Every now and then, we receive or see reports of what new shenanigan has hit users of the ever-popular mobile application, WhatsApp.

Not so long ago, users in the UK were warned about a scam making the rounds that claimed Sainsbury’s was giving away gift cards worth £100 as part of its purported “network expansion”. And just days after a special announcement, online criminals swooped in to take advantage of the much-awaited video-calling feature for WhatsApp by rolling out fake message invites, falsely claiming that users need to visit a specific URL to enable this feature, when in fact all users have to do is update the app.

If these aren’t enough to keep WhatsApp users on their toes all the time, they also have some privacy concerns to cope with.

Recently, we received a report from one of our readers on Facebook regarding another criminal-driven campaign targeting WhatsApp users. It comes in the form of a phishing email, which our reader forwarded for us to look into. Below is a screenshot of the said spam:

[Screenshot: WhatsApp phishing email]

From: {fake WhatsApp email address}
To: {random}
Subject: Billing Alert - Services Suspended
Message body:

Billing Alert - Services Suspended 


Dear WhatsApp User


Services Suspended

Act immediately to Restore your Services.

It is imperative that you act immediately to restore your services.

Log in at https://store.whatsapp.com/ to update your payment details.

It only takes a few minutes to update your payment details, or choose to pay for
your services by PayPal if you prefer.

We wish to give you every opportunity to provide payment for your services and hope
that prompt action on your part will resolve the situation.

Please do not reply to this email. It is an automatically generated notification,
sent from an unmonitored address.


Sincerely


The Customer Support Team

WhatssApp


Terms and Conditions: https://web. whatsapp.com/

The above is a phishing email that attempts to get users to click the purported URL, https://store.whatsapp.com/, which actually leads to gnphysiotherapy[DOT]com/js/coollinkdaa. This is a redirector site that eventually leads to sigmarchitects[DOT]com, which has been compromised to host the phish for this campaign. Below is a series of screenshots taken during testing:


In the first screenshot, the phish asks for personally identifiable information (PII) such as name, date of birth, and billing address; card details such as card number, expiration date, and verification code; and bank details such as account number and sort code.

In the second screenshot, the phish asks for the user’s “Visa password”.

The last screenshot shows the final destination of the phish, which is a legitimate WhatsApp page, after users enter the said password and click the “Submit” button.

We were able to retrieve the phishing kit used in this campaign and took a look at the code of its PHP pages. Below are the most notable findings:

  • The kit used to create this phish is called “WhatsApp Phisher”.
  • It targets English, Dutch, and French speaking users of WhatsApp.
  • It sends phished data to three specific email accounts, on @gmail.com, @netcourrier.com, and @mail.ru.

Since the beginning of 2016, WhatsApp has stopped charging its users subscription fees. So if you ever receive an email similar to the one featured above, it is best to simply delete it from your inbox.

There is news that WhatsApp is currently testing a new feature that allows users to play back shared videos while they are being downloaded in the background. Be wary, as scammers might use this as bait, offering users the feature in exchange for (1) their information, (2) answering a set of survey questions (which gives back a certain monetary value to scammers), or (3) willingly downloading a (more often than not dodgy) file onto their mobile or computing devices.

Stay safe out there!

Jovi Umawing (Thanks to Steven)