According to the Venture Capital Post, Facebook messaging tool WhatsApp now boasts over 900 million users and projects to hit 1 billion in the near future. While it’s not a huge money-maker for Facebook just yet — it’s charging just $1 per year in North America and Europe, and the app is available for free in developing countries — the service is nonetheless a popular target for cybercriminals.

As noted by SC Magazine, the newest attack vector leverages virtual business cards, or vCards. When opened on the Web version of the app, users could be exposed to a host of malware risks.

Above Board?

Kasif Dekel, a researcher for Check Point Security, which first found the new vulnerability, said all it takes for an attacker to compromise a victim’s computer is the right mobile phone number and a single vCard. Once opened in the WhatsApp Web service, hidden executable files in the vCard are activated, allowing attackers to install anything from ransomware to remote access tools (RATs), bots or Trojans.

Compounding the problem is the prevalence of vCards and the fact that many seem above board on the surface. What’s more, obtaining a user’s phone number often takes little more than a quick Internet search — and once a new vCard arrives, most users are willing to take a look since they often believe their number isn’t available for public viewing.

The app itself doesn’t help matters because it automatically syncs users’ mobile devices and desktop computers to provide a unified experience — meaning that even if users typically avoid their desktop, they’ll get a vCard notification and may be tempted to log on and check out the message, in turn exposing their system to malware. And with approximately 200 million WhatsApp users leveraging the Web portal on a regular basis, this malware threat comes with a significant attack surface.

The Issue With Doing Everything

Facebook’s purchase of WhatsApp certainly seems to be paying off. Users love the service, and the company has a built-in revenue model if and when they choose to use it. But the service suffers from the same problem as many others of similar nature: trying to do everything, all at once, for interested users.

While synchronization across devices and the ability to view images, videos, audio files, locations and contact cards is attractive for users, this kind of smorgasbord represents massive opportunity for cybercriminals. If users can be convinced to download one malicious file or open one seemingly legitimate business card, it’s possible to infect entire systems without victims even knowing they’ve been compromised.

Fortunately, WhatsApp has been quick to respond. While all versions before 0.1.4481 are still vulnerable, the company issued a temporary mitigation against this vCard vulnerability for Web clients and already has a more permanent fix in the works. Of course, the onus for updating remains with the user — the sooner the better to ensure protection against this kind of exploit.

Messaging apps are prime targets for attackers since they offer big user basis and a low bar to entry. Stopping cybercriminal trash talk demands a combination of app developer speed and user commitment to securing their own devices.

More from

Machine Learning Applications in the Cybersecurity Space

3 min read - Machine learning is one of the hottest areas in data science. This subset of artificial intelligence allows a system to learn from data and make accurate predictions, identify anomalies or make recommendations using different techniques. Machine learning techniques extract information from vast amounts of data and transform it into valuable business knowledge. While most industries use these techniques, they are especially prominent in the finance, marketing, healthcare, retail and cybersecurity sectors. Machine learning can also address new cyber threats. There…

3 min read

HHS Releases Hospital Cyber Resiliency Landscape Analysis

4 min read - On April 17, 2023, The U.S. Department of Health and Human Services (HHS) 405(d) Program announced the release of its Hospital Cyber Resiliency Initiative Landscape Analysis. This landmark analysis reports on domestic hospitals’ current state of cybersecurity preparedness. The scope of the HHS study was limited to activities that protect access to patient care and safety and reduce the negative impact of cyber threats on clinical operations. Breaches of sensitive data were considered only if the breach had a direct…

4 min read

BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration

9 min read - This blog was made possible through contributions from Kat Metrick, Kevin Henson, Agnes Ramos-Beauchamp, Thanassis Diogos, Diego Matos Martins and Joseph Spero. BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat (a.k.a. ALPHV) ransomware affiliates' more recent attacks include targeting organizations in the healthcare, government, education, manufacturing and hospitality sectors. Reportedly, several of these incidents resulted…

9 min read

Now Social Engineering Attackers Have AI. Do You? 

4 min read - Everybody in tech is talking about ChatGPT, the AI-based chatbot from Open AI that writes convincing prose and usable code. The trouble is malicious cyber attackers can use generative AI tools like ChatGPT to craft convincing prose and usable code just like everybody else. How does this powerful new category of tools affect the ability of criminals to launch cyberattacks, including social engineering attacks? When Every Social Engineering Attack Uses Perfect English ChatGPT is a public tool based on a…

4 min read