


WhatsApp accounts getting stolen with this nasty trick: What to do


(Image credit: Anadolu Agency / Getty Images)

In April, we saw a WhatsApp vulnerability that let anyone hijack your account if they knew your phone number and could glance at your phone's screen.

Now it looks like someone has weaponized that WhatsApp flaw to trick you into giving up your account without the attacker ever needing to see your screen.


This information comes to us in the form of a single tweet by a young man in Paraguay who posted a screenshot of what appears to be a WhatsApp phishing message in Spanish purporting to come from WhatsApp itself.


We can't verify that the message is real, and we haven't heard of any other incidents involving this scam, but the attack method makes sense and it would be pretty easy for an attacker to pull off.

Our Spanish is pretty rusty, but thanks to our colleague Kate Kozuch and also Google Translate, the message claims to be from the "WhatsApp support team" and states that someone has registered a WhatsApp account using your phone number.

The message goes on to say that the recipient has been sent "a request for identity verification" using SMS.

A standard feature of WhatsApp's two-factor-authentication (2FA) method for preventing account theft is to send the account owner a six-digit one-time use code to the old phone number to verify that the account owner has indeed requested a number change or is moving the WhatsApp account to a new phone.

The trouble, as we reported in April, is that the texted 2FA code will by default display on the old phone's screen, locked or not. Anyone who can watch your screen in the few seconds after requesting the (phony) number change or device change will be able to steal your account.

How to avoid this scam

Fortunately, as we explained in April, it's pretty easy to avoid falling victim to this scam. You need only to add a PIN to your WhatsApp account.

Go into the WhatsApp settings on your phone, tap Account and then tap Two-Step Verification. You'll then have to create a six-digit PIN, which you will be asked to enter if you move your WhatsApp account to a new phone.

No need to see your screen

This new twist reported by the man in Paraguay eliminates the need for the attacker to see your screen, since the attacker is going to trick you into giving him the code yourself.

The message quickly veers into pure scam territory, stating that "If you fail to pass the verification or abandon the endeavour, an indefinite interruption will be generated."

That's a classic confidence-scheme call to action, threatening you with denial of service unless you act now. In reality, WhatsApp would not suspend your account for not verifying a change request.

The original poster didn't post the entire message, but the implication is that you'll be asked to forward the one-time 2FA code to the message sender. If so, then the message sender will be able to hijack your WhatsApp account.

"This is #FAKE," wrote the WABetaInfo Twitter account, to which the original Paraguayan poster had appealed for help. "WhatsApp doesn't message you on WhatsApp, and if they do (for global announcements, but it's soooo rare), a green verified indicator is visible. WhatsApp never asks your data or verification codes."


Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

Source: https://www.tomsguide.com/news/whatsapp-hijack-attack

Posted by: howarthyesquir.blogspot.com
