According to Metro, hackers have been actively adopting a new phishing scam by disguising malware as WeTransfer links.
The scam involves hackers purporting to send a ‘Proof of Payment’ document from WeTransfer, but instead sharing a link containing malware. Cybersecurity researchers from Cofense found that hackers used the misleading links to distribute malware called Lampion.
“The file the targets receive is a ZIP archive containing a VBS (Virtual Basic script) file the victim needs to launch for the attack to begin,” states Metro. “Lampion is a known computer virus, capable of stealing sensitive data, such as banking information and passwords. The Lampion trojan has been around since at least 2019, focusing mainly on Spanish-speaking targets and using compromised servers to host its malicious ZIPs.
“What makes this campaign more dangerous than other, similar, campaigns is the use of a legitimate file transfer service like WeTransfer, making it extremely difficult for email security systems to flag as malicious. The hackers are also abusing Amazon Web Services (AWS) to operate the Lampion malware.”
Comments Jake Moore, global cyber security advisor at ESET: “People need to verify the source of attachments, irrespective of the carrier, and, if they are not expecting it, they should carry out further due diligence. If the attachment received is a zip file, people need to be extra cautious.”