This simple yet malicious WhatsApp hack may have been reported recently, but the modus operandi is not brand new and there could still be a way to prevent such attacks completely.
At least three people from Hyderabad have been the victims of a form of social engineering hack in the past week in which malicious actors gain unauthorized access to a person’s WhatsApp account.
KVM Prasad, the Hyderabad Cyber Crime Police Station house officer, described this attack while speaking to a local Telugu news channel V6. Thats how it works –
- The malicious actor logs into WhatsApp with the victim’s number and then calls them to convince them to give the OTP.
- Once the OTP is provided, the actor logs into the person’s account and enables two-factor authentication. This will block the owner of the account
- If there are chat backups, the hacker now has access to them
- The malicious actor then identifies the people with whom the person has had the most conversations and sends them a malware link
- Clicking the link will infect that person’s phone
- The actor also sends messages to the person’s friends asking for money. Recipients fall for it because they think their friend is sending them a message.
– Cyberabad White Collar Crime Wing (@EOWCyberabad) August 18, 2021
“We have received three cases in the past few days alone. Even if it’s from your friend, don’t click any unfamiliar links on WhatsApp, ”Prasad told NTV. We have reached out to Prasad with our questions and will update the post when we receive an answer.
Unlike nation-state cyber attacks or attacks that exploit a platform’s vulnerabilities, social engineering attacks have to do with our vulnerability to such scams and our complacency in protecting our devices.
Similar attacks were recorded earlier
This type of attack in which the actor hijacks his WhatsApp account is not new. Cyber security researchers have previously recorded similar social engineering attacks in which the actor gains access to and access to the OTP of a WhatsApp account. According to the Hyderabad City Police report, the only thing new is the way the hacker gained access to the OTP.
For example a researcher at Cygenta, a UK cybersecurity company, was hit by a similar attack last year. Madeline Howard, the researcher, said in a blog post, “When you download WhatsApp and install it on a new device, WhatsApp sends a 6-digit verification code to the cell phone number you entered. This code confirms that you have the mobile number and the device. As soon as the 6-digit code has been entered, this device will receive WhatsApp messages for this account. “
This is how it works next, according to Howard –
- For this attack to work, the attacker must have already compromised someone’s WhatsApp account (this could have done this through Facebook, not necessarily through WhatsApp itself).
- “In this case, the account they compromised belonged to an old friend,” she said. The attacker then sends a message to the friends of the first victim stating that he accidentally sent them the code or that he is having trouble receiving the code.
- “Here you can see that the attacker claims to have ‘sent’ the code to me by mistake. I received the 6-digit code via SMS from WhatsApp, which makes the whole attack seem more plausible. If I had then sent back a 6-digit code, the attackers would have successfully compromised my WhatsApp account, ”she added.
How do you prevent such attacks?
According to WhatsApp you can a. set up two-step verification process This is “an optional feature that will make your WhatsApp account more secure. You will see the two-stage confirmation screen after you have successfully registered your phone number on WhatsApp. “
This two-step verification allows you to enter your email address, which allows WhatsApp to email a reset link in case someone has forgotten their PIN number.
“So that you can remember your PIN, WhatsApp regularly asks you to enter your PIN. Unfortunately, there is no way to deactivate this without deactivating the two-stage verification function, ”says WhatsApp’s FAQ section.
Do you have anything to add? Post your comment and give someone a MediaNama as a gift subscription.