
Overview:

The Cyber Incident Response Team (CIRT Div.) wishes to inform the public of a growing number of scams circulating on WhatsApp that are designed to deceive individuals into clicking on malicious links that may compromise personal or financial information. In addition to the scams, there have been cases of WhatsApp hijacking. 

WhatsApp account hijacking occurs when an unauthorized person gains control over your WhatsApp account. This typically involves the hacker either accessing your device, tricking you into giving away your verification code, or using a vulnerability in your account security. Once a hacker gains control of your account, they can impersonate you, access your contacts, send messages, or perform other malicious activities.


Different Forms of WhatsApp Account Hijacking

There are several ways in which your WhatsApp account can be hijacked. Here are some of the ways in which it can occur. 

  1. SIM Swap Attack
    • How It Happens: A hacker tricks your mobile carrier into transferring your phone number to a new SIM card. Once they have the new SIM, they can use it to access your WhatsApp account.
    • Indicators:
      • Your phone loses service suddenly.
      • You receive an unexpected verification code.
      • You are unable to make calls or send texts on your device, but your number is still active.
  2. Phishing
    • How It Happens: Phishing is when a hacker impersonates a legitimate entity (like WhatsApp itself) to deceive you into revealing personal information. This could be through fraudulent emails, text messages, or fake login pages that request your verification code.
    • Indicators:
      • You receive unsolicited messages asking for your verification code.
      • You’re prompted to click on a link that looks like a WhatsApp page but is actually a fraudulent site.
  3. Malware or Spyware
    • How It Happens: If your device is infected with malicious software (malware) or spyware, the hacker can secretly monitor your activity and potentially access your WhatsApp account. This usually happens when you download untrusted apps or click on harmful links.
    • Indicators:
      • Your device runs slower than usual.
      • Unusual activity on your device or messages are sent from your WhatsApp account without your knowledge.
      • You notice strange apps on your phone that you didn’t install.
  4. Social Engineering
    • How It Happens: A hacker may try to manipulate you into giving them access to your account. This could be by impersonating a friend, colleague, or even WhatsApp support and convincing you to share your verification code or reset your account.
    • Indicators:
      • Someone contacts you claiming to be WhatsApp support or a friend asking for help and requesting verification codes.
      • You are asked to perform actions that seem out of the ordinary, such as sharing codes or resetting your password.
  5. Device or Account Hacking (Physical or Remote)
    • How It Happens: If a hacker physically gains access to your phone or can remotely control it (via Wi-Fi vulnerabilities, for example), they can install malicious software or directly log into your WhatsApp account. This is especially risky if your phone is not properly secured (no PIN, password, or biometric lock).
    • Indicators:
      • You are suddenly logged out of WhatsApp.
      • Messages are sent from your account that you didn’t write.
      • You notice unfamiliar apps or settings on your phone.
  6. Verification Trick
    • What It Is: This scam involves deceiving victims into sharing their WhatsApp verification code. The scammer impersonates a trusted contact, such as a friend, colleague, or family member, and claims that they accidentally sent the verification code to the wrong person. They then request the victim to send the code back.
    • How It Happens: The scammer sends a message that looks like it’s from a trusted contact, requesting the verification code. Once the code is provided, the scammer gains full access to the victim’s WhatsApp account.
  7. Compromised App
    • What It Is: Some third-party apps, especially those claiming to enhance WhatsApp’s functionality, come preloaded with malware. Once installed, these apps can expose personal data or inject malware into WhatsApp. Only download apps from official sources, like the Google Play Store or Apple App Store. Avoid third-party apps that promise to unlock extra WhatsApp features or enhance performance.
    • How It Happens: The compromised app sends spam or malicious links to your WhatsApp contacts, potentially causing widespread damage. These apps may also collect and leak sensitive information, such as passwords or personal data.
  8. Broadcast Channel Money Scam
    • What It Is: Once a hacker has gained control of your WhatsApp account, they may create a broadcast channel to impersonate you and ask your contacts for money.
    • How It Happens: After hijacking your account, the scammer creates a broadcast list to send messages to your contacts, pretending to be you. They might claim to be in an emergency situation and urgently need money, often asking for transfers via digital payment platforms (e.g., PayPal, Zelle, cryptocurrency). Since the message comes from your account, your contacts may believe it is genuine and send money.
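
Two of the indicators listed above can be checked mechanically: a link that looks like a WhatsApp page but leads elsewhere (Phishing), and a message from a "contact" asking for a code that was supposedly sent by mistake (Verification Trick). The Python scanner below is an added example written for this advisory; it is not a CIRT or WhatsApp tool. It assumes that whatsapp.com (the domain named on this page) and its subdomains are the only legitimate hosts, an allow-list the reader should extend; the sample messages are constructed, and the wording heuristics are deliberately simple and will miss rephrased requests.

```python
import re
from urllib.parse import urlsplit

# Hosts treated as genuine WhatsApp domains. whatsapp.com is the domain named in
# the advisory; restricting the allow-list to it and its subdomains is this
# example's assumption, not an official list from WhatsApp.
LEGITIMATE_DOMAINS = {"whatsapp.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Heuristics for the "verification trick": the message talks about a code or PIN
# and carries a cue that it was sent by mistake or should be sent back.
CODE_WORDS = re.compile(r"\b(code|pin)\b", re.IGNORECASE)
REQUEST_CUES = re.compile(
    r"\b(send (it|that|me)|forward (it|me)|give (it|me)|by mistake|accident\w*|wrong (number|person))\b",
    re.IGNORECASE,
)


def registered_domain(host: str) -> str:
    """Last two labels of a hostname (naive: no public-suffix list, so co.uk-style
    domains would need a real suffix list in production)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url: str) -> tuple:
    """Return (verdict, reason). Verdicts: legitimate, lookalike, suspicious, unknown."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host:
        return "suspicious", "no hostname in link"
    if parts.username is not None or parts.password is not None:
        # "https://whatsapp.com@evil.example/": the real host is what follows '@'
        return "suspicious", f"text before '@' hides the real host {host}"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return "suspicious", "raw IP address instead of a domain name"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious", "punycode label (possible homograph of a known brand)"
    domain = registered_domain(host)
    if domain in LEGITIMATE_DOMAINS:
        if parts.scheme.lower() != "https":
            return "suspicious", "official domain but not served over HTTPS"
        return "legitimate", f"{host} is under {domain}"
    if "whatsapp" in host:
        # Brand name used as a subdomain or inside a look-alike registered name
        return "lookalike", f"'whatsapp' appears in {host} but the registered domain is {domain}"
    return "unknown", f"link goes to {domain}, which is not a WhatsApp domain"


def asks_for_verification_code(text: str) -> bool:
    """True when the message mentions a code/PIN together with a 'send it back' style cue."""
    return bool(CODE_WORDS.search(text) and REQUEST_CUES.search(text))


def scan_message(text: str) -> dict:
    """Classify every link in a message and flag verification-code requests."""
    links = [(url, *classify_link(url)) for url in URL_RE.findall(text)]
    code_request = asks_for_verification_code(text)
    risky = code_request or any(verdict in ("lookalike", "suspicious") for _, verdict, _ in links)
    return {"links": links, "asks_for_code": code_request, "risky": risky}


# Constructed sample messages for the demonstration (not real scam messages).
SAMPLE_MESSAGES = [
    "Hey, I accidentally sent my WhatsApp code to your number, can you send it back to me?",
    "Your account will be suspended. Verify now: https://whatsapp.com.verify-account.example/login",
    "See the official FAQ: https://faq.whatsapp.com/",
    "Login here https://whatsapp.com@203.0.113.5/ to keep your account",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = scan_message(msg)
        print("RISKY  " if result["risky"] else "ok     ", msg)
        for url, verdict, reason in result["links"]:
            print(f"         {verdict}: {url} ({reason})")
```

The ordering of the checks matters: the `@` test runs before the domain test because a browser sends everything before `@` as credentials and connects to the host after it, so "whatsapp.com" at the start of such a link is pure decoration. Only the first and third sample messages contain no link problem, and the first is still flagged because it asks for a code.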


Comprehensive Cheat Sheet

If your WhatsApp account is hijacked, it's critical to act quickly to regain control and protect your personal information. Here's a comprehensive cheat sheet for users dealing with different scenarios of WhatsApp account hijacking.

1. If You Suspect Your Account is Hijacked

  • Signs of Hijacking:
    • You are logged out of WhatsApp suddenly.
    • You receive login attempts or verification codes you didn’t request.
    • Your contacts report suspicious messages coming from your account.

What to do:

  • Try to log in again:
    • Open WhatsApp on your device and attempt to log in.
    • If you’re logged out, WhatsApp will send a verification code to your phone number.
  • Verify your phone number:
    • Enter the 6-digit code sent to you via SMS or a phone call to regain access.

2. If Your Phone Number Was Used to Register WhatsApp on Another Device

  • Signs of Hijacking:
    • You’re receiving notifications on your phone that your WhatsApp account is being used on another device.

What to do:

  • Log out of all devices:
    1. Open WhatsApp on your device.
    2. Go to Settings > Linked Devices.
    3. Log out of all linked devices.
  • Re-enable Two-Step Verification:
    1. This step ensures that nobody can verify your phone number on another device without your PIN.
    2. Go to Settings > Account > Two-step verification and enable it.

3. If Your Number Has Been Repurposed by the Telecom (SIM Swap or Number Reuse)

In some cases, even if your SIM card is still in your possession, your number may have been repurposed by your telecom provider. This typically happens when the telecom operator reassigns an old or inactive phone number to a new user after a certain period of inactivity. Indicators include:

  • You cannot receive WhatsApp verification codes, even though your SIM card is still active in your phone.
  • You are logged out of WhatsApp, and when trying to log in, you receive a verification code that you did not request.
  • You receive a call or SMS from the telecom provider indicating that your number is being reassigned, or your number is no longer recognized on their network.

What to Do:

  • Check Your Telecom Provider's Status:
    • Immediately contact your telecom provider to confirm if your number has been reassigned or repurposed. Explain your situation and ask them to lock or block any unauthorized attempts to port or reuse your number.
  • Regain Access to WhatsApp:
    • Request a New SIM Card:
      • If your number has indeed been reassigned, request a new SIM card with the same number from your telecom provider. Ensure they lock the number to prevent further issues.
    • Verify Your Account with the New SIM Card:
      • Once you receive your new SIM card, insert it into your phone and reattempt the WhatsApp login process.
      • WhatsApp will send a verification code to your phone number. Enter this code to regain access.
  • Enable Two-Step Verification:
    • To prevent future hijacking, enable WhatsApp's Two-Step Verification feature. This adds an extra layer of security by requiring a PIN in addition to the verification code sent to your phone.
  • Contact WhatsApp Support:
    • If you're unable to regain access, contact WhatsApp support for further assistance. Provide them with as much information as possible, including your phone number and any suspicious activity you've noticed.

4. If Your Phone is Stolen or Lost

  • Signs of Hijacking:
    • You can’t access your phone or WhatsApp due to theft or loss.

What to do:

  • Suspend your WhatsApp account:
    • Contact WhatsApp support via email at support@whatsapp.com with the subject "Lost/Stolen Phone: Please deactivate my account".
    • Provide your phone number in full international format (e.g., +1 876 for Jamaica, +1 for the USA, +44 for the UK).
  • Request a new SIM card:
    • Contact your mobile carrier to block the lost or stolen SIM and request a new one with your original number.
  • Reinstall WhatsApp:
    • Once you get your new SIM, reinstall WhatsApp and verify your phone number.

5. If You Lost Access to WhatsApp as a consequence of Social Engineering

  • Signs of Hijacking:
    • Suspicious messages are being sent to your contacts.
    • You didn’t give anyone permission to access your account.

What to do:

  • Alert your contacts:
    • Inform your contacts that your account was compromised, and advise them not to click any suspicious links or provide personal details.
  • Enable Two-Step Verification:
    • Go to Settings > Account > Two-step verification and enable it to prevent further unauthorized access.
  • Check for Suspicious Activity:
    • Go to Settings > Privacy > Last Seen and Settings > Security to check if any unfamiliar information or devices have access to your account.

6. If Your Account is Hacked After Receiving a Phishing Message

  • Signs of Hijacking:
    • You clicked on a suspicious link or provided personal information (e.g. verification code).

What to do:

  • Log out of any active sessions:
    • Open WhatsApp on your device and go to Settings > Linked Devices to log out of all linked devices.
  • Reset your two-step verification PIN (if two-step verification is enabled):
    • Go to Settings > Account > Two-step verification and reset your PIN.
  • Report the Phishing:
    • Forward the phishing message to spam@whatsapp.com for investigation. This will help WhatsApp identify and take action against the source of the phishing attempt.
  • Warn your contacts:
    • Let your contacts know that your account was compromised via phishing and that they should avoid engaging with suspicious links.

7. If You Receive a Verification Code You Didn’t Request

What to do:

  • Don’t share the verification code:
    • Ignore the code, and don’t share it with anyone.
  • Block the hacker’s number (if known):
    • If you suspect a specific person is attempting to hijack your account, block them from your phone's contact list.
  • Enable Two-Step Verification:
    • If not already enabled, set up two-step verification immediately by going to Settings > Account > Two-step verification.

8. If Your WhatsApp is Hacked and You Cannot Log in

  • Signs of Hijacking:
    • You’ve been locked out of your account and cannot access your messages or profile.

What to do:

  • Request a new verification code:
    • Open WhatsApp: Launch the WhatsApp app on your phone.
    • Enter Your Phone Number: When prompted, enter the phone number associated with your WhatsApp account. Make sure to include the correct country code.
    • Request Code: WhatsApp will send a 6-digit verification code to the phone number you entered. This may come as an SMS or a phone call, depending on your region and WhatsApp's settings.
    • Enter the Code: Once you receive the code, enter it into the WhatsApp verification screen to log in.

  • Contact WhatsApp Support:
    • If you're still unable to regain access, email support@whatsapp.com with a detailed explanation, including:
      • Your phone number (with country code).
      • A clear explanation of the issue (e.g., unable to log in or receive verification codes).
  • Ask for account restoration:
    • Mention if your account has been hijacked, and request WhatsApp to investigate and restore access.

9. If Your Account is Hijacked, and the Hacker Changed Your Phone Number

  • Signs of Hijacking:
    • Your WhatsApp account is linked to a different phone number that you didn’t set.

What to Do:

  1. Contact WhatsApp Support Immediately:
    • Email WhatsApp: Send an email to support@whatsapp.com explaining that your account’s phone number was changed without your consent.
      • Include your original phone number (with the country code).
      • Describe the situation in detail, including any unusual activities or signs that led you to believe your account was hijacked.
    • Request Account Lock: Ask WhatsApp to lock your account to prevent further unauthorized access.
    • Ask for Account Recovery: Request WhatsApp to initiate an account recovery process to restore access to your original phone number.
  2. Verify Your Original Phone Number:
    • WhatsApp Will Lock Your Account: Once your account is locked, WhatsApp will begin the process of verifying your identity.
    • Follow the Instructions: You’ll be asked to verify your original phone number (the one you used when setting up WhatsApp).
      • WhatsApp will send a 6-digit verification code to this phone number via SMS or a voice call.
    • Regain Access: Once you enter the correct code, you will regain access to your WhatsApp account, and the hijacker’s number will be removed.

The CIRT urges users to remain vigilant, especially during the holiday season when cybercriminals often intensify their efforts. Common tactics being used include phishing and smishing, which involve fake messages or links that attempt to steal sensitive data or install malware on devices.

Additional Preventative Measures

  • Enable Two-Step Verification: This adds an extra layer of security, requiring both your SIM card and a personal PIN.
    • To enable: Go to Settings > Account > Two-Step Verification and follow the instructions.
  • Never Share Your Verification Code: Always keep your 6-digit verification code private, even if someone claims to be from WhatsApp.
  • Beware of Suspicious Links and Attachments: Never click on links or open attachments from unknown or untrusted sources.
  • Use a Strong Device Lock: Set a PIN, password, or biometric security (fingerprint/face recognition) on your phone to prevent unauthorized access.
  • Regularly check your broadcast lists and message history to identify any suspicious activity.
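
The first measure above, two-step verification, is what turns a leaked 6-digit code from a full takeover into a failed attempt. The Python model below is an added example written for this page to show that reasoning in code; it is a simplified illustration, not WhatsApp's actual registration protocol. The code lifetime, the PIN lockout threshold, the phone number and the PIN are constructed values, and `request_code` returns the code only to simulate its delivery to the SIM.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Optional

CODE_TTL_SECONDS = 300   # assumed lifetime of a delivered 6-digit code
MAX_PIN_ATTEMPTS = 5     # assumed lockout threshold for wrong PINs


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a leaked server database does not reveal PINs directly."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Account:
    number: str
    active_device: Optional[str] = None   # the phone currently holding the session
    pin_salt: Optional[bytes] = None
    pin_hash: Optional[bytes] = None
    failed_pin_attempts: int = 0

    def enable_two_step(self, pin: str) -> None:
        self.pin_salt = os.urandom(16)
        self.pin_hash = hash_pin(pin, self.pin_salt)
        self.failed_pin_attempts = 0


class RegistrationService:
    """Toy model of number verification: one pending code per number, optional PIN."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}
        self.pending = {}   # number -> (code, issued_at)

    def request_code(self, number: str) -> str:
        """Issue a fresh 6-digit code. In reality it is delivered by SMS or voice
        call to whoever holds the SIM; returning it here simulates that delivery."""
        code = f"{secrets.randbelow(1_000_000):06d}"
        self.pending[number] = (code, self.clock())
        return code

    def register(self, number: str, device: str, code: str, pin: Optional[str] = None) -> str:
        acct = self.accounts.setdefault(number, Account(number))
        entry = self.pending.get(number)
        if entry is None or self.clock() - entry[1] > CODE_TTL_SECONDS:
            return "rejected: no valid code pending"
        if not hmac.compare_digest(entry[0], code):
            return "rejected: wrong code"
        if acct.pin_hash is not None:   # two-step verification is on
            if acct.failed_pin_attempts >= MAX_PIN_ATTEMPTS:
                return "rejected: PIN locked after repeated failures"
            if pin is None or not hmac.compare_digest(hash_pin(pin, acct.pin_salt), acct.pin_hash):
                acct.failed_pin_attempts += 1
                return "rejected: two-step PIN required"
        acct.failed_pin_attempts = 0
        del self.pending[number]        # a code is single-use
        previous, acct.active_device = acct.active_device, device
        if previous and previous != device:
            return f"registered on {device}; {previous} logged out"
        return f"registered on {device}"


def verification_trick(two_step_enabled: bool) -> dict:
    """Replay the scam from the advisory: the attacker requests a code for the
    victim's number and talks the victim into forwarding it. Returns the outcome
    and which device holds the account afterwards."""
    svc = RegistrationService()
    victim = "+18760000000"             # constructed number, not a real subscriber
    svc.register(victim, "victim-phone", svc.request_code(victim))   # normal setup
    if two_step_enabled:
        svc.accounts[victim].enable_two_step("482913")               # constructed PIN
    leaked = svc.request_code(victim)   # lands on the victim's phone...
    outcome = svc.register(victim, "attacker-phone", leaked)          # ...and is forwarded
    return {"outcome": outcome, "holder": svc.accounts[victim].active_device}


if __name__ == "__main__":
    for enabled in (False, True):
        print("two-step on: " if enabled else "two-step off:", verification_trick(enabled))
```

Without the PIN, the forwarded code is enough and the model reports the victim's phone being logged out, which is exactly the "suddenly logged out" indicator listed earlier. With the PIN set, the same leaked code is refused, and the lockout counter means the attacker cannot simply guess PINs against a code they already hold.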