Distributed with
Thinkstock WhatsApp


WhatsApp users targeted by new malware campaign

Users of popular multi-platform messaging service WhatsApp are being targeted by a new malware attack through a widespread phishing campaign.

Thinkstock WhatsApp

WhatsApp users are being targeted in an attack distributing a malware variant capable of collecting sensitive information, security researchers at the Comodo Antispam Labs (CASL) team have found.

The attackers behind the malware campaign are using the tried-and-tested phishing tactic of emailing consumers from an address presenting the information as official email from WhatsApp by appropriating the service’s branding.

“This is a fairly commonplace attack in many respects,” Huntsman Security’s head of product management Piers Wilson told Business Reporter. “The thing that is different is that a vast number of people use WhatsApp.”

Referring to emails purporting to come from different banks, Wilson said attackers are transitioning away from targeting specific banks towards platforms used by more people, such as messaging services like WhatsApp and its 700 million active users.

“This type of phishing attack, this traditional scam, is something which I suspect is increasingly going to be delivered by other messaging channels – it’s not an attack method that we’re going to see going away,” said Wilson.

The emails are being sent using multiple subject lines, such as ‘you have obtained a voice notification’, ‘an audio memo was missed’ and ‘a brief video note got delivered’.

This is followed by a set of random character such as ‘Ydkpda’ that researchers believe are used to encode data to identify recipients.

“Cyber criminals are becoming more and more like marketers – trying to use creative subject lines to have unsuspecting emails be clicked and opened to spread malware,” said Fatih Orhan, CASL’s director of technology.

Researchers discovered these emails all contained compressed .zip files as attachments, which claimed to hold the user’s message but actually hosted variants of the Nivdort malware strain.

Nivdort first surfaced in 2013, evading detection by anti-virus applications at first, and was used to collect information such as IP and email addresses, most visited sites and payment card data.

Once opened on the user’s device, Nivdort can replicate itself into different system folders and add itself to auto-run on a computer’s registry.

Despite not making many appearances since 2013, Wilson reminds users that it is “not uncommon for viruses to adapt, evolve and mutate over time”, making it just as potentially dangerous as it was in 2013.

Wilson warned that while the WhatsApp phishing campaign could be used to defraud individuals, it also poses a significant risk to companies with the potential to flood entire networks with malware.

“If it’s an issue consumers have on their personal devices, then only they are affected.

“It’s more of a challenge in a business environment, where if one computer gets infected with malware then the entire corporate network can be exposed.

“The risk for organisations is still very much there.”

Full details of the malware campaign can be found on the CASL blog.

TEISS banner