Hackers used fake WhatsApp version to trick iPhone users
Shafaq News/ A fake version of WhatsApp for iOS was used to trick iPhone users into installing a certain configuration file on their devices that would allow threat actors to collect sensitive information, including - but not limited to - the Unique Device Identifier (UDID) as well as the International Mobile Equipment Identity (IMEI). According to cybersecurity-help.
A research from experts at University of Toronto's Citizen Lab and Motherboard has linked the fake WhatsApp version to an Italian surveillance company Cy4Gate, which offers a number of products designed for cyber intelligence purposes, including DSINT, HYDRA, Epeius, Gens.AI and Igea.
Last week, the security company ZecOps said in a tweet that it had detected attacks against WhatsApp users. In a message the company shared a specific domain (config5-dati[.]com) and an IP address it said was related to the attacks.
Digging deeper, the Citizen Lab researchers uncovered several domains linked to config5-dati[.]com, including one that hosted a phishing page to download WhatsApp. This site was masqueraded as official WhatsApp site, with WhatsApp branding and professional graphics laying out the installation process step-by-step. However, in reality, it attempted to trick iPhone users into downloading a configuration file that would collect information about users and sent it to the attacker.
In addition, Motherboard discovered several similarly named domains that shared an encryption certificate with config5-dati[.]com.
It is not clear what other data the hacker would have been able to steal from compromised devices.
The assumption of the Cy4Gate's involvement was made based on the fact that one of the domains that at one point shared an IP address with the config5-dati[.]com domain was registered "cy4gate srl", and that an encryption certificate for an IP address associated with domain, which displayed the WhatsApp phishing page, mentioned "epeius."
Motherboard found mentions of Epeius in certificates connected to IP addresses pointing to more of the config domains too. The Citizen Lab researchers also found that the config-1dati[.]com domain at some point returned a login page with a Cy4gate logo and the name Epeius.
When contacted by Motherboard, a Cy4gate spokesperson said that the config domains identified by Citizen Lab researchers are not attributable to the company, however, the check3[.]it domain belonged to the company.
