A highly complex cyberattack involving phishing emails containing photos taken by NASA's James Webb Space Telescope has been detected by cybersecurity firm Securonix and can potentially result in some serious online safety issues.

As such, we're going to take a look at what exactly this cyberattack is, how to spot it, and how to stay safe from the hackers behind it. Just remember that if you need support or someone to talk to, our Sonder support team is available 24/7 to chat whenever you need it.


What is this James Webb Space Telescope cyberattack?

This cyberattack is a sophisticated malware campaign named 'GO#WEBBFUSCATOR'. It involves a phishing email with a Microsoft Office attachment being sent out to unsuspecting victims. The attack is so complex that it is unable to be detected by antivirus software and is therefore more likely to appear in users' inboxes rather than their spam or junk folders.

The cyberattack begins with the victim being sent a phishing email containing a Microsoft Office attachment named "Geos-Rates.docx", which will download a template file onto the victim's device without their knowledge when opened.

Once this template file is downloaded, it auto-executes a VBS macro that downloads a JPG image onto the victim's device, provided macros are enabled on that device. When opened, the image is of the galaxy cluster SMACS 0723, captured by the James Webb Space Telescope. However, the image also contains a malicious piece of code that will give hackers the ability to spy on or remotely take control of the victim's device.

In short, this cyberattack can be summed up as: a phishing email containing a suspicious document gets sent out; when the document is opened (and the device has macros enabled), it downloads an image of the galaxy cluster SMACS 0723 containing malicious code; and after the image is opened, the code hidden in it lets hackers spy on or take control of your device.
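For readers who want to check an attachment without opening it in Word, the sketch below (an added example, not code from Securonix or from this article's sources) lists any remotely hosted template that a .docx file points to, which is the first step of the chain described above. The helper names, the sample documents and the example.invalid address are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Standard OOXML relationship namespace and the "attached template" type.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                 "relationships/attachedTemplate")
MAX_PART_SIZE = 1_000_000  # skip oversized parts (guards against zip bombs)

def remote_templates(docx_bytes):
    """Return http(s) template URLs a .docx would fetch when opened."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for info in z.infolist():
            if not info.filename.endswith(".rels"):
                continue
            if info.file_size > MAX_PART_SIZE:
                continue
            # For bulk scanning of untrusted mail, use a hardened XML parser.
            root = ET.fromstring(z.read(info))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                target = rel.get("Target", "")
                # Local templates also use TargetMode="External" (file:///),
                # so only a web address is treated as suspicious here.
                if (rel.get("Type") == TEMPLATE_TYPE
                        and rel.get("TargetMode", "").lower() == "external"
                        and urlparse(target).scheme.lower() in ("http", "https")):
                    hits.append(target)
    return hits

def make_sample(target):
    """Constructed sample: a zip holding only word/_rels/settings.xml.rels."""
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="%s">'
            '<Relationship Id="rId1" Type="%s" Target="%s" '
            'TargetMode="External"/></Relationships>'
            % (REL_NS, TEMPLATE_TYPE, target))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    for t in ("https://example.invalid/form.dotm",
              "file:///C:/Templates/Letter.dotm"):
        print(t, "->", remote_templates(make_sample(t)) or "no remote template")
```

An empty result only means no web-hosted template was found; it does not prove the attachment is safe.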

What to do when you spot this scam and how to stay safe

If you get sent a suspicious email from an address you don't recognise, whether it's part of the 'GO#WEBBFUSCATOR' malware campaign or another phishing attempt, the first thing to do is not open it. Delete the email right away.

There are a number of telltale signs when identifying phishing attacks, including:

  1. Creating a sense of urgency, pressing you to do something.

    1. Usually a phishing email is unexpected so that you don't have time to think about it or how to react.

  2. Asking you to click a link, open an attachment or visit a website that asks you to enter personal information.

  3. Containing a link that suggests it will take you to a legitimate website, but it shows a different website when you hover over the link.

  4. Asking for information that the real or legitimate sender wouldn't necessarily know.

In order to stay safe and protect against phishing attacks, there are a number of precautions you can take:

  • Learn about online security

  • Use spam filters or secure email gateways to block deceptive emails

  • Enable multi-factor authentication for logins

  • Watch out for fake links and/or attachments

  • Don't provide any information to unverified sources or suspicious individuals

  • If you receive a phishing email, report it to Scamwatch.

If you have any questions or need extra support, we're here to help you anytime in any language. Simply start a chat with us via the home screen of the Sonder app.

Information sourced from: Securonix, Digital Trends, Bleeping Computer, and OVIC

Image credit: R&B Duncan at Flickr

All content in Sonder's Help Centre is created and published for informational purposes only. It is not intended to be a substitute for professional advice.
