URL trick generates WhatsApp, Signal and iMessage phishing – Research Snipers

A trick that has been known for years lets cybercriminals abuse popular messaging services such as WhatsApp, Signal or iMessage for phishing. The attackers can present URLs that look legitimate, for example as if they came from apple.com or google.com. This comes from a report by the online magazine BleepingComputer. Some of the underlying vulnerabilities have been known since 2019 and put users of the most popular messaging and social platforms such as Instagram, iMessage, WhatsApp, Signal and Facebook Messenger at risk.

The issue is back in the spotlight now that a proof of concept has emerged. The display bug allows threat actors to create legitimate-looking phishing messages and use them to target victims en masse.

Apparently Trusted Domains

When a right-to-left override (RTLO) character, Unicode U+202E, is inserted into a string, a browser, email or messaging client renders the text that follows it from right to left instead of the normal left-to-right order. The character exists to support bidirectional text, for example Arabic or Hebrew embedded in an otherwise left-to-right message. Inserted into a URL, it can make an attacker-controlled address appear in a message as a legitimate, trusted subdomain of apple.com or google.com. The following CVEs have been assigned to the vulnerabilities, which are known to work in the following versions of IM applications:

  • CVE-2020-20093 – Facebook Messenger 227.0 or earlier on iOS and 228.1.0.10.116 or earlier on Android
  • CVE-2020-20094 – Instagram 106.0 or earlier for iOS and 107.0.0.11 or earlier on Android
  • CVE-2020-20095 – iMessage on iOS 14.3 or earlier
  • CVE-2020-20096 – WhatsApp 2.19.80 or earlier on iOS and 2.19.222 or earlier on Android

A proof of concept was recently published on Github. The vulnerabilities may have been actively exploited for a long time.

Phishing, malware, impersonation

The text after the injected RTLO control character is displayed reversed because it is treated as a right-to-left language (Arabic, Hebrew, etc.), so the threat actor only has to choose characters whose reversed form reads as the target domain or file name. For example, a fake URL “gepj.xyz” would be displayed as a harmless JPEG image file “zyx.jpeg”, while a fake URL “kpa.li” would be displayed as an APK file “li.apk”. Many URLs can be masked this way, which makes the spoofing very difficult to detect.

Brian is the news writer at Research Snipers which primarily covers tech news, Microsoft News, Google News, Facebook, Apple, Huawei, Xiaomi and other tech news.
