Whether or not Jeff Bezos was hacked via WhatsApp by the Saudi Crown Prince Mohammed Bin Salman, the Facebook-owned messaging app has had its share of security problems this year. Now another WhatsApp attack is in the news. This one has nothing to do with the platform's integrity or with nation-state cyberattacks; it is all about our vulnerability to social engineering and our complacency about securing our own devices.
This social-engineering hack is extremely simple to carry out and equally easy to prevent: it takes less than a minute to enable one WhatsApp security setting. After reading this article, please go back to your app and check that setting.
It is crucial to distinguish between the different types of threat when talking about hacking WhatsApp or any other messaging platform. Last year we saw nation-state attacks infecting targeted people with spyware. We also saw the risk of crafted media files being sent over the platform. Finally, we saw a backdoor that allowed bad actors to lock targeted individuals out of the messaging app.
Software patches from WhatsApp fixed all of those problems, closing the gaps and keeping users safe. The latest issue is different: the fix already existed before the attack appeared, but it is one that users must switch on themselves, and it's likely that most, if not all, of you have not done so yet.
A friend warned us in a group chat that she had been hacked and advised us not to open any messages from her. Attackers had gained access to her WhatsApp account and had taken the phone numbers of the other members of the group. They then sent WhatsApp messages to those members, telling them they were about to receive an SMS message and asking for their help in sending it back to her. This is social engineering at its finest: it is hard to question a request from a friend.
The SMS message contained a WhatsApp verification code for the recipient's own account. By sending it back to their "friend", the recipients were actually handing it to the attackers, who could then take control of the account on a fresh WhatsApp installation and continue their scam from there. This is much easier than porting the SIM to a new device, but the effect is the same. The same scam prompted a series of warnings from Singapore police last summer.
The attackers could then message the rest of the victim's contacts as if they were the account holder, and could also reach anyone who sent the victim a WhatsApp message after the takeover. They do not get any legacy data, and the target device itself is unaffected; the account has simply been ghosted onto an illegitimate device.
This is easily avoided. WhatsApp lets you set a personal PIN, along with an email address to use if you forget it. This PIN is distinct from the six-digit code WhatsApp sends by SMS to verify a new installation. That verification code can be thought of as a form of two-factor authentication, but as recent headlines about SMS security have shown, it can be overcome. A further layer protected by a password of your own is much harder to defeat: even if the attackers receive the SMS code, they won't have your PIN. You shouldn't be sending the SMS code to anyone in the first place, but adding this layer is a good idea regardless.
WhatsApp's "Two-Step Verification" option is found under Settings, then Account, in the app. It takes only minutes to set up.
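To make the two layers concrete, here is an added, simplified model of the re-registration flow (example code, not WhatsApp's own implementation): a relayed SMS code moves the account to a new device when no PIN is set, but fails once two-step verification is on. Account structure, phone number and PIN are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    """Simplified model of one account (constructed for illustration)."""
    phone: str
    pin_hash: Optional[bytes] = None    # None: two-step verification is off
    pending_code: Optional[str] = None  # last six-digit code sent by SMS
    device: str = "owner-phone"         # device the account is active on

def hash_pin(pin: str) -> bytes:
    # Simplified; a real service would use a slow, salted password hash.
    return hashlib.sha256(pin.encode()).digest()

def enable_two_step(acct: Account, pin: str) -> None:
    acct.pin_hash = hash_pin(pin)

def request_sms_code(acct: Account) -> str:
    # Triggered by anyone registering the number on a fresh install; the SMS
    # lands on the phone that owns the number, not on the requester.
    acct.pending_code = f"{secrets.randbelow(10**6):06d}"
    return acct.pending_code

def register_device(acct: Account, device: str, sms_code: str,
                    pin: Optional[str] = None) -> bool:
    # Move the account to `device` if the SMS code (and PIN, when set) match.
    if acct.pending_code is None or not hmac.compare_digest(acct.pending_code, sms_code):
        return False
    if acct.pin_hash is not None:
        if pin is None or not hmac.compare_digest(acct.pin_hash, hash_pin(pin)):
            return False  # a relayed SMS code alone is not enough once a PIN exists
    acct.pending_code = None  # each code is single-use
    acct.device = device
    return True

def relay_scam(two_step_enabled: bool) -> str:
    # Replay the scam from the article: the victim forwards the SMS code to the
    # attacker. Returns which device ends up holding the account.
    victim = Account(phone="+15550100")  # constructed sample number
    if two_step_enabled:
        enable_two_step(victim, "482913")  # constructed PIN the attacker never sees
    code = request_sms_code(victim)  # attacker starts a fresh install with the victim's number
    register_device(victim, "attacker-phone", sms_code=code)  # victim relays code; no PIN
    return victim.device
```

Running `relay_scam(False)` hands the account to the attacker's device, while `relay_scam(True)` leaves it on the owner's phone.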
If you are attacked, the direct risk is not to you but to your contacts, who will likely be asked for data and even emergency funds. This is social engineering at its finest: a secure platform, a message from a friend. We cannot let those circumstances weaken our guard.
Recovering is straightforward: request a new verification SMS to your own number and reactivate your device, which transfers the account back to you. The attackers are counting on you taking time to work out what has happened, and may trigger additional SMS codes to confuse your efforts to fix the situation.
It's surprising how many people don't have the PIN enabled in WhatsApp. Nearly everyone I asked has not set it up yet. If that includes you, please take a minute to set it up. I understand that you won't be sending your verification SMS to "friends" who ask for it, but it is important to set up the PIN anyway, just in case.