The Russian hacking group known as Star Blizzard has been targeting WhatsApp accounts in a new spear-phishing campaign. Microsoft has identified a shift in the group’s tactics to leverage a new access vector involving broken-link QR codes. The QR codes are sent in phishing emails to high-value victims, claiming to invite the user to join a WhatsApp group.
However, the QR codes are designed to be broken, prompting the recipient to respond. This gives the hackers an opportunity to send another link, often obscured through link-shortening services, which directs the user to a site containing another QR code.
Targeted phishing with fake QR codes
When scanned, this QR code adds a device controlled by the attackers to the user’s WhatsApp account. Microsoft and Malwarebytes have issued warnings and advice to mitigate such attacks. They recommend:
– Hovering over links to check the URL before clicking
– Scrutinizing shortened URLs and using a service to unshorten them if in doubt
– Verifying that any prompts or actions on the website match what is expected
– Double-checking the sender’s identity through another contact method before taking action
A WhatsApp spokesperson emphasized that users should only link their accounts through WhatsApp’s official services and avoid third-party websites.
“We’re always working to make WhatsApp the safest place for private, personal communication, which is why we protect your personal conversations with end-to-end encryption,” the spokesperson said.

While the original Star Blizzard attack campaign appeared to have ended in late November, the threat remains as other actors may adopt similar tactics to target a broader audience. Users are advised to remain vigilant and follow recommended security practices to protect their accounts.