The latest roundtable discussion from Security on Screen analyses the recent scam in which WhatsApp accounts are hijacked through the verification code text – how often will the Facebook-owned app let history repeat itself?
UK police are warning WhatsApp users about the current risk of scammers hijacking their accounts. According to reports, the scam starts with a seemingly innocent message that appears to come from a saved contact but is in fact sent by an attacker who has already taken over that contact's account and is now after the recipient's. Once in, the attacker is likely to use the newly hijacked account to launch the same attack on its contacts, with the aim of extracting money or personal data.
Southwark Police indicated that the circulating scam is related to a WhatsApp verification code, tweeting: “We have seen a surge in WhatsApp accounts being hacked. If you are sent a text from WhatsApp with a code on it, don’t share the code with ANYONE no matter who’s asking, or the reason why.”
The reports conclude that the attacker, posing as a friend, claims to have accidentally requested a WhatsApp verification code for the victim's number and asks for it to be forwarded. The six-digit code is sent by SMS only when someone tries to register that number on a device, so it should never be shared: whoever enters it registers the number on their own handset, which gives the attacker control of the account, the messages sent to it and its full list of contacts.
“This is a long-running scam,” confirms Martin Jartelius, CSO at Outpost24. “It is also used, for example, to trick codes out of users with the purpose of confirming subscriptions or purchases, where a verification is sent to the phone number of a user. It is hard to be cautious all the time, but essentially if ever in doubt, call your friend and find out what it’s about, and do not send codes on.
“There have also been frauds where this has been used to trick users to share codes from authenticator applications, by for example stating that the friend has lost their authenticator and needs to borrow their friend’s to log in.
“Sadly, this is nothing new when it comes to fraud.”
Security Engineer at Lookout, Burak Agca notes that this incident exemplifies how a threat actor doesn’t have to be an advanced cybercriminal to run a scam such as this. “The bar to entry is very low now as pre-built phishing kits and malware are available for as little as a few dollars online,” he continues. “Your contacts represent a significant part of your digital footprint and exposure. Think about how many people you communicate with every day using WhatsApp. Over the years through all your conversations, there could be significant amounts of sensitive information shared amongst friends and colleagues alike.
“Names, locations, pictures, addresses, contact numbers are the obvious ones, but how many times have you sent a credit card number or username and password over WhatsApp? The attacker is counting on users’ lack of hygiene within WhatsApp to be able to harvest vast amounts of personally identifiable information (PII), compromise your account and continue on to the next person in your address book.
“We have seen reporting that over 10 billion credentials have been made freely available on the internet this year alone. The 100GB ‘RockYou2021’ TXT file leaked 8.4 billion to a dark web forum. The personal data of over 530 million Facebook users was posted in a low-level hacking forum and 700 million accounts have just been put up for sale on RaidForums by a hacker calling himself ‘GOD User TomLiner.’ That is before a single reported breach by companies is accounted for. With that, attackers now have an almost limitless pool of users to go after.”
A similar repeat
Back in May 2019, a zero-day vulnerability in WhatsApp’s messaging platform was exploited by attackers to inject spyware onto victims’ phones in targeted campaigns. WhatsApp’s subsequent lawsuit alleges that NSO Group developed the surveillance code and used WhatsApp servers to deliver the malware to approximately 1,400 mobile devices; the case is still ongoing as the courts press to have NSO Group’s methods for compromising the messaging service’s infrastructure and targeting individuals with nation-state-backed surveillance-ware revealed.
“The continuous re-emergence of this forwarding scam from within the app isn’t very surprising,” Agca continues. “If you consider the increased volume of cybercrime, attackers will inevitably reuse previously successful tactics and campaigns. Facebook will be challenged once again to keep customer confidence as it battles a series of press stories and court cases that bring into question the continuous exploitation of vulnerabilities in its app and signalling services, its data handling, and security practices.”
The obvious advice for WhatsApp users is to remain vigilant during this time. Javvad Malik, Security Awareness Advocate at KnowBe4, suggests: “If a friend makes an unusual request, they should try to contact them outside of WhatsApp to determine if the request is genuine or not. Similarly, secure login codes or MFA codes sent via text or in the app should never be shared with anyone.”
He continues to say, “organisations should also ensure staff are provided appropriate security awareness about the risks that can manifest through social media and chat applications and ensure any suspicious activity is reported.”
Agca concludes: “Individuals and enterprises alike can’t rely on WhatsApp saying its messaging is encrypted to keep sensitive data safe. More needs to be done both by the consumer and by WhatsApp itself to ensure a truly secure experience within the app. WhatsApp users can be proactive and download a mobile security solution that reduces the risk of falling victim to WhatsApp scams – especially ones that try to phish your credentials or quietly install malware.”