Whatsapp users in Armenia targeted by fake update warnings

April 24, 2024

Users of Whatsapp in Armenia are being targeted by a phishing campaign through suspicious iMessage messages. The attack is being carried out through iMessage messages containing a malicious URL that appears to be associated with Whatsapp. These messages urge users to update their Whatsapp application by visiting the malicious URL: hxxps[://]whatsapp[.]com-update@1ii[.]is/UJulZt.

Armenia -- Screenshot of iMessage luring users to false Whatsapp update, Yerevan, 24Apr2024

However, the URL uses a redirection service (redirec[.]fit) to navigate users to a legitimate-looking but malicious website hosted on the WP engine platform.

Armenia -- Redirected.fit service passing on to the WP engine, Yerevan, 24Apr2024

Phishing Website

The phishing website is designed to collect user information, including connection type metadata. It is suspected that the attackers are using this website to inject phishing forms tailored to their current campaign.

Armenia -- The fake Whatsapp update page, which tries to collect user information, Yerevan, 24Apr2024

Targeted Services

Based on the website’s header information, the phishing campaign appears to be targeting the following services:

  1. Whatsapp
  2. Yandex Delivery
  3. Adjarabet
  4. Yandex Music

An analysis of the injected JavaScript and other components on the phishing website did not reveal any signs of spyware or malware presence. However, it is possible that the attackers are primarily focused on collecting user information through phishing forms rather than delivering malware.

Potential Impact

Users who fall for this phishing attack and enter their information on the malicious website risk having their personal data, including login credentials, compromised. This could lead to further exploitation, such as account hijacking, identity theft, or financial fraud.

Recommendations

To protect against this threat, users should:

  1. Be cautious of unsolicited messages, especially those containing suspicious links or prompts to update applications.
  2. Verify the legitimacy of URLs by carefully inspecting the domain name and ensuring it matches the official website of the service in question.
  3. Keep their software and applications up-to-date through official channels and trusted sources.
  4. Use strong and unique passwords for their accounts, and enable two-factor authentication when available.
  5. Report any suspicious messages or phishing attempts to the appropriate authorities or service providers.