WhatsApp Messenger, or simply WhatsApp, is an American freeware program owned by Facebook, Inc. It’s a cross-platform centralised messaging and voice-over-IP service package. It allows users to send text and voice messages, make voice and video calls, share images, documents, user locations, and other content. In recent years it has become very popular and is increasingly used for business communication.
In the latest scam, criminals target a particular WhatsApp user’s account and poses as that user to send a message to one of the account’s contacts. This is sent at around the same time as a text or email is received by that contact from WhatsApp, which contains a verification code that the hacker has requested by posing as the contact.
The scammer explains that they accidentally requested the code to be sent to the contact’s number and ask that it be sent to them.
If it’s given, the code will enable the scammer to take over the account. Now they can read private messages and try further scams on a new set of contacts.
The UK Police have been involved in trying to educate people. These are their basic advisory guidelines.
- Never share the six-digit registration code you received via SMS with other people
- Enable two-step verification (this is also known as MFA, Multi-Factor Authentication)
- Protect your data, for example by only allowing your contacts to see your profile photo
Any individual who receives such a message from a contact is advised to call them, to verify directly.
Although this scam has been in circulation before, WhatsApp has attracted interest because more and more businesses are using it.
Criminals that gain access to WhatsApp accounts can launch attacks against contacts, snoop on conversations or try to compromise business accounts or conduct fraudulent transactions. Again, if they get in to an account they can lie low for a while or try scams immediately.
The key is to remain vigilant at all times and be suspicious of unexpected or odd messages. If a friend or associate makes an unusual request, you should try to contact them outside of WhatsApp to determine if the request is genuine or not. MFA or secure login codes, sent via text or in the app should never be shared with anyone. If someone genuinely needs to contact you, they will reach out to you by phone or in person.
Concerns have arisen about the security of WhatsApp. Users began moving away to alternate platforms such as Telegram and Signal. In January Telegram had 500 million users compared to WhatsApp with approximately 1.6 Billion users. There were and still are concerns on the security flaws inherent in WhatsApp.
Another issue to be wary of is WhatsApp’s Export feature. In making the change from WhatsApp to one of the alternates it’s very easy to move contacts and chat history across. It’s worth reflecting exactly how secure the process for moving contacts is. Effectively, you are shifting your data to an alternate cloud service where, although the chat is encrypted, perhaps the data transfer and storage may not be as secure. So the key here is do your homework, perhaps trial any new programs, weigh up the pros and cons, do some research. It is certainly true today that we need to safeguard every aspect of our digital lives.
Tread cautiously, don’t rush into things without careful thought and planning.
This is the new cyber world. It starts here with educating people to be mindful. These skills should be used at work and at home.
The rules for individuals and businesses are the same. There is no harm engaging your staff, or your family, or your friends and talk through appropriate security awareness. Discuss the risks that can arise through social media and chat applications.
A major event occurred this year when over 10 billion credentials were made freely available on the internet – the Dark Web.
The 100GB “RockYou2021” TXT file leaked 8.4 billion to a dark web forum.
Personal data of over 530 million Facebook users was posted in a low-level hacking forum, and 700 million accounts have just been released for sale on RaidForums by a hacker calling himself ‘GOD User TomLiner.’
All this is before a single reported breach by companies is accounted for. With that, attackers now have an enormous pool of users to go after.
These incidents show how a threat actor doesn’t have to be an advanced cyber-criminal or a nation-state hacker. The bar to entry is very low, as malware and pre-built phishing kits are available for just a few pounds online. All of your contacts represent a significant part of your digital footprint and exposure risk. Breadcrumbs scattered throughout the web may lead the hackers to your door.
If you want our advice on what action to take to mitigate security breaches, talk to us now on 01444 871200