Key Points
An on-going phishing campaign was uncovered in early July, targeting WhatsApp users seeking a work visa in the UK. In this campaign, the attackers are masquerading as UK government employees in an attempt to lure the victim to scroll through the message, share it, and then click on the malicious link. If the victim were to click on the link served in the message, they would then be redirected to a malicious website masquerading as a legitimate UK visa and immigration website. The website targets users’ PII by asking for their full name, employment status, marital status, phone number, and email address.
In addition to targeting WhatsApp users, this message also uses the victim to spread the phishing message. The victim is told that they will be given another visa if 15 of their friends are invited. In addition, the attackers ask the victims to share the form with five groups that would receive the same prize. The victims of this shared message are sent to various links that are used to collect the victims personal data.
Looking at the message that is sent to the victim, it appears that the government of the UK sent it out. However, the link in the message does not lead to an official UK government website, and other red flags are evident, such as an incorrect minimum age for a skilled work visa.
Below is the message that was sent to the victim:
UK GOVERNMENT JOB RECRUITMENT 2022: This is open to all Individuals who wants to work in UK, Here is a great chance for you all to work conveniently in the UK. UK needs over 132,000 workers in 2022. Over 186,000 Jobs are Open for applying. THE PROGRAM COVERS: Travel expense. Housing. Accommodation. Medical facilities. Applicant must be 16 years or above. Can speak basic English. BENEFIT OF THE PROGRAM: Instant work permit. Visa application assistance. All nationalities can apply. Open to all individuals and students who want to work and study. Apply here [Fake link]
According to Malwarebytes, the website masquerades as being a legitimate UK Visa and Immigration website. The website asks the victim questions about marital status and employment status and then continues to ask basic questions such as for the victims name, email, and phone number. The attackers could then use this information to potentially commit identity theft or commit further phishing scams.
If you are interested in learning more about the SafeGuard Cyber solution, you can take a quick 5-minute tour.