017. Star Blizzard and Stolen WhatsApp accounts

Hello everyone! Yesterday the Microsoft Threat Intelligence team shared some information on Star Blizzard's campaign targeting WhatsApp accounts.

So, the adversary sends a phishing email with a quick response (QR) code purporting to direct users to join a WhatsApp group:

An example of the phishing email
But the QR code is not valid, so if the victim replies by email, the threat actors send another message, this time with a link, which leads to a phishing page with instructions on how to "join the group". The QR code on that page is actually a WhatsApp device-linking code: scanning it connects the victim's account to a linked device and/or the WhatsApp Web portal under the adversary's control, allowing them to exfiltrate messages.

Here are the indicators of compromise presented by Microsoft:

civilstructgeo[.]org

aerofluidthermo[.]org
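As an added example (not from the post or from Microsoft's report), here is a small Python check that refangs the two IoC domains above and flags proxy or DNS log lines that connect to them or to any of their subdomains. The log lines and their format are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Domains published by Microsoft as Star Blizzard indicators (from the post),
# kept defanged so the list itself is never accidentally clickable.
DEFANGED_IOCS = ["civilstructgeo[.]org", "aerofluidthermo[.]org"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator like 'civilstructgeo[.]org' into a usable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_DOMAINS = {refang(d).lower() for d in DEFANGED_IOCS}


def host_matches(host: str) -> bool:
    """True if host is an IoC domain or a subdomain of one (not a mere substring)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


# Constructed sample telemetry (not real logs): one proxy line and two DNS lines.
SAMPLE_LOGS = [
    "2025-01-17T10:02:11Z proxy user=alice url=https://www.civilstructgeo.org/join method=GET",
    "2025-01-17T10:02:15Z dns client=10.0.0.5 query=aerofluidthermo.org type=A",
    "2025-01-17T10:03:40Z dns client=10.0.0.7 query=example.com type=A",
]


def extract_host(line: str):
    """Pull the destination host out of a proxy (url=) or DNS (query=) line; assumed format."""
    m = re.search(r"url=(\S+)", line)
    if m:
        return urlparse(m.group(1)).hostname
    m = re.search(r"query=(\S+)", line)
    return m.group(1) if m else None


def find_hits(lines):
    """Return the log lines whose destination host matches a Star Blizzard IoC."""
    return [line for line in lines if (h := extract_host(line)) and host_matches(h)]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOGS):
        print("IoC hit:", hit)
```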

See you tomorrow!
