Simple yet malicious, this WhatsApp hack might be recently reported but the modus operandi is not entirely new and there still may be a way to prevent such attacks altogether.
At least three people from Hyderabad over the past week have been a victim of a form of social engineering hack where malicious actors get unauthorised access to a person’s WhatsApp account.
Hyderabad Cyber Crime Police Station station house officer KVM Prasad described this attack while talking to a local Telugu news channel V6. This is how it works —
- The malicious actor signs up on WhatsApp using the victim’s number and then calls them to convince them to give the OTP.
- Once the OTP is given, the actor logs in to the person’s account and enables two-factor authentication. This locks out the owner of the account
- If there are chat backups, the hacker will now have access to it
- The malicious actor then identifies people with whom the person has had the most number of conversations and sends them a malware link
- By clicking on the link, that person’s phone gets infected
- The actor also sends messages to the person’s friends asking for money. The recipients fall for it thinking that their friend is messaging them.
— Economic Offences Wing Cyberabad (@EOWCyberabad) August 18, 2021
“In the last few days alone we have received three cases. Even if its from your friend, don’t click on unknown links on WhatsApp,” Prasad told NTV. We have reached out to Prasad with our queries and will update the post when we receive a response.
Unlike nation-state cyberattacks or attacks exploiting a platform’s vulnerability, social engineering attacks have to do with our susceptibility to such scams and our complacency when it comes to securing our devices.
Similar attacks were recorded earlier
This type of attack where the actor hijacks one’s WhatsApp account is not new. Cybersecurity researchers have earlier recorded similar social engineering attacks where the actor gets access to the OTP of a WhatsApp account and gets access to it. Going by the account of the Hyderabad city police, the only bit that is new would be the manner in which the hacker has gotten access to the OTP.
For instance, a researcher at Cygenta, a UK-based cybersecurity company, was targetted by a similar attack last year. Madeline Howard, the researcher in a blogpost said, “When you download and install WhatsApp on a new device, WhatsApp will then send the mobile number you have entered a 6-digit verification code. This code verifies that you possess the mobile number and device. Once the 6-digit code has been entered that device will then receive WhatsApp messages for that account.”
This is how it works next, according to Howard —
- In order for this attack to work, the attacker will have already compromised an individual’s WhatsApp account (they could have done this via Facebook, not necessarily WhatsApp itself).
- “In this case, the account they had compromised belonged to an old friend,” she said. The attacker then sends a message to the friends of the initial victim stating they have accidentally sent the code to them, or they’re having issues receiving the code.
- “Here you can see that the attacker states they ‘sent’ me the code by mistake. I did receive the 6-digit code via SMS from WhatsApp, making the whole attack seem more plausible. If I had then sent back 6-digit code, the attackers would have successfully compromised my WhatsApp account, too,” she added.
How do you prevent such attacks?
According to WhatsApp, one can set up a two-step verification process which is “an optional feature that adds more security to your WhatsApp account. You’ll see the two-step verification screen after you successfully register your phone number on WhatsApp.”
In this two-step verification, one can enter their email address which will allow WhatsApp to email a reset link in case a person has forgotten their PIN number.
“To help you remember your PIN, WhatsApp will prompt you to periodically enter your PIN. Unfortunately, there isn’t an option to disable this without disabling the two-step verification feature,” The FAQ section of WhatsApp said.
- The fake loan app scandal is not going away anytime soon
- WhatsApp says it won’t delete accounts that don’t accept new terms by May 15
Have something to add? Post your comment and gift someone a MediaNama subscription.