Last weekend I was targeted with a WhatsApp attack. This attack is simple for cyber criminals to carry out, and unless you’re aware of the key indicators there is a high chance you'd fall for it.

Since the start of the pandemic, WhatsApp usage has rocketed globally by more than 40%. Cyber criminals follow the numbers, the more popular a technology or app is, the more criminals will target it. This WhatsApp attack shows us that social engineering is not just about phishing emails, as we have also been reminded with the recent Twitter hack. One of the key indicators of a social engineering attack can be how the message makes you feel. When you receive a message or communication that you are not expecting and it triggers an emotional response, it is something to be wary of. In this case, the WhatsApp attack relies on individuals trusting a friend who needs some help.

Below is the message I received, not only have they placed a sense of urgency on me, making me feel rushed, but the attackers have also used emojis to help normalise the message.

When explaining this attack to a friend their first response was 'But hackers don't use emojis, do they?'. This is the response the attackers want you to have, so it's important to remember, attackers do use emojis and anything else that makes them seem more legitimate. 😘

WhatsApp phishing message

How this attack works

When you download and install WhatsApp on a new device, WhatsApp will then send the mobile number you have entered a 6-digit verification code. This code verifies that you possess the mobile number and device. Once the 6-digit code has been entered that device will then receive WhatsApp messages for that account.

In order for this attack to work, the attacker will have already compromised an individual’s WhatsApp account (they could have done this via Facebook, not neccessarily WhatsApp itself). In this case, the account they had compromised belonged to an old friend. The attacker then sends a message to the friends (me) of the initial victim stating they have accidentally sent the code to them, or they’re having issues receiving the code. Here you can see that the attacker states they 'sent' me the code by mistake. I did receive the 6-digit code via SMS from Whatsapp, making the whole attack seem more plausible. If I had then sent back 6-digit code, the attackers would have successfully compromised my WhatsApp account, too.

We still don't know if the fact the account was changed to a business account was part of the attack. If you have any thoughts on this, please get in touch.

What the attackers are trying to achieve with this attack

Once the attackers have access to your WhatsApp account, they cannot see old messages, but do have access to all of your WhatsApp contacts and groups AND will receive any new messages sent to your account. From here the attackers can message your contacts posing as you and may ask friends and family for money for an emergency or lock the account and ask friends for money in order to unlock it. Simple, yet effective for the attackers!

Our top tips for protecting yourself against this WhatsApp phish

  • Never send a 6-digit verification code to anyone, for any accounts. For all accounts this code relates to your phone and shouldn’t be shared
  • Enable ‘Two-Step Verification’ in WhatsApp, this can be found under settings > account. This ‘Two-Step Verification’ enables a 6-digit pin for your account which you will have to enter when you set up WhatsApp on a new device and also every so often whilst using WhatsApp. WhatsApp states ‘when you have two-step verification enabled, any attempt to verify your phone number on WhatsApp must be accompanied by the six-digit PIN that you created using this feature’
  • If you receive a communication that you’re not expecting (whether by Whatsapp, email, phone call, SMS message or any other way) that is asking you to do something and makes you feel emotional (rushed, happy, panicked, embarrassed or anything else), be aware this could be social engineering

What to do if your WhatsApp is compromised

  • Reinstall WhatsApp and get a new verification code (this can take some time)
  • Step up the 6-digit pin on your account
  • It is worth changing your Facebook password, as Facebook owns WhatsApp and your Facebook account could have been compromised before your WhatsApp
  • Set up two-factor authentication on Faceboook