The year 2024 has witnessed a surge in novel phishing techniques employed by cybercriminals, targeting various online accounts. From concealed images in emails to persistent attacks on Google Ads users and even phishing-free PayPal scams, the threat landscape has been constantly evolving. Now, WhatsApp users are in the crosshairs, with Microsoft and Malwarebytes issuing warnings about a new “broken link” attack being exploited by a Russian hacking group known as Star Blizzard.
Star Blizzard, previously known for different tactics, has shifted its focus to compromising WhatsApp accounts, marking a significant change in its modus operandi. The new approach relies on deliberately broken QR codes embedded in phishing emails. These emails, often targeting high-value individuals, contain QR codes purportedly linking to WhatsApp group invitations. Because the codes are intentionally broken, scanning them produces an error message. The attackers then use that error as a pretext for further interaction, with the ultimate goal of gaining control of the victim’s WhatsApp account.
The attack unfolds in a deceptive manner. Victims, upon encountering the broken link, are likely to notify the sender about the issue. This provides an opening for the attackers to send a seemingly helpful link, often disguised through link-shortening services, which leads to a website containing another QR code. This second QR code, if scanned, grants the attackers access to the victim’s WhatsApp account by adding a device under their control. This subtle yet effective technique bypasses traditional phishing defenses and relies on social engineering to exploit user trust.
While the initial campaign observed by Microsoft appeared to have ceased by the end of November 2023, the threat remains. The possibility of Star Blizzard resuming the attack or other threat actors adopting this technique cannot be dismissed. Moreover, the potential for this attack to target a wider audience of WhatsApp users raises significant concerns. Therefore, understanding and implementing preventative measures are crucial.
Protecting oneself against this type of attack requires vigilance and awareness. Users should exercise caution when encountering QR codes, especially those received via email. Hovering over links before clicking, scrutinizing shortened URLs, verifying sender identity through alternate channels, and carefully examining prompts on devices before granting access are crucial steps in mitigating the risk. Furthermore, understanding how WhatsApp’s device-linking process works can help users identify suspicious activity. WhatsApp explicitly requests confirmation before adding a new device, and any unexpected or unexplained prompts in this regard should raise red flags.
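The checks above (scrutinizing shortened URLs, verifying that a link really points at WhatsApp, and treating a "group invite" QR code that does not decode to a WhatsApp invite link with suspicion) can be automated as a mail-triage heuristic. The following Python is an added example written for this page, not code from Microsoft, Malwarebytes or WhatsApp. It assumes a short, editable list of link-shortener hosts (constructed here), treats `chat.whatsapp.com` as the host of genuine group invite links and `whatsapp.com` / `wa.me` as official WhatsApp domains, and takes decoded QR payloads as plain strings (decoding the image itself is left to whatever QR library you already use).

```python
import re
from urllib.parse import urlparse

# Constructed, editable list of common link-shortener hosts; extend for your environment.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly", "rebrand.ly"}
# Official WhatsApp domains assumed for this example (subdomains are accepted).
WHATSAPP_HOSTS = {"whatsapp.com", "wa.me"}
# Genuine WhatsApp group invite links use this host.
GROUP_INVITE_HOST = "chat.whatsapp.com"

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)

def host_of(url):
    """Return the lowercase hostname of a URL, or '' if it cannot be parsed."""
    try:
        return (urlparse(url).hostname or "").lower().rstrip(".")
    except ValueError:
        return ""

def is_whatsapp_host(host):
    """True when host is an official WhatsApp domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in WHATSAPP_HOSTS)

def classify_link(url):
    """Label a URL found in an email or decoded from a QR code."""
    host = host_of(url)
    if not host:
        return "unparseable"
    if host in SHORTENER_HOSTS:
        # Shorteners hide the real destination; resolve them before trusting.
        return "shortener"
    if host == GROUP_INVITE_HOST:
        return "whatsapp_group_invite"
    if is_whatsapp_host(host):
        return "whatsapp_official"
    if "whatsapp" in host:
        # Brand name in a third-party host: classic lookalike pattern.
        return "whatsapp_lookalike"
    return "other"

def classify_qr_payload(payload):
    """A QR code presented as a group invite should decode to a chat.whatsapp.com URL.
    Anything that is not an http(s) URL at all is flagged, since such a payload
    cannot be a group invite link and deserves manual review."""
    payload = payload.strip()
    if not payload.lower().startswith(("http://", "https://")):
        return "non_url_payload"
    return classify_link(payload)

RISKY_VERDICTS = {"shortener", "whatsapp_lookalike", "unparseable", "non_url_payload"}

def triage_message(text):
    """Extract every URL from a message body and label it."""
    return [{"url": u, "host": host_of(u), "verdict": classify_link(u)}
            for u in URL_RE.findall(text)]

def risky(findings):
    """Keep only findings that warrant a closer look before anyone scans or clicks."""
    return [f for f in findings if f["verdict"] in RISKY_VERDICTS]

# Constructed sample email body mimicking the follow-up "helpful link" stage.
SAMPLE_BODY = """Hi, please join our group: https://chat.whatsapp.com/ABCDEFGH123
Alternative link (if the first one fails): https://bit.ly/join-grp
Or use: https://whatsapp-invites.example.net/join
"""

if __name__ == "__main__":
    for f in triage_message(SAMPLE_BODY):
        print(f"{f['verdict']:24} {f['url']}")
    print("QR payload check:", classify_qr_payload("2@constructed,opaque,payload=="))
```

The point of the `classify_qr_payload` check is the second stage of the attack described above: a QR code that a correspondent insists is a group invite but that does not decode to a `chat.whatsapp.com` link is exactly the case where the user should stop and confirm through another channel rather than approve a device prompt.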
In summary, the broken link QR code attack represents a sophisticated evolution in phishing tactics. It leverages social engineering and exploits the trust users place in QR codes and communication platforms like WhatsApp. While the initial campaign appears to be contained, the potential for this technique to be widely adopted necessitates a proactive and vigilant approach to online security. By understanding the mechanics of this attack and adopting the recommended preventative measures, users can significantly reduce their risk of falling victim to this novel and insidious threat. Constant vigilance, coupled with a healthy dose of skepticism, is crucial in navigating the increasingly complex online threat landscape.