Who’s heard of WhatsApp? Phishers, that’s who!

No one else I know, until Facebook announced they would buy them.

I don’t have the WhatsApp app or an account either, so I immediately classified the phishing message below as spam. However, it is a great example of how criminals use current events to try to make their phishing messages look legitimate.

Screenshot of the WhatsApp phishing message I got in my inbox today.
The “Autoplay” link goes to a PHP file on an Argentinian domain (acquavendingarg dot com.ar), a possibly legitimate web site, although it currently has an “under construction” message on it. More than likely, the web site was compromised with malware that does nothing good.

The e-mail sender was sinatsik1967 at fredericks dot com, which was spoofed, as the failed SPF lookup shows. The sending client’s IP originated in Thailand. Most likely, the computer that sent the message is part of a botnet and not the actual attacker’s computer. The originating SMTP server was ns11.hostinglotus.net.

With all these red flags (failed SPF lookup and originating in Thailand), I wonder why the Office 365 spam filters didn’t catch it?
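The header checks described above (SPF verdict, sending client, first SMTP server) can be pulled out of a raw message with a short script. This is an added example, not part of the original post; the sample headers, host names and IP addresses are constructed placeholders from reserved ranges, and `triage` is a hypothetical helper name.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (reserved example domains, documentation IPs).
SAMPLE = """\
Received: from mx.recipient.example (192.0.2.10) by mailbox.recipient.example;
 Thu, 20 Feb 2014 10:00:05 +0000
Received-SPF: Fail (mx.recipient.example: domain of sender@brand.example does
 not designate 203.0.113.45 as permitted sender) client-ip=203.0.113.45;
Received: from relay.hosting.example (relay.hosting.example [203.0.113.45])
 by mx.recipient.example; Thu, 20 Feb 2014 10:00:03 +0000
Received: from [198.51.100.77] by relay.hosting.example;
 Thu, 20 Feb 2014 10:00:01 +0000
From: "WhatsApp" <sender@brand.example>
Subject: Voice Message Notification

body
"""

def _flat(value):
    """Collapse folded header lines into one space-separated string."""
    return " ".join(str(value).split())

def triage(raw):
    """Hypothetical helper: summarise the sender-authenticity signals in a message."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    spf = _flat(msg.get("Received-SPF", "none"))
    spf_result = (spf.split() or ["none"])[0].lower()
    client_ip = re.search(r"client-ip=([0-9a-fA-F.:]+)", spf)
    # Each server prepends its Received header, so the last one is the earliest
    # hop. Hops below your own border MTA are sender-supplied and can be forged.
    hops = [_flat(h) for h in msg.get_all("Received", [])]
    first = hops[-1] if hops else ""
    origin = re.search(r"from\s+(\S+)", first)
    server = re.search(r"\bby\s+([^\s;]+)", first)
    flags = []
    if spf_result in ("fail", "softfail"):
        flags.append("spf-" + spf_result)
    return {
        "from_domain": from_domain,
        "spf": spf_result,
        "spf_client_ip": client_ip.group(1) if client_ip else None,
        "origin_client": origin.group(1).strip("[]") if origin else None,
        "first_server": server.group(1) if server else None,
        "flags": flags,
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```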

P.S.: This message was sent to an e-mail alias I only use to do business with Ticketmaster… You can draw your own conclusions about how spammers got their hands on that alias.

UPDATE: According to an article on techhelplist.com, this is a pharma scam. So no malware apparently. Still, I wouldn’t buy anything off those sites.

by Sven Aelterman.
