A Simple WhatsApp User Error Can Lead to Big Troubles

WhatsApp Account Takeover Attack

Zak Doffman, CEO of the security company Digital Barriers and a Forbes contributor, recently stumbled upon an account takeover attack targeting WhatsApp users. It shows once again that for cybercriminals, being able to hack the human psyche can matter more than being able to hack an online service.

Doffman learned about the attack when a friend of his complained in a group chat that her WhatsApp account had been hacked. She told the others to be wary of messages that appeared to come from her, and she warned everybody not to give away any six-digit code they might receive by text. It sounded somewhat strange at first, but soon Doffman knew exactly what had happened, and he was rather astounded by how simple and clever the attack is.

A social engineering masterclass

It's impossible to say how widespread the scam is or whether it's aimed at a particular set of users. The way the attack works, however, suggests that whoever organized it is determined to take over as many accounts as possible.

People who are worried about their private conversations being exposed can breathe a sigh of relief. Because WhatsApp is end-to-end encrypted, message history lives on your phone rather than on WhatsApp's servers, so someone who registers your number on a different device does not get your old chats unless they have also stolen your chat backup. What they do get, however, is your place in your group chats, and with it the phone numbers of everyone in them, and they can try to compromise those accounts as well.

They do that from a device WhatsApp has never seen, and registering your number on a new device cannot complete without the six-digit verification code that WhatsApp texts to the phone number being registered. That code only ever lands on the real owner's handset, so the attacker has to get it from the owner. Using your already compromised account to impersonate you, they politely message your friend and ask for the code that has "accidentally" been sent to them. The attackers are counting on the trust between you and your friend being enough for the code to be handed over without a moment's hesitation. Once they enter it on their device, your friend's number is registered there, your friend's own phone is signed out, and the crooks have taken over another account.

It's a classic social engineering attack, and because every hijacked account yields a fresh list of trusted contacts to target, the victim count can spiral out of control. Pulling it off requires no exploit and no real financial investment, which makes it all the more appealing to unsophisticated cybercriminals, so it is worth talking about what you can do to keep yourself safe.

How to spot the latest WhatsApp scam?

It's all about knowing how WhatsApp works. If you do, you'll be aware that the six-digit code you've just received was sent for one reason only: someone is trying to register your number on a different device. WhatsApp never asks for that code inside a chat, and nobody else has a legitimate reason to want it. With that in mind, it won't be difficult to suspect that something's wrong when someone in your contact list requests the code, even if that someone is hiding behind your best friend's phone number.

If you're familiar with WhatsApp's login process, you'll also know that the app offers an additional layer called two-step verification, which can be turned on from the Account section of the app's settings. With two-step verification enabled, registering your number on a new device requires not only the six-digit SMS code we talked about in the previous paragraphs, but also a six-digit PIN that you choose and remember yourself (and that the app periodically asks you to re-enter, so you don't forget it). The caveat is that the PIN protects you only as long as you keep it to yourself: the same "friend" who asks for your SMS code can just as easily ask for your PIN, and handing over both defeats the protection entirely.
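To make the two mechanisms above concrete, here is a toy model of the number-registration flow the scam abuses, covering both the social-engineering step described under "A social engineering masterclass" and the two-step verification PIN from the previous paragraph. This is an illustrative model written for this page, not WhatsApp's own code: the server behaviour, the attempt limit and code lifetime, and all names (RegistrationServer, run_scam, brute_force, the phone numbers and PIN) are assumptions. It shows that, with a per-code attempt limit, a six-digit code cannot be brute-forced, which is exactly why the attacker needs the victim to hand it over; that handing over the code alone loses the account; and that a PIN only helps if it is not handed over too.

```python
"""Toy model of a phone-number registration flow like the one WhatsApp's
account-takeover scam abuses.  Written as an example for this page; not
WhatsApp's code.  Limits, behaviour and names are assumptions."""
import hashlib
import hmac
import os
import secrets
import time

MAX_ATTEMPTS = 5   # assumed: a code is locked after this many wrong tries
CODE_TTL = 600     # assumed: a code stays valid for ten minutes


class RegistrationServer:
    """Hands the account to whichever device presents the SMS code
    (and, if two-step verification is on, the account's PIN)."""

    def __init__(self):
        self.pending = {}       # phone -> {"code", "expires", "attempts"}
        self.owner_device = {}  # phone -> device that currently holds the account
        self.pin_hash = {}      # phone -> (salt, pbkdf2 hash) when two-step is on
        self.sms_outbox = {}    # phone -> last code texted to that handset

    def _hash_pin(self, pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enable_two_step(self, phone, pin):
        salt = os.urandom(16)
        self.pin_hash[phone] = (salt, self._hash_pin(pin, salt))

    def request_code(self, phone):
        """Step 1: any device may ask; the code is texted to the real phone."""
        code = f"{secrets.randbelow(1_000_000):06d}"
        self.pending[phone] = {"code": code, "expires": time.time() + CODE_TTL,
                               "attempts": 0}
        self.sms_outbox[phone] = code   # only the handset's owner can read this

    def register(self, phone, device, code, pin=None):
        """Step 2: the right code (plus PIN, if set) moves the account to `device`."""
        entry = self.pending.get(phone)
        if entry is None or time.time() > entry["expires"]:
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:   # lock out brute force
            del self.pending[phone]
            return False
        if not hmac.compare_digest(entry["code"], code):
            return False
        if phone in self.pin_hash:              # two-step verification enabled
            salt, expected = self.pin_hash[phone]
            if pin is None or not hmac.compare_digest(expected, self._hash_pin(pin, salt)):
                return False
        del self.pending[phone]
        self.owner_device[phone] = device       # previous device is signed out
        return True


def brute_force(srv, phone, device, guesses):
    """Attacker tries codes one by one; True if any guess wins the account."""
    return any(srv.register(phone, device, g) for g in guesses)


def run_scam(two_step_enabled, victim_shares_code, victim_shares_pin=False):
    """The scam from the article: the attacker registers the victim's number on
    their own device, then, posing as a friend, asks the victim for whatever
    was just texted to them.  Returns True if the attacker ends up owning it."""
    srv = RegistrationServer()
    victim, pin = "+15550001111", "493012"     # constructed sample data
    srv.owner_device[victim] = "victims-phone"
    if two_step_enabled:
        srv.enable_two_step(victim, pin)
    srv.request_code(victim)                   # triggers the SMS to the victim
    if not victim_shares_code:
        return False                           # attacker has nothing to enter
    code = srv.sms_outbox[victim]              # victim pastes it into the chat
    srv.register(victim, "attackers-phone", code,
                 pin if (two_step_enabled and victim_shares_pin) else None)
    return srv.owner_device[victim] == "attackers-phone"


if __name__ == "__main__":
    for two_step in (False, True):
        print(f"two-step={two_step}: shares code only ->",
              run_scam(two_step, True), "| shares code and PIN ->",
              run_scam(two_step, True, True))
```

The PIN is stored as a salted PBKDF2 hash and both comparisons use constant-time equality, which is how a real registration service should treat these secrets; but none of that matters once the victim types the code and the PIN into a chat window, which is the whole point of the scam.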

Although the attack's design is clever, its success depends entirely on you making a simple mistake: treating a verification code, or a PIN, as something that can be shared with a friend. Don't.

January 27, 2020