Use WhatsApp on Windows? Why You Could Be At Risk
A recently discovered scam was exploiting users via the WhatsApp desktop client for Windows, tricking them into downloading and opening a seemingly harmless attachment that would lead directly to malware being installed on the system.
How the scam works
The scammers would send an innocent-looking attachment which was actually a script file (a .vbs) that would run on Windows and execute behind the scenes.
This malicious script covered its tracks by making copies of legitimate Windows tools and setting those copies up to download malware while they were being used. This gave the bad guys unattended access to the compromised device.
Unsuspecting users were essentially handing the hackers the keys to their house and letting them run wild behind the scenes. The worst part? Since these were based on copied Windows tools, they evaded most automatic virus detection; the tools still performed their real functions, all while downloading the malicious content behind the scenes.
How to protect yourself
Of course, even if you’re not a WhatsApp user, most of this same advice is still applicable. If you do benefit from their desktop app, this is by no means us telling you to avoid it going forward. We just want you to be aware and safe on your computer.
Here is what we recommend:
- Don’t open unexpected attachments. If you weren’t expecting it, don’t open it.
- Keep your antivirus up to date. Even though this scam was able to circumvent some aspects of real-time detection, an active scanner still picks up the suspicious activity and notifies you.
- Only download from legitimate sources. Go directly to the source whenever you want to download a file; don’t trust attachments in messages.
- Regularly scan and clean up your computer. This can be done manually with an antivirus program, or you can take advantage of a service (such as iDefend’s Device Security) that includes on-demand computer checkups.
One final tip
If you want another layer of protection and fancy yourself something of an advanced user, something else you can do is configure your file viewer (Windows Explorer) to allow you to see the full file name of everything you download, including the file extension.
This will enable you to spot a suspicious file before running it. The two most common extensions you’ll want to look for are .vbs and .msi. These are both real script file types which are fine in the right context, but shouldn’t be in unexpected downloads or attachments.
Do this by opening Windows Explorer, clicking on View, and turning on View file name extensions.
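For readers comfortable with PowerShell, the same setting can be applied from a script, followed by a check of the Downloads folder for the two extensions mentioned above. This is an added example, not part of the original article; it assumes downloads land in the default per-user Downloads folder, and the double-extension check is a simple heuristic.

```powershell
# Added example: show file extensions in Explorer for the current user, then
# list .vbs/.msi files in Downloads so they can be reviewed before opening.

# 1. Registry value behind Explorer's "file name extensions" option (0 = show).
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $advanced -Name HideFileExt -Value 0 -Type DWord

# 2. Extensions named in the article. Assumption: extend the list as needed.
$watch = '.vbs', '.msi'

# Assumption: downloads are saved to the default per-user Downloads folder.
$downloads = Join-Path $env:USERPROFILE 'Downloads'

$findings = Get-ChildItem -Path $downloads -File -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $watch -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $file = $_

        # Heuristic: "invoice.pdf.vbs" is displayed as "invoice.pdf" when
        # extensions are hidden, so flag names that carry a second extension.
        $inner = [System.IO.Path]::GetExtension($file.BaseName)

        # Zone.Identifier is the NTFS stream Windows uses to record that a
        # file came from another zone (ZoneId=3 is the Internet zone).
        $zone = Get-Content -Path $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue |
            Where-Object { $_ -match '^ZoneId=' } |
            Select-Object -First 1

        [pscustomobject]@{
            Name            = $file.Name
            Modified        = $file.LastWriteTime
            DoubleExtension = [bool]$inner
            ZoneId          = if ($zone) { ($zone -split '=')[1] } else { 'none' }
            Path            = $file.FullName
        }
    }

if ($findings) {
    $findings | Sort-Object Modified -Descending | Format-Table -AutoSize -Wrap
} else {
    Write-Host "No $($watch -join ' or ') files found under $downloads"
}
```

Explorer windows that are already open may need a refresh before they show the extensions. A listed file is not necessarily malicious; the output is a list of items to verify against what you knowingly downloaded.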