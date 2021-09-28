Every week new threats appear, new “tricks” that criminals use to steal victims’ data or take over their devices.

Now WhatsApp is once again the protagonist of the story with a message that offers to make backup copies of our messages and send the file by email.

The Spanish Internet User Security Office (OSI) and the Civil Guard warn of this new threat: the message uses the WhatsApp name and logo, so many recipients may think it is authentic.

This message does not arrive via WhatsApp; it arrives by email, but it is styled to look like a traditional WhatsApp message. When a user clicks the link in the email, thinking they are accessing the backup of their WhatsApp account, they are actually downloading malware.

In fact, the file attached to this email is an HTML document named “Open_Document_513069.html”. When opened, it directs the user to download a ZIP file, and inside it is an MSI installer carrying the Grandoreiro banking trojan (Win32/Spy.Grandoreiro.BB).

The targets are users in Spain and Latin America (mainly Mexico and Brazil).

These Trojans can detect and deactivate bank protection software, and they specialize in capturing bank logins and passwords, both in official apps and in online stores. They also retrieve one-time passwords, the kind we receive by SMS, so the risk is great even when we think two-step verification protects us.

To avoid falling into the trap, it is important to recognize the signs that an email is not from who it claims to be. Pay attention to the domain it was sent from and to the links it asks you to open (a Bitly shortened link is suspicious, for example).
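The checks above (sender domain versus the brand the email claims, shortened links) together with the HTML attachment seen in this campaign can be automated for mail triage. This is an added example, not code from the original article or from OSI; the brand-to-domain map, the shortener list beyond Bitly, and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for this example: brand-to-domain map and shortener list.
BRAND_DOMAINS = {"whatsapp": ("whatsapp.com",)}
SHORTENERS = {"bit.ly", "bitly.com", "tinyurl.com", "t.co"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample message (placeholder sender, link and attachment body).
SAMPLE = """\
From: WhatsApp <backup@mail.example.net>
Subject: Your WhatsApp backup is ready
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Download your chat history: https://bit.ly/EXAMPLE
--b1
Content-Type: text/html
Content-Disposition: attachment; filename="Open_Document_513069.html"

<html><body>constructed placeholder</body></html>
--b1--
"""

def triage(raw):
    """Return the warning signs found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_host = addr.rpartition("@")[2].lower()
    claimed = f"{display} {msg.get('Subject', '')}".lower()
    for brand, domains in BRAND_DOMAINS.items():
        legit = any(sender_host == d or sender_host.endswith("." + d) for d in domains)
        if brand in claimed and not legit:  # brand named, sent from elsewhere
            findings.append(f"brand-mismatch:{brand}:{sender_host}")
    for part in (p for p in msg.walk() if not p.is_multipart()):
        name = (part.get_filename() or "").lower()
        if part.get_content_disposition() == "attachment" and name.endswith((".html", ".htm")):
            findings.append(f"html-attachment:{name}")
        if part.get_content_maintype() == "text":
            for url in URL_RE.findall(part.get_content()):
                host = (urlparse(url).hostname or "").lower()
                if host in SHORTENERS:  # real destination is hidden
                    findings.append(f"shortened-link:{host}")
    return findings
```

Calling `triage(SAMPLE)` reports all three signs for the constructed message; any single finding is a reason to hold the email for review rather than proof of malice.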

In case of doubt, you can ask in our Telegram group, where we always help to identify this type of scam.