Russian threat actors continue their spree of cybercrime across the globe, this time switching up their tactics with WhatsApp voicemail phishing attacks.


Aside from the SolarWinds breach in 2020, Russian hackers have also been found to piggyback on cloud service resellers’ access to their customers’ IT systems to disrupt the global technology supply chain and “more easily impersonate an organization's trusted technology partner to gain access to their downstream customers,” said Microsoft

The tech giant has also been publishing research regarding Russian threat actors and their attacks on Ukrainian companies, non-profits, and government organizations.

In one of these latest email phishing scams, WhatsApp is brought into the limelight with a new voicemail phishing attack vector.

Spoofing WhatsApp with Voicemail Phishing Attacks

Researchers have discovered that Russian hackers are, this time, using WhatsApp for a voicemail phishing attack that targets about 28,000 companies and organizations from various industries, particularly, healthcare and retail.

Only, they’re not using the app itself; they’ve spoofed the voicemail to look like it came from WhatsApp.

This sophisticated voicemail phishing campaign is, in reality, four cyberattack types in one:

  1. Social engineering: The hackers carefully crafted an email with a voice note attachment, posing as a trusted brand that people will have no qualms receiving emails from.
  2. Brand impersonation: That trusted brand was WhatsApp, as the hackers crafted the mail and the voice recording to look like it came from WhatsApp.
  3. Exploitation of a legitimate domain: The email sender utilized, a legitimate domain that the Ministry of Internal Affairs in Russia uses.
  4. Business email workflow replication: The email was crafted to replicate how one might receive emails from WhatsApp, enticing victims to click on the ‘Play’ link on the ‘recording’ attached to the email. This brings the users to a webpage that then tries to download the JS/Kryptik trojan horse on their device.

Researchers further reveal that the email “passed all SPF and DMARC authentication checks,” stating the possibility that the hackers had utilized an older or unused variety of the parent domain to pull off the voicemail phishing campaign.

Other forms of WhatsApp phishing tactics that have recently emerged include:

  • 2FA (two-factor authentication) scam. This particular phishing approach involves tricking legitimate WhatsApp users to send the verification code they received after bad actors have compromised their accounts. Bad actors impersonate people from the victim's contacts when they ask for the code, preying on the victim's instinctual trust of people they know or recognize.
  • FOMO (Fear of Missing Out) scam. This WhatsApp phishing tactic is an iteration of the common phishing scam where victims are asked to click on a link, which then activates the malware or virus. The FOMO scam is designed to play on the victims' fear or anxiety about missing out on something important or enjoyable, such as big discounts or free items. Once their fear or anxiety kicks in, victims are motivated to click on the link, which is the desired response of the bad actors.

Latest in a Long Line of Threats

Erich Kron, security awareness advocate at KnowBe4, weighed in on the severity of these latest email phishing scams:

"By using a known and trusted service such as WhatsApp, and by using an email server that passes SPF/DKIM checks, the attackers behind this phishing email are reducing the chance of the message being tagged by spam filters, while improving the chance that the user will engage with the phish.” 

This technique, Kron expounds, allows the message to blend in with (or at least not stand out as much from) the normal email traffic that users receive. Kron adds:

“This type of attack highlights the skill and craftiness of modern attackers who are using phishing emails as their weapon.”

Delving deeper into the topic, we find ourselves asking: If they could do this with WhatsApp, are any other brands and safe?

Potentially, hackers could develop different variations of this attack with any email and mobile chat applications like WhatsApp. And it’s not just Russian threat actors; any competent cybercriminal can spoof business communication companies like Slack, Teams, or Telegram and lure in unsuspecting victims. 

Even service providers like Salesforce are not safe, with news of hackers spoofing Salesforce emails to steal credentials, personal information, and credit card numbers.

Layered Problems Require Layered Solutions

So what should companies do?

First, train employees to recognize these voicemail phishing attacks and social engineering attempts and teach them how to respond/report these threats.

In addition to training employees to recognize the latest email phishing scams, organizations also need to secure their email and chat applications. A cybersecurity solution that leverages machine learning to reduce regulatory and legal risks with consistent policy application and governance for communications is a great help.

Next, security teams need enhanced visibility, so that they may discover and onboard all authorized accounts for protection. Enhanced visibility also enables teams to track new connection requests, inspect messaging for malicious content, and archive all account activity.

Most importantly, find solutions that use natural language understanding and machine learning on social media, mobile chat, collaboration, and email so messages to increase visibility across communication channels to understand context and intent of social engineering attacks.

Learn more about protecting your business from voicemail phishing and other social engineering attacks through this article.

If you are interested in learning more about the SafeGuard Cyber solution, you can take a quick 5-minute tour.

Explore Security Product