Did you receive a random invite to join a WhatsApp group? Be careful. Russian state-sponsored hackers are using them to trick users into exposing access to their WhatsApp accounts.
The Russian hacking group Callisto, also known as Star Blizzard, was spotted using the tactic in November, according to a new report from Microsoft. Callisto, which the US has linked to Russia’s Federal Security Service (FSB), has been known to use spear-phishing emails to gain access to victims’ online accounts. In the past, this has included impersonating political or diplomatic figures, building up trust, and then sending a phishing email that’ll direct the recipient to a hacker-controlled website that can steal passwords.
According to Microsoft, the group has since pivoted to trying to access WhatsApp accounts, possibly because the FBI has been cracking down on Callisto’s previous hacking activities.
The invites arrive via emails that impersonate US government officials. The apparent goal has been to target users close to Ukraine’s ongoing war with Russia.
(Credit: Microsoft)
“The initial email sent to targets contains a quick response (QR) code purporting to direct users to join a WhatsApp group on ‘the latest non-governmental initiatives aimed at supporting Ukraine NGOs,’” Microsoft says. However, the initial QR code is deliberately broken, likely to coax the target into responding.
If the recipient does reply, Callisto will send a second email containing a link that’ll forward the user to a site dressed up to look like an official WhatsApp page. The same page will display a QR code and ask the user to scan it using WhatsApp on their phone.
Users might assume doing so will merely give them entry into the WhatsApp group. But in reality, scanning the QR code paves the way for the hacker to access their WhatsApp account, because the QR code is part of an official feature for WhatsApp Web, which lets you link your account remotely to a PC.
“This means that if the target follows the instructions on this page, the threat actor can gain access to the messages in their WhatsApp account and have the capability to exfiltrate this data using existing browser plugins,” Microsoft added.
The good news is that Callisto has since wound down its campaign targeting WhatsApp, according to Microsoft. Still, the research shows how Russian spies remain tenacious in their efforts to phish potential targets. In Callisto’s case, the group has been targeting known government organizations, think tanks, journalists and politicians.
In the meantime, the Meta-owned WhatsApp said it’s important for users to be careful around its WhatsApp Web feature for device linking.
“If you want to link your WhatsApp account to a companion device, you should only do so by going to WhatsApp’s officially supported services – and not through third-party websites. And no matter which service you’re on, you should only click on links from people you know and trust,” a WhatsApp spokesperson told PCMag.
The app has also published a support document on the feature, which notes that users can see which devices have been linked to their WhatsApp account and log out remotely.
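For mail triage, a check a defender could run over links and decoded QR payloads that claim to be WhatsApp group invites. This is an added example, not code from Microsoft's report or from WhatsApp. It assumes genuine invites are HTTPS URLs on chat.whatsapp.com; the host list, verdict names and sample values are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hostnames served by WhatsApp itself; extend for your environment.
OFFICIAL_HOSTS = {"whatsapp.com", "www.whatsapp.com", "web.whatsapp.com",
                  "chat.whatsapp.com", "wa.me"}
INVITE_HOST = "chat.whatsapp.com"  # group invite links live on this host


def classify_invite(payload: str) -> str:
    """Classify a link or decoded QR payload presented as a group invite."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return "not-a-url"
    if parts.scheme not in ("http", "https") or not parts.hostname:
        # A group invite is a URL. Opaque data in a QR code is something
        # else, such as the pairing data shown for device linking.
        return "not-a-url"
    if parts.username or parts.password:
        # Userinfo trick: the trusted name sits before '@', not in the host.
        return "lookalike"
    host = parts.hostname.lower().rstrip(".")
    if host == INVITE_HOST and parts.scheme == "https" and parts.path.strip("/"):
        return "group-invite"
    if host in OFFICIAL_HOSTS:
        return "official-other"
    if "whatsapp" in host:
        return "lookalike"  # brand name on a host WhatsApp does not serve
    return "third-party"


def flag_for_review(payloads):
    """Return {payload: verdict} for everything that is not a real invite."""
    verdicts = {p: classify_invite(p) for p in payloads}
    return {p: v for p, v in verdicts.items() if v != "group-invite"}


# Constructed sample values, not indicators from the campaign.
SAMPLES = [
    "https://chat.whatsapp.com/AbCdEfGh1234",
    "https://web.whatsapp.com/",
    "https://whatsapp-groups.example/join",
    "https://chat.whatsapp.com@login.example/invite",
    "https://short.example/x1",
    "2@c29tZQ==,a2V5MQ==,a2V5Mg==",
]

if __name__ == "__main__":
    for item, verdict in flag_for_review(SAMPLES).items():
        print(f"{verdict:15} {item}")
```

Anything other than `group-invite` deserves a second look before a user scans or clicks it, and a `third-party` verdict on a page that displays a WhatsApp QR code matches the lure described above.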