Star Blizzard: WhatsApp account takeover through phishing campaign

Microsoft reports a phishing campaign by the criminal group Star Blizzard. It is attempting to take over WhatsApp accounts.


Microsoft has observed new tactics from a criminal organization the company tracks as “Star Blizzard”. The Russian cybercriminals originally targeted journalists and non-governmental organizations (NGOs), among others. Most recently, they attempted to take over WhatsApp accounts with a phishing campaign.

Microsoft describes details of the spear phishing campaign in a blog post. Initially, Star Blizzard followed its established pattern: the attackers make initial contact with victims via email to engage them in correspondence before sending a second message containing a malicious link. The sender addresses in this campaign mimic those of US government officials, a well-known ploy of impersonating prominent political or diplomatic figures.

The initial email contains a QR code inviting the recipient to join a WhatsApp group on the topic “the latest non-governmental organizations with the aim of supporting Ukrainian NGOs”. However, the QR code is deliberately broken and does not lead to a valid domain; the intent is to prompt recipients to reply to the sender.


If a victim replies, Star Blizzard sends a second email with a link shortened via t[.]ly, presented as an alternative way to join the WhatsApp group. Clicking the link opens a web page that prompts the user to scan a QR code to finally join the group. However, that QR code is actually the code WhatsApp uses to link an account to an additional device or to the WhatsApp web portal.

If a victim follows the instructions, the cybercriminals gain access to the messages in their WhatsApp account and can exfiltrate this data using known browser plug-ins built precisely for this purpose, which operate through WhatsApp web portal access. This is how the attackers get into the victims' accounts.

Microsoft explains that this was a limited campaign at the end of last November, but it marked a change in the Star Blizzard group's approach. Microsoft advises users to remain vigilant when receiving emails, especially if they contain links to external resources. The usual targets are people in government and diplomacy, researchers working on defense policy or international relations with a connection to Russia, and those who support Ukraine in its fight against Russia. If in doubt, the person the email claims to come from should be contacted via a known or previously used email address to verify that the email actually originates from them.

Last October, US law enforcement, in cooperation with Microsoft, succeeded in striking a blow against the criminal gang. Since then, more than 180 of the group's websites have been taken offline. Even at that time, Star Blizzard was already trying to obtain credentials through phishing campaigns.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.