Microsoft has detailed how the Russian hacker group Star Blizzard targeted highly influential people, such as politicians, to steal their WhatsApp data, with activity continuing right up until the end of November. We all know we have to be on the lookout for malicious actors trying to trick us, but Star Blizzard came up with a fairly elaborate scheme to gain access to WhatsApp accounts.
In the attacks, Star Blizzard began by sending targets an email that impersonated a US government official to gain credibility. In an example shown by Microsoft, the first email doesn't include any malicious links; instead, it invites current or former government or diplomatic staff to join a group about the latest non-governmental initiatives supporting Ukraine.
After a brief explainer of the fictitious group, Star Blizzard invites the target to join using a fake QR code that doesn't lead anywhere. This is actually a hook in the phishing scam, designed to get a response from the target; it also tells the hackers that the target hasn't yet written the email off as an attack.
Once the target has replied to Star Blizzard saying that the QR code didn't work, Star Blizzard responds with another email containing a hyperlink to a website that impersonates a WhatsApp group-join page. At this point, the URL the target has been taken to should raise flags, if the target is paying attention: according to Microsoft, the now-taken-down webpage had a URL totally unrelated to WhatsApp.
The page claimed to give instructions on how to join the group, but actually provided instructions on how to link a device via a QR code. If the target didn't notice this and scanned the QR code, the hackers gained access to the target's WhatsApp data. Obviously, this attack yields very powerful results for Star Blizzard, who would have gained sensitive political information that could potentially affect US national security.
To prevent attacks like this, Microsoft says that if the email appears to come from someone you know, you should contact them at a known email address to ask whether they really sent the messages. It also helps to take your time, check things like URLs, and stop doing what is being asked of you if anything seems suspicious.
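As an added example (not Microsoft's or WhatsApp's code), here is a small Python heuristic that applies the checks above to the text of a message: it flags a message that talks about joining a WhatsApp group but links to a host other than WhatsApp's own invite host, or that tells the reader to link a device rather than join a group. The WhatsApp host list and the two sample messages are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Hosts a genuine WhatsApp group-invite link uses (assumption for this example).
WHATSAPP_HOSTS = {"chat.whatsapp.com", "whatsapp.com", "www.whatsapp.com"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")
MENTIONS_WHATSAPP = re.compile(r"whatsapp", re.IGNORECASE)
JOIN_GROUP = re.compile(r"join\b.*\bgroup", re.IGNORECASE | re.DOTALL)
# Wording that belongs to pairing a new device, not to joining a group.
DEVICE_LINKING = re.compile(r"link(?:ed)?\s+devices?|scan\b.*\bqr",
                            re.IGNORECASE | re.DOTALL)


def offsite_links(text):
    """Return every URL in the text whose host is not a WhatsApp host."""
    offsite = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host not in WHATSAPP_HOSTS:
            offsite.append(url)
    return offsite


def assess_message(text):
    """Flag a 'join our WhatsApp group' message that behaves like the lure."""
    reasons = []
    if MENTIONS_WHATSAPP.search(text):
        bad = offsite_links(text)
        if bad:
            reasons.append(f"WhatsApp mentioned but links go elsewhere: {bad}")
        if JOIN_GROUP.search(text) and DEVICE_LINKING.search(text):
            reasons.append("a group-join page should never ask you to link a device")
    return {"suspicious": bool(reasons), "reasons": reasons}


# Constructed samples for the example, not text from the campaign.
GENUINE = "Join our WhatsApp group here: https://chat.whatsapp.com/EXAMPLEINVITE"
LURE = ("To join the WhatsApp group, open WhatsApp, tap Linked Devices and scan "
        "the QR code at https://group-invite.example/join")

if __name__ == "__main__":
    for sample in (GENUINE, LURE):
        print(assess_message(sample))
```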