WhatsApp is the most widely used messaging app in the world, with a user base of around 2.7 billion people. Its simple, user-friendly interface has made it the preferred option for quick and easy messaging worldwide. Unfortunately, that massive user base also makes it a prime target for cybercriminals, who know that compromising a single WhatsApp account gives them a path to many further victims. In this article, we look at WhatsApp account takeover scams and how to protect against them.
How WhatsApp Account Takeover scams work
WhatsApp account takeover scams typically begin when a scammer has already gained control of one WhatsApp number. Impersonating that victim, the attacker messages the victim’s contacts and asks them to forward a six-digit code that he has “accidentally” sent them. In reality, the code is a WhatsApp verification code generated when the scammer attempted to register your phone number on a new device, and the message is a piece of social engineering designed to get you to hand over that verification code so he can take over your account as well.
Despite the obvious red flag, many people fall for this scam because the request comes from a trusted contact. Once they share the code, the attacker can register their WhatsApp number on his own device and lock them out. The attack then continues from the newly compromised account, spreading to its contacts in turn and allowing the attacker to increase the impact of the scam.
Action Fraud, the UK’s national fraud and cybercrime reporting center, has received over 60 reports of people falling victim to this scam. The attack is not restricted to this technique, either, as a recent blog by Malwarebytes Labs showed. In a newer variation, scammers take over an account by exploiting a period when the victim is unavailable and the way WhatsApp verifies a user’s identity.
The attack follows the below pattern:
- The scammer attempts to log in to the victim’s WhatsApp account
- During the verification process, WhatsApp sends a PIN via text message to the phone number associated with the user’s account.
- If the person cannot respond (because they are asleep, travelling, etc.), the attacker can move on to the next step.
- The scammer contacts WhatsApp, informs them that the verification SMS was not received, and requests a phone call verification.
- As the victim is still unavailable, the call gets redirected to their voicemail.
- The attacker tries the last four digits of the victim’s mobile number, which often serve as the default voicemail PIN, and gains access to the voicemail and the WhatsApp verification code left in it.
- They can now take over the WhatsApp account and lock the victim out of their account.
Once the account has been taken over, the attacker can use it to spread malware or even extort the victim in return for access to their account. The continuing evolution of this attack shows that attackers are aware of WhatsApp’s potential as a platform for fraud and will keep adapting to new security controls.
How to prevent yourself from becoming a victim of this fraud
WhatsApp account takeover attacks are unusual in that the attackers know two-factor authentication is in place and are actively trying to circumvent it through social engineering. That should not discourage anyone from enabling two-factor authentication, however, because of the extra protection it provides against other attacks.
In addition, users should make sure to follow these tips to protect their accounts from this dangerous scam:
- Be extra skeptical of strange requests from your WhatsApp contacts, and do not rush to take action. Call the person to verify if it is them making the request.
- Do not share your verification code with anyone under any circumstances. Any message asking you to share the code is a red flag, even if it comes from your closest friends.
- Report any contacts you feel may have been compromised to WhatsApp so they can take action. This also stops the attacker from continuing to other contacts who may not be so security aware!
- Provide an email address for verification purposes so that your two-factor PIN can be reset by email. This can prevent attackers from using the voicemail technique.
- Update your app regularly to apply the latest security fixes and patches.
Any popular app becomes a target of scams and cyber attacks once cybercriminals see the value of compromising it. The growing number of account takeover scams means that users cannot afford to be complacent when using WhatsApp and must remain vigilant against suspicious messages.
WhatsApp has become a massive part of our personal and professional lives, and becoming a victim of an account takeover can be traumatic. These attacks underscore the need for users to be aware of such frauds and keep themselves and their close contacts updated. Given the interconnected nature of our digital lives, a single person being compromised in these scams can result in a chain reaction of further victims. Awareness is key to protecting yourself and your friends from WhatsApp account takeovers.
Frequently Asked Questions
What are WhatsApp Account Takeover scams?
WhatsApp Account Takeover scams occur when an attacker impersonates a user, accesses their WhatsApp account, and then tries to trick their contacts into revealing their two-factor verification codes, enabling the attacker to hijack their accounts. These scams leverage trust and social engineering to perpetrate fraud.
How do these scams typically work?
Scammers initiate the attack by trying to log in to the victim’s WhatsApp account. If the victim cannot respond, the attacker can request a phone call verification, which gets redirected to the victim’s voicemail. Knowing the default voicemail PIN (usually the last four digits of the phone number), the scammer accesses the voicemail and the WhatsApp verification code.
What can attackers do once they’ve taken over a WhatsApp account?
After gaining control of a WhatsApp account, the attacker can target the victim’s contacts with the same scam, spread malware, or even extort the victim for access to their account. The attack can thus spread exponentially and cause substantial harm.
How can I protect my WhatsApp account from such scams?
To protect your account, enable two-factor authentication and never share your verification code with anyone. Always be skeptical of strange requests, even if they seem to come from trusted contacts. Update your app regularly to ensure you have the latest security fixes and patches. Lastly, provide an email address for verification purposes to prevent attackers from using the voicemail technique.