After seeing the URL of the deceptive site, Motherboard found multiple clusters of domains associated with the publicly shared link. Some variations of the original URL were also discovered. One of them was config1-dati[.]com, which appeared to be a phishing page that tricked individuals into installing a fake version of WhatsApp. It looked legitimate, with WhatsApp branding and professional graphics, and gave users instructions on how to install a configuration file on the iPhone to get the fake version installed.
Citizen Lab researcher Bill Marczak noted that the configuration file provided by the phishing page allowed the attacker to have device details, including the UDID and IMEI, sent to a server. The researchers, however, did not find what other data the file could have provided from the user's device.
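For defenders triaging a suspicious .mobileconfig file, the following added example (not code from Motherboard, Citizen Lab or the page) reports which device identifiers a profile requests and where they would be sent. It assumes the profile uses Apple's "Profile Service" payload type, which the page does not confirm; the sample profile and its URL are constructed placeholders.

```python
import plistlib
from typing import Optional

# Identifiers an iOS "Profile Service" payload can ask the device to report.
# The page names UDID and IMEI; the others are listed for completeness.
IDENTIFIERS = {"UDID", "IMEI", "ICCID", "MEID", "SERIAL"}

def load_profile(raw: bytes) -> dict:
    """Parse a .mobileconfig. Signed profiles wrap the XML plist in a CMS
    envelope, so cut the plist out of the wrapper first (a triage heuristic)."""
    start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
    if start != -1 and end != -1:
        raw = raw[start:end + len(b"</plist>")]
    return plistlib.loads(raw)

def audit_profile(raw: bytes) -> Optional[dict]:
    """Return what the profile collects and where it sends it, or None
    when the profile is not a Profile Service (device query) payload."""
    profile = load_profile(raw)
    content = profile.get("PayloadContent")
    if profile.get("PayloadType") != "Profile Service" or not isinstance(content, dict):
        return None
    requested = set(content.get("DeviceAttributes", []))
    return {
        "collection_url": content.get("URL"),
        "identifiers": sorted(requested & IDENTIFIERS),
        "other_attributes": sorted(requested - IDENTIFIERS),
        "display_name": profile.get("PayloadDisplayName"),
    }

# Constructed sample for illustration; every value here is a placeholder.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Profile Service</string>
  <key>PayloadDisplayName</key><string>Messenger Setup</string>
  <key>PayloadContent</key><dict>
    <key>URL</key><string>https://collector.example/enroll</string>
    <key>DeviceAttributes</key><array>
      <string>UDID</string><string>IMEI</string>
      <string>VERSION</string><string>PRODUCT</string>
    </array>
  </dict>
</dict></plist>"""

if __name__ == "__main__":
    print(audit_profile(SAMPLE))
```

A finding whose `collection_url` points outside the organisation's own device-management infrastructure is the signal worth escalating.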
There was no clear indication of whether the fake version of WhatsApp was linked with Cy4Gate, which works with law enforcement agencies and the government in Italy. However, a set of domains was found that at one point shared an IP address with the config5-dati[.]com domain. That set drew attention to another set of domains that followed similar conventions, and one of them was registered to “cy4gate srl.” This suggested a link with the Italian surveillance company.
A WhatsApp spokesperson assured action against the fake version. “We strongly
oppose abuse from spyware companies, regardless of their clientele. Modifying
WhatsApp to harm others violates our terms of service. We have and will continue
to take action against such abuse, including in court,” the spokesperson said, as
quoted by Motherboard.
“To help keep chats safe, we recommend that people download WhatsApp from the
app store for their phone's platform. In addition, we may temporarily ban people
using modified WhatsApp clients we detect to help encourage people to download
WhatsApp from an authoritative source,” the spokesperson added.