WhatsApp brand targeted by threat actors

On November 24, 2022, the security researcher from OSINTAFRICA detected many phishing attacks mimicking the WhatsApp brand.

WhatsApp is a freeware platform used to send and receive text, voice messages, make voice and video calls, and share images, documents, user locations, and other content. The application is owned by American company Meta Platforms.

The application is used by more than 2 billion users around the globe.

The threat actors behind this campaign are unknown. The domains identified were created a few days ago.

The threat actors host their infrastructure in different locations, such as the US, Singapore and Hong Kong, both to avoid detection and to target users in those locations.

Apart from using different locations, the threat actors also use the Cloudflare CDN to hide their origin servers and the services they use to target users.

From the details we collected and analyzed, we can assume that the intention of the threat actors is to steal users’ credentials and to trick users into installing malicious software that looks like WhatsApp.

Let’s explain the findings in detail:

On the screenshot below, the page closely imitates WhatsApp, and it has been classified as malicious by Google Safe Browsing. The IP address 2606:4700:3037::ac43:d2ab is located in the US and belongs to CLOUDFLARENET, US.

We can also observe some words written in Chinese, which could indicate that the threat actors are targeting users in China.

gotas.evoluir.sbs – urlscan.io

VirusTotal detected it as a phishing website.

VirusTotal – URL – c424a393c09b3c1007258c95aef074d555395af61bda0e02fa68a4abc8ba773b

Another example is whatssap7[.]com.

We can see that the IP address is located in the US and belongs to TERAEXCH US.


https://urlscan.io/result/b7490a37-9c92-4020-8cde-abedee990831/

We queried SecurityTrails for more information related to the domain and found the following.

SecurityTrails lists two domains. The second, download.whatssap7[.]com, hosts downloadable versions of the malicious application for Android, Windows and MacBook.

https://securitytrails.com/list/apex_domain/whatssap7.com

Two domains were found. The second one, download.whatssap7[.]com, offers a malicious WhatsApp package for download.

https://urlscan.io/result/ae426881-2e77-412f-a27a-8ec5b956dfa2/


Unfortunately, we could not download the file.

Our last example is the domain whatqsapp[.]com.

https://urlscan.io/result/4f6be6c4-be69-4e24-9618-08605b541c95/

Another domain located in the US.

From RiskIQ, we found many subdomains mimicking WhatsApp that resolve to the IP address 172.247.175.66.


It is not the first time WhatsApp has been targeted. Many users have complained in the past about losing their credentials, and phishing is the most commonly used technique to achieve this.

This issue matters because WhatsApp is used by so many people; measures should be taken to prevent users from connecting to the malicious websites.

To reduce the risk, three main pieces of advice should be followed.

Advice:

Use only WhatsApp.com to download the application and to connect.

Use 2FA to protect your account.

Take down all the domains (this should be done by WhatsApp's corporate team).

Domains mimicking WhatsApp

whatssapp8[.]com

whatsaaapp[.]com

whataswappapp[.]com

whatsakpp[.]com

whatmsapp[.]com

whatszaapp[.]com

whaxsapp[.]com

www[.]whatscaapp[.]com

www[.]whatszaapp[.]com

www[.]whatstaapp[.]com

whatscaapp[.]com

whatstaapp[.]com

whatqsapp[.]com

whatsaypp[.]com

www[.]whatmsapp[.]com

www[.]whatqsapp[.]com

www[.]whhatapp[.]com

whatsalpp[.]com

whatsabpp[.]com

whatskapp[.]com

www[.]whatsalpp[.]com

whatuapp[.]com

whlatapp[.]com

www[.]whatskapp[.]com

ww[.]whatsaypp[.]com

whaotapp[.]com
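The list above consists of typosquatted variants of whatsapp.com. As an added example that is not part of the OSINTAFRICA post, the Python below shows how a defender can refang such defanged indicators, strip the www./ww. host prefix, and measure how close each registrable name is to the legitimate brand domain with an edit-distance check, so that similar lookalikes in proxy or DNS logs can be flagged. The sample indicator list, the distance threshold of 2, the similarity threshold of 0.8 and the two-label apex assumption are choices made for this example; example[.]org is a constructed control value that does not appear in the post.

```python
import re
from difflib import SequenceMatcher

LEGIT_DOMAIN = "whatsapp.com"

# Constructed sample: a subset of the defanged domains listed above plus
# one unrelated control value (example[.]org) that is not from the post.
SAMPLE_IOCS = [
    "whatssapp8[[.]]com",
    "whatsaaapp[.]com",
    "www[.]whatscaapp[.]com",
    "whatqsapp[.]com",
    "ww[.]whatsaypp[.]com",
    "whlatapp[.]com",
    "example[.]org",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("whatsapp[.]com", "[[.]]") back into a hostname."""
    return re.sub(r"\[+\.\]+", ".", ioc.strip().lower())


def registrable(host: str) -> str:
    """Reduce a hostname to its last two labels (assumes apex domains like
    whatssap7.com; a real deployment would consult the public suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insertion, deletion and substitution each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(ioc: str, legit: str = LEGIT_DOMAIN, max_distance: int = 2) -> dict:
    """Score one indicator against the legitimate brand domain.

    Verdicts: "legitimate" (exact apex match), "lookalike" (name within
    max_distance edits or >= 0.8 sequence similarity), otherwise "unrelated".
    """
    apex = registrable(refang(ioc))
    name = apex.rsplit(".", 1)[0]          # drop the TLD before comparing
    legit_name = legit.rsplit(".", 1)[0]
    dist = levenshtein(name, legit_name)
    ratio = SequenceMatcher(None, name, legit_name).ratio()
    if apex == legit:
        verdict = "legitimate"
    elif dist <= max_distance or ratio >= 0.8:
        verdict = "lookalike"
    else:
        verdict = "unrelated"
    return {
        "ioc": ioc,
        "apex": apex,
        "distance": dist,
        "similarity": round(ratio, 2),
        "verdict": verdict,
    }


def scan(iocs, legit: str = LEGIT_DOMAIN) -> list:
    """Return the apex domains judged to be lookalikes of the brand domain."""
    return [r["apex"] for r in (assess(i, legit) for i in iocs) if r["verdict"] == "lookalike"]


if __name__ == "__main__":
    for result in (assess(i) for i in SAMPLE_IOCS):
        print(f'{result["ioc"]:28} {result["apex"]:18} d={result["distance"]} '
              f'sim={result["similarity"]:.2f} {result["verdict"]}')
```

The same comparison implements the first piece of advice above from the other side: anything a user is about to download from or log in to that scores as "lookalike" rather than "legitimate" is worth blocking or at least alerting on. The edit-distance threshold is deliberately small; raising it catches more variants but also starts matching unrelated short names.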