In April, a vulnerability was discovered in WhatsApp that allowed anyone who knew your phone number and could see your phone's screen for a few seconds to take over your account.
Now it appears that the same flaw can be weaponized through phishing to hijack your account without the attacker ever seeing your screen.
This came to our attention via a tweet from a young Paraguayan who posted a screenshot of a phishing message, written in Spanish, that appeared to come from WhatsApp.
We have not been able to confirm that the message is authentic, and we have not heard of any other incidents involving this scam, but the attack method makes sense and would be fairly easy for an attacker to pull off.
Our Spanish is pretty rusty, but with help from colleague Kate Kozuch and Google Translate we can say that the message claims to come from the "WhatsApp support team" and states that someone has registered a WhatsApp account using your phone number.
The message further states that the recipient was sent an "identity verification request" via SMS.
Sending a six-digit one-time code by SMS is WhatsApp's standard way of verifying ownership of a phone number: whenever a number is registered on a new device, or an account is migrated to a new phone, the code is texted to that number, and only someone who can enter it in the app can complete the registration.
The problem, as we reported in April, is that by default the SMS verification code appears as a notification on the old phone's screen, whether the phone is locked or not. Anyone who can see that screen for a few seconds after requesting a (phony) number change or device change can read the code and steal your account.
Fortunately, as we explained in April, it is very easy to avoid falling victim to this scam: add a PIN to your WhatsApp account by enabling two-step verification.
In WhatsApp, open Settings, tap Account, then tap Two-step verification and choose a six-digit PIN. From then on, that PIN must be entered in addition to the SMS code whenever your phone number is registered on a new phone, so an attacker who obtains only the SMS code still cannot take over the account.
In the new method reported by the Paraguayan user, the attacker does not need to see your screen: he tricks you into reading the code off your own screen and sending it to him.
The message then veers into pure fraud, stating that "failure to pass verification or abandoning the attempt will result in indefinite suspension."
This is a classic confidence-scam call to action: threaten to cut off service unless the target acts now. In reality, WhatsApp will not suspend an account for failing to confirm a change request, and it never asks you to send a verification code to anyone.
The original poster did not share the entire message, but it implies that the recipient is asked to forward the one-time verification code to the sender. Anyone who does so hands the sender everything needed to hijack their WhatsApp account.
"This is #FAKE," wrote the WABetaInfo Twitter account when a contributor in Paraguay asked for help. "WhatsApp never sends you messages on WhatsApp, and if they do (for global announcements, but it's soooo rare), you'll see a green confirmed indicator. WhatsApp never asks for your data or authentication codes."