Phishing Campaign Targets WhatsApp Accounts

Researchers at Gen warn that a phishing campaign is attempting to trick users into linking malicious devices to their WhatsApp accounts.

The attack begins with an unsolicited message stating, “Hey, I just found your photo!” along with a link to a spoofed Facebook login page. Instead of trying to steal users’ Facebook credentials, however, the attackers are attempting to gain access to victims’ WhatsApp accounts.

“This page has two purposes,” the researchers explain. “First, it creates a sense of familiarity that encourages the user to trust the page. People expect Facebook to ask for some kind of confirmation from time to time. Seeing a login button or a verification step feels normal. Second, it acts as the attacker’s control panel. The page is not connecting with Facebook but rather mediating between the victim and the legitimate WhatsApp Web infrastructure that the attacker is abusing.”

The phishing page either shows a QR code or contains a field for the user to enter their phone number. The attack proceeds as follows:

1. “The victim types their phone number on the fake page.
2. “The page forwards that number to WhatsApp’s legitimate “link device via phone number” feature.
3. “WhatsApp generates a pairing code that is meant to be seen only by the account owner.
4. The attacker’s site takes that code and displays it back to the victim with text that suggests they should ‘enter this in WhatsApp to confirm the login and see the photo.’
5. “The victim opens WhatsApp, sees the pairing prompt, and enters the code, believing they are completing a security check.”

Once the malicious device is paired, the attacker has full access to the victim’s WhatsApp account and can send additional phishing messages to the victim’s contacts.

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 HRM+ platform to strengthen their security culture and reduce human risk.

Gen has the story.