Two weeks ago, the Comodo Threat Research Lab discovered a malware campaign aimed at businesses and consumers using the WhatsApp mobile messaging service. That attack used official looking emails masquerading as WhatsApp content.
Now Comodo’s researchers have identified a similar phishing campaign targeting Facebook users, which it believes was created by the same group behind the WhatsApp malware.
The new Facebook campaign tries to represent itself as an email from Facebook which states there is a new message for the recipient.
The subject headings of the emails, which are similar to those used to spread the WhatsApp malware, include:
- A brief vocal e-mail was delivered. sele
- An audio announcement has been delivered! Lucqmc
- An audible warning has been missed. Yqr
- You got a vocal memo! Fcqw
- You recently missed a short audible notice. Rtn
- Ein Videohinweis wurde vermisst! squy (German for "a video note was missed")
Comodo says "Each subject line ends with a set of random characters like 'sele' or 'Yqr'. These are most likely being used to bypass antispam products rather than identify the user".
The malware is in a .zip file, sent as an attachment. Comodo has identified this as a variant of the "Nivdort" malware family.
Commenting on the findings, Fatih Orhan, Director of Technology for Comodo and the Comodo Threat Research Lab said: "In this age of cyberattacks, being exposed to phishing is a destiny for every company, well-known or not. It may not be the most groundbreaking attack method cybercriminals use - but there’s no denying that they’re becoming more clever when crafting their messages. More frequently, they’re using 'too good to be true' promises and action-oriented language in the subject lines to entice recipients to open the emails, click the links or attachments and spread the malware.
"Users should be cautious of any email that requires information or that redirects to a URL Web page - and especially if there is a file download."