Last weekend I was targeted with a WhatsApp attack. This attack is simple for cyber criminals to carry out, and unless you’re aware of the key indicators, there is a high chance you'd fall for it.
Since the start of the pandemic, WhatsApp usage has rocketed globally by more than 40%. Cyber criminals follow the numbers: the more popular a technology or app is, the more criminals will target it. This WhatsApp attack shows us that social engineering is not just about phishing emails, as we have also been reminded by the recent Twitter hack. One of the key indicators of a social engineering attack is how the message makes you feel. When you receive a message or communication that you are not expecting and it triggers an emotional response, it is something to be wary of. In this case, the WhatsApp attack relies on individuals trusting a friend who needs some help. Below is the message I received. Not only have they placed a sense of urgency on me, making me feel rushed, but the attackers have also used emojis to help normalise the message.
When explaining this attack to a friend, their first response was 'But hackers don't use emojis, do they?'. This is the response the attackers want you to have, so it's important to remember that attackers do use emojis and anything else that makes them seem more legitimate. 😘
How this attack works
When you download and install WhatsApp on a new device, WhatsApp sends a 6-digit verification code to the mobile number you have entered. This code verifies that you possess the mobile number and the device. Once the 6-digit code has been entered, that device will then receive WhatsApp messages for that account.
In order for this attack to work, the attacker will have already compromised an individual’s WhatsApp account (they could have done this via Facebook, not necessarily WhatsApp itself). In this case, the account they had compromised belonged to an old friend. The attacker then sends a message to a friend (me) of the initial victim stating that they have accidentally sent the code to them, or that they’re having issues receiving the code. Here you can see that the attacker states they 'sent' me the code by mistake. I did receive the 6-digit code via SMS from WhatsApp, making the whole attack seem more plausible. If I had then sent back the 6-digit code, the attackers would have successfully compromised my WhatsApp account, too.
We still don't know if the fact the account was changed to a business account was part of the attack. If you have any thoughts on this, please get in touch.
What the attackers are trying to achieve with this attack
Once the attackers have access to your WhatsApp account, they cannot see old messages, but do have access to all of your WhatsApp contacts and groups AND will receive any new messages sent to your account. From here the attackers can message your contacts posing as you and may ask friends and family for money for an emergency or lock the account and ask friends for money in order to unlock it. Simple, yet effective for the attackers!
Our top tips for protecting yourself against this WhatsApp phish
Never send a 6-digit verification code to anyone, for any account. For every account, this code relates to your phone and shouldn’t be shared.
Enable ‘Two-Step Verification’ in WhatsApp; this can be found under Settings > Account. ‘Two-Step Verification’ adds a 6-digit PIN to your account, which you will have to enter when you set up WhatsApp on a new device and also every so often whilst using WhatsApp. WhatsApp states: ‘when you have two-step verification enabled, any attempt to verify your phone number on WhatsApp must be accompanied by the six-digit PIN that you created using this feature’.
If you receive a communication that you’re not expecting (whether by WhatsApp, email, phone call, SMS message or any other way) that asks you to do something and makes you feel emotional (rushed, happy, panicked, embarrassed or anything else), be aware that this could be social engineering.
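To make the mechanics above concrete, here is a small simulation of a phone-number verification flow. It is an added illustration written for this post, not WhatsApp's own code: the service, account and device names, the PIN rule, and the sample phone number are all constructed for the demonstration. It shows why the SMS code on its own is enough to move an account to whoever types it in, and why the two-step PIN stops that, because the PIN is never sent in the SMS and only the account owner knows it.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# A 6-digit code as it would appear in a verification SMS (constructed format).
CODE_RE = re.compile(r"\b(\d{6})\b")


@dataclass
class Account:
    phone: str
    active_device: Optional[str] = None   # device that currently receives messages
    two_step_pin: Optional[str] = None    # optional second factor chosen by the owner


class MessagingService:
    """Constructed model of a service that identifies accounts by phone number."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.pending_codes: Dict[str, str] = {}       # phone -> outstanding code
        self.sms_inbox: Dict[str, List[str]] = {}     # phone -> SMS texts delivered

    def account(self, phone: str) -> Account:
        return self.accounts.setdefault(phone, Account(phone))

    def enable_two_step(self, phone: str, pin: str) -> None:
        self.account(phone).two_step_pin = pin

    def request_code(self, phone: str) -> None:
        # Any device may ask for a code; the service only knows the number it
        # was asked about, so the SMS goes to the real owner's phone.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_codes[phone] = code
        self.sms_inbox.setdefault(phone, []).append(f"Your verification code is {code}")

    def latest_sms(self, phone: str) -> Optional[str]:
        texts = self.sms_inbox.get(phone)
        return texts[-1] if texts else None

    def verify(self, phone: str, device: str, code: str, pin: Optional[str] = None) -> str:
        if self.pending_codes.get(phone) != code:
            return "rejected: wrong code"
        acct = self.account(phone)
        # The PIN is the owner's secret; it is never part of the SMS.
        if acct.two_step_pin is not None and pin != acct.two_step_pin:
            return "rejected: two-step PIN required"
        del self.pending_codes[phone]
        acct.active_device = device   # registration moves delivery to this device
        return f"verified: {phone} now delivers to {device}"


def register_own_phone(svc: MessagingService, phone: str, device: str,
                       pin: Optional[str] = None) -> str:
    """Normal sign-up: the owner reads their own SMS and types the code in."""
    svc.request_code(phone)
    code = CODE_RE.search(svc.latest_sms(phone)).group(1)
    return svc.verify(phone, device, code, pin)


def run_forwarded_code_scenario(two_step_enabled: bool):
    """Replay the attack from the post: the victim forwards the code they received.

    Returns (service response, device the account delivers to afterwards)."""
    svc = MessagingService()
    victim = "+44 7700 900123"          # constructed sample number
    pin = "135790" if two_step_enabled else None   # constructed sample PIN
    if two_step_enabled:
        svc.enable_two_step(victim, pin)
    register_own_phone(svc, victim, "victim-phone", pin)

    # The attacker, on their own device, asks the service for a code for the
    # victim's number; the SMS still lands on the victim's phone.
    svc.request_code(victim)
    # The victim, trusting the 'friend', forwards the 6 digits from that SMS.
    forwarded = CODE_RE.search(svc.latest_sms(victim)).group(1)
    # Without the PIN, the forwarded code alone is enough to take the account.
    result = svc.verify(victim, "attacker-phone", forwarded)
    return result, svc.account(victim).active_device


if __name__ == "__main__":
    print(run_forwarded_code_scenario(two_step_enabled=False))
    print(run_forwarded_code_scenario(two_step_enabled=True))
```

Run without a PIN, the account's delivery moves to "attacker-phone" the moment the forwarded code is entered; with the PIN enabled, the same forwarded code is rejected and the account stays on "victim-phone". The point the model makes is that the SMS code proves only that someone can read the owner's SMS at that moment, which is exactly what forwarding it gives away.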
What to do if your WhatsApp is compromised
Reinstall WhatsApp and get a new verification code (this can take some time)
Set up the 6-digit PIN on your account
It is worth changing your Facebook password too, as Facebook owns WhatsApp and your Facebook account could have been compromised before your WhatsApp
*2022 update*
To learn about the latest WhatsApp scams and how to avoid them, check out Dr Jessica Barker's YouTube video: