The Comodo Group has recently identified a phishing email campaign that targets potential users of the popular WhatsApp instant messaging client.
The campaign does not affect WhatsApp itself, but it consists of phishing emails that masquerade as legitimate communications from WhatsApp Inc., designed to mislead users into installing a variant of the 'Nivdort' trojan enclosed as an attachment with the .zip extension. Nivdort has the potential to allow attackers to steal personally identifiable information.
The phishing emails claim to be from WhatsApp and include the company's branding, but it is possible for users to determine the authenticity of a suspected message by viewing the sender's address included in the From: field within the message's header. All of the phishing emails are sent with deceptive subjects meant to encourage users into opening them, such as an alert that a user has a new voice notification followed by a set of random characters.
Examples of subjects include:
- You have obtained a voice notification xgod
- An audio memo was missed. Ydkpda
- A brief audio recording has been delivered! Jsvk
- A short vocal recording was obtained npulf
- A sound announcement has been received sqdw
- You have a video announcement. Eom
- A brief video note got delivered. Atjvqw
- You’ve recently got a vocal message. Yop
Users can take measures to protect themselves from a phishing attack by regularly updating their anti-malware software, by verifying the sender of all new email messages, and by not opening attachments from unknown sources.
This is not the first time that attackers have masqueraded as WhatsApp to spread malware. Avira reported in 2013 that attackers were impersonating the messaging client's voicemail feature to target unsuspecting users. In 2014, attackers delivered phishing emails to steal banking information by installing the Zeus trojan horse on victims' machines.
Source: Comodo Group | Phishing attack image courtesy of Shutterstock