What is up with the app?
Cybercriminals who take advantage of people through social engineering techniques are now prowling within WhatsApp. Noticeably these threat actors are largely targeting Middle Eastern countries using company logos, and preset messages to lure victims in giving out crucial information.
What are the styles of messages?
From fake lottery winners up to fake central bank notifications, yes you can name it all as long as it can catch attention and bait unsuspecting users into giving out information.
Phishing attempts will always use redirection to an external URL, some appears to be ingenious and others are just rip off of log in pages to extract data from victims and send it to the attacker. Of course the redirection pages are more effective when optimized to appear on mobile phones.
SSL on Redirects
Free SSL certificates are being handed down which makes it a tool for phishing actors to take advantage of. This would make it appear to seem legitimate and trustworthy. Making it more “secure-proof”. On top of the perception that this is secure, a landing pagec an be made social proof by integrating comments and testimonials which are fake to deceive the victims which increases the chance of the phishing attack to succeed. Rip off of Facebook comments and other social media sites.
After a victim fills out a form, there are instances that you have to agree to share your contacts to the programmed form, once the bait is taken the same phishing messages will be redistributed to a WhatsApp contact list. Making the process repetitive as long as there are victims.
What to do
In an age of GDPR implementation, individuals and corporations cannot afford to break the law just because of social engineered attacks made them do so. Therefore risks should be mitigated by educating and informing mobile app users.
Corporate information such as credentials may be passed off through unintended give away of personal data.
Remember that every loss data, or leaked data is the responsibility of the corporations and not solely of the individual.
It is encouraged that security teams should learn and employ mobile security techniques, and implement technology that both detects phishing attacks real-time, and also keep people from accessing malicious sites.