Hackers Exploit WhatsApp In New Phishing Campaign


A Russian hacking group, Star Blizzard, has been targeting WhatsApp accounts for compromise, Microsoft Threat Intelligence reported on January 16. This marks a shift in the group’s tactics, with Microsoft noting it as the first instance of Star Blizzard adopting a new access vector, diverging from their established methods.

In a Rush? Here are the Quick Facts!

  • Star Blizzard used WhatsApp for the first time in a spear-phishing campaign.
  • The attack impersonated a U.S. official and targeted Ukraine-related organizations.
  • Victims unknowingly gave hackers access to WhatsApp via malicious QR codes.

In November 2024, Microsoft Threat Intelligence detected a significant shift in the tactics of “Star Blizzard,” a Russian hacking group known for targeting government officials, diplomats, and NGOs.

The group introduced a new phishing method, using WhatsApp as an access point, marking a departure from their traditional strategies. The attack began with a spear-phishing email impersonating a U.S. government official.

It invited targets to join a WhatsApp group purportedly focused on supporting Ukrainian NGOs. The email included a QR code that claimed to link users to the group but was deliberately broken, to prompt recipients to respond.

Once the targets replied, they received another email with a shortened URL that led to a fraudulent webpage resembling WhatsApp’s legitimate site.

Here, victims were asked to scan a QR code to join the group. Instead, this code granted the hackers access to victims’ WhatsApp accounts by exploiting the platform’s account linking system. Using browser plugins, Star Blizzard could exfiltrate sensitive messages.

Star Blizzard, previously known for targeting journalists and civil society organizations, adapted to operational disruptions. Since 2023, the group has employed spear-phishing campaigns to steal information and disrupt activities, as noted in the Microsoft report.

Microsoft and the U.S. Department of Justice took down over 180 phishing domains linked to the group in October 2024. Despite these efforts, the hackers quickly transitioned to new domains and methods.

This recent campaign, which concluded by late November, underscores the group’s persistence and adaptability. It also highlights the evolving cybersecurity challenges organizations face.

To mitigate such risks, Microsoft advises using tools like Defender for Endpoint and enabling anti-phishing measures, tamper protection, and real-time cloud-delivered antivirus updates. Organizations should also train employees to recognize phishing attempts, particularly those involving links or QR codes.

For enhanced security, experts recommend verifying suspicious emails by contacting the sender through trusted channels and using safe browsing practices.

This incident reinforces the importance of proactive cybersecurity measures as threat actors develop new ways to breach defenses, turning even commonly used tools like WhatsApp into potential attack vectors.
