PwC’s Dark Lab investigates the local WhatsApp account hijacking attacks, uncovering multiple campaigns targeting Hong Kong and Macau consumers.
Clik here to view.
Over the last few months, the community has seen a surge in attacks against individuals’ collaboration and communication applications that offers the use of mobile devices as a means of authentication. By taking over accounts on such platforms through means such as phishing, threat actors can easily gain access to personal or event-sensitive information shared across such platforms or carry out attempts to defraud legitimate business partners or contacts of individuals.
In this two-part series, we showcase two classic Adversary-in-the-Middle (AiTM) campaigns targeting Hong Kong-based victims. This blog piece provides a technical analysis and actionable steps to protect yourself against the ongoing campaign leveraging the Evil QR toolkit to hijack WhatsApp accounts locally.
Stay tuned for part two, as we share our incident response experience with a multi-stage AiTM phishing and business email compromise (BEC) attack weaponizing Evilginx and EvilProxy, leading to our discovery of the wide-scale, opportunistic campaign.
WhatsApp QR Code Hijacking Targets Hong Kong and Macau Consumers
In October 2023, we observed multiple reports of WhatsApp account hijacking cases impacting Hong Kong- and Macau-based victims. Upon successful account takeover, malicious actors have been observed to impersonate the owners of the compromised WhatsApp accounts, contacting the victim’s WhatsApp contacts to request fund transfers under the guise of their trusted relationship. Breaking down the attack, we observe that the Evil QR tool was deployed to facilitate the WhatsApp account takeovers, targeting unsuspecting victim.
Understanding how Evil QR works
Evil QR, first reported in July 2023, is a browser extension that enables attackers to exploit legitimate QR codes to intercept and steal their cookie session, providing access to the victim’s account.[1]
How Evil QR operates[2]:
- The attacker open the legitimate WhatsApp Web login page (https://web.whatsapp.com/).
- The attacker enables the Evil QR browser extension, which extracts the legitimate QR code from WhatsApp Web and proxies it to the Evil QR server, which hosts the attacker’s phishing page.
- The attacker’s phishing page dynamically displays the latest QR code extracted from the WhatsApp Web login page.
- When the unsuspecting victim visits the phishing page impersonating WhatsApp Web login and scans the QR code, the attacker successfully obtains access to the victim’s WhatsApp account.
- Due to proxying, the victim will be unaware of the existence of these sessions, unless they manually check their WhatsApp settings (Settings > Linked Devices).
Clik here to view.
Figure 1: Attack path for WhatsApp account takeover using Evil QR
Weaponization of Evil QR by malicious actors
Due to the relatively simple setup of the QR code and phishing site using Evil QR, it is a highly lucrative and incentivising means for attackers to obtain access to sensitive information and perform malicious activities, as reflected in the recent surge of attacks against collaboration and communication applications.
We observe search results on Google, which indicate dedicated efforts to promote phishing sites impersonating WhatsApp to defraud unsuspecting victims. Search engine optimisation (SEO) poisoning is a technique commonly deployed by threat actors to improve the ranking of their malicious websites on search engine result pages.[3]
To improve the SEO ranking of their phishing site and deceive unsuspecting visitors of their ‘legitimacy’, threat actors may deploy an array of techniques, such as keyword stuffing, whereby threat actors overload their phishing sites with keywords in a repetitive manner to manipulate search engine rankings to assess their website has relevant content. Another common technique is typosquatting, whereby threat actors capitalise on human error by registering domains with variations of potential spelling errors, that could accidentally be typed (“typo”) by unsuspecting users (e.g. watsap web). Further, attackers commonly abuse sponsored listings and advertisements to direct users to their phishing sites.
Image may be NSFW.
Clik here to view.
Figure 2: Search results for the typo ‘watsapp web’
Referencing the first sponsored search result, ws6.whmejjp[.]com, we observe the domain to be actively impersonating the WhatsApp Web login webpage.
Clik here to view.
Figure 3: Screenshot of ws6.whmejjp[.]com as of 19 October 2023
Pivoting on structurally similar websites, we observe the host IP (2a06:98c1:3121:[:]3) hosting over 10,000 domains with a similar HTML structure. Based on the newly registered domains associated with the host IP, we observed multiple typosquatted domains targeting users of various gaming and communications platforms, such as Twitch, Steam, Valorant, and Telegram.
Referencing public reports of the ongoing attacks against Hong Kong consumers[4], we pivoted on the waacad[.]cyou domain which continues to display a WhatsApp Web login page.
Clik here to view.
Figure 4: Screenshot of waacad[.]cyou as of 19 October 2023
Analysing the host IP (103.71.152[.]102) for waacad[.]cyou, we observe it to be serving 14 newly registered domains within the last month starting from 22 September 2023. The domains were observed follow a similar domain naming convention, all displaying an identical WhatsApp Web phishing page.
Clik here to view.
Figure 5: Newly registered domains hosted by 103.71.152[.]102 [5]
Through further investigation of 103.71.152[.]102, we observed multiple domains created between 27 August and 1 September 2023, which appear to impersonate Sands casino. Based on observations that 103.71.152[.]102 and multiple of its hosted domains have been flagged as malicious for phishing, consistent naming conventions, contents of the WhatsApp Web phishing pages written in Chinese, and the ongoing suspected phishing campaign impersonating Sands, we assess with high confidence that the threat actor is conducted an ongoing, targeted phishing campaign against Hong Kong and Macau citizens.
Potential impact upon successful WhatsApp account takeover
Upon a successful WhatsApp account takeover, the attacker has full access to the user’s conversations and contact list. In the ongoing campaign targeting Hong Kong users, we observe the primary goal to be victim impersonation to request fund transfers from unsuspecting people who would typically trust the victim, including family, loved ones, and friends.
Clik here to view.
Figure 6: Sample of fraudulent fund transfer request via WhatsApp
Further, attackers may scan the victim’s conversation for sensitive information, such as personally identifiable information (“PII”) and shared passwords, depending on what sensitive information has been disclosed by the individual to other parties. In addition, the attacker could further leverage the account to send phishing links (“smishing”) to the victim’s contacts, to perform additional credential theft activities.
Conclusion
PwC’s Dark Lab observes that Hong Kong and Macau are being actively targeted by multiple opportunistic phishing campaigns. We strongly encourage citizens to exercise caution and awareness when interacting with untrusted sources. Refer to our recommendations below for general best practices and advice on how to detect and respond to a potential WhatsApp account takeover.
We continue to observe the cyber threat landscape evolve, with threat actors increasingly shift towards identity-based attacks not only weaponizing passwords, but sessions to maintain persistent access to compromised accounts. Stay tuned for part two, as we share key learnings from a recent incident response case involving a multi-stage AiTM phishing and business email compromise (BEC) attack.
Join us on November 7 2023 for PwC’s annual Hack A Day Conference: Register Here
Recommendations
How to detect if you are visiting a phishing website impersonating WhatsApp Web:
- When searching for “WhatsApp Web” or any other website, avoid sponsored links and double check before clicking on a link for any spelling errors which could indicate it is a typosquatted (phishing) domain.
- When visiting the website, while the website may appear similar to the legitimate domain, look out for the slight differences.
For example, if we compare the legitimate WhatsApp Web domain (web.whatsapp.com) with the malicious domain (waacad[.]cyou), we notice four (4) differentiators:
- If you were to check the URL of the phishing page, you would immediately notice it is suspicious and unlikely to be the actual WhatsApp login page.
- On the legitimate webpage, the WhatsApp logo and name exists, which is not observed on the malicious page.
- The instruction wordings differ.
- The legitimate webpage has a ‘Tutorial’ section with advice on ‘how to get started’. It should be noted that whilst this phishing domain does not display this section, other more convincing phishing sites could include this section to further deceive you into trusting their phishing site is legitimate.
Clik here to view.
How to check and respond if you suspect your WhatsApp account has been compromised:
1. Check and log out any unauthorised devices:
- In WhatsApp, check if any unauthorised devices are logged in (Settings > Linked Devices).
- For any suspicious or unknown logins, tap the device to log out. This will remove their access to your account.
2. Perform additional checks to identify any potential activities performed by the malicious actor during their access to your account:
- Check archived messages to see if any conversations were archived by the malicious actor.
- Check if any messages have been sent or deleted in the chat without your knowledge.
- Check if any voice recordings or files were shared to your contacts.
3. Inform any of your contacts if they have been contacted by the malicious actor.
Whether your contact unknowingly sent money or not, it is important to notify them that they were communicating with the malicious actor and not you so they can remain aware and exercise caution when receiving unusual or suspicious messages from you or other contacts.
General Best Practices
Visiting websites:
- Check links before clicking to validate their legitimacy (e.g. spelling errors) and always remain wary of the legitimacy of webpages and their branding.
- Access websites via the global webpage as opposed to the URL shortened link if in doubt.
- If you accidentally visit a phishing site,
- Do not click on any links and double check your device to see if any files were downloaded.
- If any files were downloaded, do not open it. Delete the file immediately and clear your recycling bin.
- If you believe you may have fallen victim to a phishing attack,
- Monitor your email’s “sent” folder to identify any unauthorised emails that have been issued from your account. If any, alert the receiver as well as your wider contact list that you may have fallen victim to a phishing attack, so they can be on alert that incoming messages from your account may not be legitimate.
- Perform a password reset, enable multi-factor authentication (MFA), and report the suspected phishing activity immediately to your credit card issuers (and organisation if accessed the site through your work device) to monitor and restrict potentially suspicious activity.
Communication platforms:
- If you have received a suspicious or unusual message from your contact requesting funds or sensitive information, exercise caution to determine if the request is legitimate. Potential signs that your contact has been compromised could include:
- Unusual nature of the request – e.g. your contact asking you to urgently send money
- Deviating from their normal typing or speaking pattern – if their message does not sound like them – it might not be them!
- Often times, malicious actors use artificial intelligence (“AI”) to generate messages, which may sound robotic or unnatural in nature. For voice messages, malicious actors may alter the AI-generated message (e.g. speeding it up or adding background noise) to attempt to make the voice message seem less robotic.
- Do not disclose sensitive information via WhatsApp or other communication channels. Whilst these channels may be encrypted, we continue to observe malicious actors attempting to perform account takeovers, granting them with full access to compromised users’ accounts.
MITRE ATT&CK TTPs Leveraged
We include the observed MITRE ATT&CK tactics and techniques from the campaign:
- T1583.001 – Acquire Infrastructure: Domains
- T1583.008 – Malvertising
- T1586 – Compromise Accounts
- T1608.006 – Stage Capabilities: SEO Poisoning
- T1566 – Phishing
- T1189 – Drive-by Compromise
Indicators of Compromise (IoCs)
| IOC | Type |
clooe[.]cyou | WhatsApp phishing site |
kkgee[.]icu | WhatsApp phishing site |
waacad[.]cyou | WhatsApp phishing site |
www[.]waacad[.]cyou | WhatsApp phishing site |
clooeapp[.]cyou | WhatsApp phishing site |
kkgegroup[.]icu | WhatsApp phishing site |
bbhes[.]cyou | WhatsApp phishing site |
gooe8[.]cyou | WhatsApp phishing site |
xxeez[.]icu | WhatsApp phishing site |
gooer[.]icu | WhatsApp phishing site |
waacad[.]icu | WhatsApp phishing site |
weeae[.]icu | WhatsApp phishing site |
weeaet[.]cyou | WhatsApp phishing site |
wyyadinc[.]icu | WhatsApp phishing site |
bbyaysc[.]cyou | WhatsApp phishing site |
5565m[.]vip | Potential Sands phishing site – not flagged malicious |
5565k[.]vip | Potential Sands phishing site – not flagged malicious |
5565v[.]vip | Potential Sands phishing site – not flagged malicious |
5565f[.]vip | Potential Sands phishing site – not flagged malicious |
5565t[.]vip | Potential Sands phishing site – not flagged malicious |
5565z[.]vip | Potential Sands phishing site – not flagged malicious |
5565c[.]vip | Potential Sands phishing site – not flagged malicious |
5565r[.]vip | Potential Sands phishing site – not flagged malicious |
5565i[.]vip | Potential Sands phishing site – not flagged malicious |
5565a[.]vip | Potential Sands phishing site – not flagged malicious |
5565p[.]vip | Potential Sands phishing site – not flagged malicious |
5565w[.]vip | Potential Sands phishing site – not flagged malicious |
5565g[.]vip | Potential Sands phishing site – not flagged malicious |
5565u[.]vip | Potential Sands phishing site – not flagged malicious |
5565e[.]vip | Potential Sands phishing site – not flagged malicious |
5565l[.]vip | Potential Sands phishing site – not flagged malicious |
5565d[.]vip | Potential Sands phishing site – not flagged malicious |
5565s[.]vip | Potential Sands phishing site – not flagged malicious |
5565j[.]vip | Potential Sands phishing site – not flagged malicious |
5565q[.]vip | Potential Sands phishing site – not flagged malicious |
5565x[.]vip | Potential Sands phishing site – not flagged malicious |
5565h[.]vip | Potential Sands phishing site – not flagged malicious |
5565o[.]vip | Potential Sands phishing site – not flagged malicious |
ws6.whmejj[.]com | WhatsApp phishing site |
dxweb.whasatcp[.]life | WhatsApp phishing site |
uaa.whxmcwd.top | WhatsApp phishing site |
103.71.152[.]102 | IP Address |
Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.