report offers advice for a wider audience:
- Always hover over links before clicking them.
- When you find a shortened URL, think about the possible reason for the shortening. Was there really a need to do this or is it just meant to hide the destination? When still in doubt, cancel the URL.
- When following the instructions on a website, check whether the requirements on your device match those expected. WhatsApp will double check if you want to add a device to the account.
- Double check that the sender is who they claim to be via another contact method.
I have reached out to Meta/WhatsApp for a statement.