Every week, new threats emerge, new “tricks” that criminals use to steal victims’ data or take over their devices.
Now WhatsApp is the protagonist of the story again with a message that offers to make backup copies of our messages and send the file by email.
The Spanish Office for Internet Safety (OSI) and the Civil Guard warn against this new threat: because the received message uses the WhatsApp name and logo, many may think it is genuine.
This message does not arrive through WhatsApp but by email, although it looks like a traditional WhatsApp message. When a user clicks on the link in said email, thinking they are accessing their WhatsApp account backup, they are actually downloading a virus.
In fact, the file attached to this email is an HTML document named “Open_Document_513069.html”. When opened, it asks the user to download a ZIP file, and inside is the installer (MSI) with the Grandoreiro banking trojan (Win32/Spy.Grandoreiro.BB).
The target is users from Spain and Latin America (mainly Mexico and Brazil).
These Trojans can detect and disable banking protection software, and they specialize in capturing our bank ID and password, both in official applications and in online stores. They also collect one-time passwords, the kind we receive via text message, so the risk is great even when we think that two-step identification protects us.
To avoid falling into the trap, it is important to identify the signs that an email does not come from who it claims to be. To do so, pay attention to the domain it comes from and to the links you open (a shortened link is suspicious, for example).
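The checks described above can be automated for a mail gateway or a reported-phishing mailbox. The following Python sketch is an added example, not code from the OSI or the Civil Guard; the `triage` function, the trusted domain set, the shortener list and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Assumptions: the brand's real mail domain and a short list of URL shorteners.
BRAND, BRAND_DOMAINS = "whatsapp", {"whatsapp.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}

# Constructed sample message; only the attachment name comes from the article.
SAMPLE = """\
From: "WhatsApp Backup" <notify@mail-example.test>
Subject: Your WhatsApp chat backup
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain; charset="utf-8"

Download your backup: https://bit.ly/constructed-example
--XX
Content-Type: text/html; name="Open_Document_513069.html"
Content-Disposition: attachment; filename="Open_Document_513069.html"

<html><body>constructed placeholder</body></html>
--XX--
"""

def triage(raw_email: str) -> list[str]:
    """Return the warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw_email)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    trusted = any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS)
    # Sign 1: the brand appears in the display name or subject, not in the domain.
    if BRAND in f"{display} {msg.get('Subject', '')}".lower() and not trusted:
        findings.append(f"brand-mismatch:{domain}")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        # Sign 2: an HTML attachment, the delivery vehicle in this campaign.
        if name.endswith((".html", ".htm")):
            findings.append(f"html-attachment:{name}")
        # Sign 3: shortened links in a body part (attachments are not scanned).
        if part.get_content_maintype() == "text" and not name:
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            for url in re.findall(r"https?://[^\s\"'<>]+", body):
                host = (urlparse(url).hostname or "").lower()
                if host in SHORTENERS:
                    findings.append(f"shortened-link:{host}")
    return findings
```

Calling `triage(SAMPLE)` returns all three signs for the constructed message, while a message sent from the trusted domain with no attachment or shortened link returns an empty list.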
If in doubt, you can ask in our Telegram Group, where we always help identify this type of action.