
Security researchers have uncovered a WhatsApp phishing email campaign that attackers are using to spread a malware variant of the Nivdort family.

The team at Comodo Labs has published a blog post about the ongoing attack:

“As part of a random phishing campaign, cybercriminals are sending fake emails representing the information as official WhatsApp content to spread malware when the ‘message’ is clicked on,” the team explains.

Comodo Labs notes that the messages are sent from a rogue email address that has been disguised as a legitimate WhatsApp account. Viewing the actual FROM address, however, reveals that the emails are not associated with the popular mobile phone messaging platform.

Ultimately, a user’s smartphone is what defines them in the WhatsApp network, notes Chris Smith of BGR, which means that the company has no reason to send out emails. Additionally, notifications are displayed on a user’s phone screen and are never sent in email form.

Each of the fake emails comes with a subject line that includes a random series of alphabetical characters, strings which Comodo Labs reasons the attackers use for coding purposes.

These subject lines read as follows:

  • You have obtained a voice notification xgod
  • An audio memo was missed. Ydkpda
  • A brief audio recording has been delivered! Jsvk
  • A short vocal recording was obtained npulf
  • A sound announcement has been received sqdw
  • You have a video announcement. Eom
  • A brief video note got delivered. Atjvqw
  • You’ve recently got a vocal message. Yop

“Cybercriminals are becoming more and more like marketers – trying to use creative subject lines to have unsuspecting emails be clicked and opened to spread malware,” said Fatih Orhan, Director of Technology for Comodo and the Comodo Antispam Labs in a statement shared by Express.

All of the emails contain a compressed (zip) file as an attachment. When the attachment is opened, Nivdort is executed and installed onto the machine, at which point it replicates into different system folders.
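The three traits reported above (a WhatsApp display name on an unrelated sender address, a media-notification subject ending in a short alphabetic token, and a zip attachment) can be combined into a simple mail-filter heuristic. The following is an added example, not code from Comodo Labs; the function names, the `whatsapp.com` brand domain, the two-indicator threshold and the sample messages are assumptions made for illustration.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Wording taken from the subject lines listed in the article.
LURE = re.compile(r"\b(voice|audio|vocal|sound|video)\b", re.I)
# Short alphabetic token at the very end of the subject (e.g. "xgod", "Eom").
TAIL = re.compile(r"\s([A-Za-z]{3,6})$")
BRAND_DOMAIN = "whatsapp.com"  # assumption: the only domain treated as genuine

def indicators(msg):
    """Return the campaign traits that a parsed message exhibits."""
    hits = []
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    genuine = domain == BRAND_DOMAIN or domain.endswith("." + BRAND_DOMAIN)
    if "whatsapp" in name.lower() and not genuine:
        hits.append("sender-mismatch")
    subject = str(msg.get("Subject", "")).strip()
    # Weak on its own: ordinary subjects can also end in a short word.
    if LURE.search(subject) and TAIL.search(subject):
        hits.append("subject-pattern")
    if any((part.get_filename() or "").lower().endswith(".zip")
           for part in msg.walk()):
        hits.append("zip-attachment")
    return hits

def is_suspicious(msg, threshold=2):
    """Flag only when several independent traits coincide."""
    return len(indicators(msg)) >= threshold

def sample(from_hdr, subject, zip_name=None):
    """Build a constructed test message (not a captured campaign email)."""
    msg = EmailMessage()
    msg["From"] = from_hdr
    msg["Subject"] = subject
    msg.set_content("You have a new message.")
    if zip_name:
        msg.add_attachment(b"PK\x03\x04", maintype="application",
                           subtype="zip", filename=zip_name)
    return msg

if __name__ == "__main__":
    lure = sample("WhatsApp <notify@mailer.example>",
                  "You have a video announcement. Eom", "message.zip")
    print(indicators(lure), is_suspicious(lure))
```

Requiring two or more indicators keeps a plain zip attachment or an innocuous subject from triggering the flag by itself.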

[Image: Comodo Labs, WhatsApp Nivdort. Source: Comodo Labs]

News of this attack campaign comes at the same time that a fake WhatsApp update is targeting Android users.

Most users will remain “largely unaffected” by this threat, however, as long as they install apps and upgrades from legitimate app stores.

“Users who are most at risk are those looking to download apps from the less regulated third-party markets which are very prevalent in some parts of the world,” Craig Young, security researcher at Tripwire, told MailOnline.
