
Cybercrime, after phishing, invents “whishing” for cyber scams

Cybercriminals use whishing to spread scams, using WhatsApp as the delivery vector

After phishing, cybercrime has come up with whishing to steal victims’ information and spread malware. It was discovered by Sophos cybersecurity expert Matt Body. The new term, whishing, means “WhatsApp phishing”. He explains how it works in a post on Naked Security and in a video. “I received a WhatsApp message on Friday that piqued my interest. 2 free tickets on Virgin Atlantic – he stated –. According to the message, Virgin Atlantic was giving away two free tickets per family in celebration of its 35th anniversary. It sounded far too good to be true and, as any regular reader of Naked Security can tell you, that means it probably IS far too good to be true. I took a closer look. A much closer look. The URL looks legit, like it must belong to Virgin Atlantic, right? Wrong”. He took a closer look and zoomed in on the ‘r’ in ‘Virgin’, discovering that something was not as it was supposed to be.

What Matt Body discovered about this new kind of cyber scam

So, Body forwarded the message to one of his WhatsApp aliases on a test Android mobile device (freshly wiped, with no mobile security installed) and “fell” for the cyber scam by clicking on the link. As the post reported, “the page opens in your phone’s browser and, if you’re eagle-eyed enough, you can see that something’s phishy immediately. This is what the domain viṛ looks like in a Chrome address bar: www(dot)xn--viginatlantic-jm1g(dot)com. The xn-- at the beginning of the domain tells the browser that the domain name is encoded using punycode – a way of representing thousands of different exotic characters like Ṛ using only the Roman letters A to Z, the digits 0 to 9 and the hyphen (-) character. WhatsApp interprets the punycode and shows the internationalised version of the domain, but Chrome does not. The page itself is a four-question survey about your previous experiences, and a little PII (Personally Identifiable Information) – your age”.
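The punycode mechanism Body describes is exactly what a defender can check for automatically. The following Python snippet is an added example, not code from the article or from Sophos: it decodes the `xn--` label quoted above, lists every non-ASCII character in the result with its Unicode name, and builds a crude look-alike “skeleton” (NFKD decomposition with combining marks dropped) to compare against a constructed, hypothetical brand list. The brand list and the `analyse_host` helper are assumptions made for this example.

```python
import unicodedata

# Constructed sample: the defanged host quoted in the article, re-fanged for parsing.
SAMPLE_HOST = "www.xn--viginatlantic-jm1g.com"

# Hypothetical brand allow-list for this example (not from the article).
KNOWN_BRANDS = {"virginatlantic.com"}


def decode_idna_host(host: str) -> str:
    """Decode every 'xn--' label with the Punycode codec; plain labels pass through."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            # Strip the ACE prefix and let Python's punycode codec expand the label.
            labels.append(label[4:].encode("ascii").decode("punycode"))
        else:
            labels.append(label)
    return ".".join(labels)


def non_ascii_chars(text: str) -> list:
    """Return (character, Unicode name) pairs for each non-ASCII code point."""
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in text if ord(ch) > 127]


def skeleton(text: str) -> str:
    """Crude look-alike skeleton: NFKD-decompose, then drop combining marks.

    'ṛ' (U+1E5B) decomposes to 'r' + COMBINING DOT BELOW, so it collapses to 'r'.
    """
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def analyse_host(host: str, brands=KNOWN_BRANDS) -> dict:
    """Decode a hostname and flag it if its skeleton collides with a known brand."""
    decoded = decode_idna_host(host)
    suspicious = non_ascii_chars(decoded)
    # Compare only the registrable part (last two labels) with the brand list.
    registrable = ".".join(decoded.split(".")[-2:])
    lookalike = skeleton(registrable)
    return {
        "decoded": decoded,
        "non_ascii": suspicious,
        "skeleton": lookalike,
        # Only a brand match that needed non-ASCII characters counts as impersonation.
        "impersonates": lookalike if (suspicious and lookalike in brands) else None,
    }


if __name__ == "__main__":
    for host in (SAMPLE_HOST, "www.virginatlantic.com"):
        report = analyse_host(host)
        print(host)
        print("  decoded     :", report["decoded"])
        print("  non-ASCII   :", report["non_ascii"])
        print("  skeleton    :", report["skeleton"])
        print("  impersonates:", report["impersonates"])
```

Running it shows the decoded host `www.viṛginatlantic.com`, the single offending character `LATIN SMALL LETTER R WITH DOT BELOW`, and a skeleton equal to the genuine brand domain, which is the signal a mail or messaging gateway would act on. The genuine `www.virginatlantic.com` produces no non-ASCII characters and is not flagged.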

To make the deception more convincing, the cybercriminals publish a collection of fake Facebook comments

As Body discovered, the cyber scam tries to lend itself some legitimacy with Virgin Atlantic branding and a collection of fake Facebook comments. If a victim fills in the survey, they are asked to share the WhatsApp message with 20 friends or groups using a handy button. Then the target is led to a separate website that tells them “you’re just one step away” and asks for more personal information. The Sophos cybersecurity expert also noted that, “although the scam is in English, the code is full of comments like <!-- Button zum Teilen -->. That suggests it was created by a German speaker”, that is, a German-speaking malicious hacker.

Body’s post on Naked Security and the video on whishing:

WhatsApp phishing – or Whishing for short – and how to avoid it

Posted by Naked Security by Sophos on Thursday 5 April 2018
