Internet users are advised to be on the lookout for emails purporting to originate from Vodafone. Recipients are tricked into believing that they’ve received an MMS message.
“You have received a picture message from mobile phone number +447503087109. To save this picture, please save attached file,” the emails, entitled “You have received a new message,” read.
The attached file – which at first glance appears to be an innocent archive – actually contains an executable named “Vodafone_MMS.jpg.exe.”
For users who haven’t configured their operating system to show file extensions, this might look like a legitimate image file.
In reality, it’s a piece of malware that’s currently detected by just over half of the vendors from VirusTotal.
Variants of this Trojan, identified by Kaspersky as Trojan-Downloader.Win32.Andromeda.coh, have previously been spread with the aid of fake Facebook emails which informed recipients that their friends added a new photo to one of their albums.
The clever thing about these malicious emails, as The H Security highlights, is that they’re not designed to target users from only one country.
When they’re sent to users from the United Kingdom, they appear to come from email@example.com and the mobile phone number of the sender starts with the +44 country code.
On the other hand, when users from Germany are targeted, the sender’s email address is firstname.lastname@example.org and their phone number starts with +49.
This tactic, combined with the fact that the message itself is properly designed, ensures that many unsuspecting users will believe it’s legitimate and download the attached file.
Fortunately, the piece of malware served in this case is currently identified by a fairly large number of security products. However, when it was first identified by The H Security, only 8 of 44 antivirus engines detected it.
Considering that a brand new piece of malware can be attached to this email at any time, internauts are advised to be extra careful when coming across such notifications.