During the pandemic, use of instant messaging applications has spiked, and WhatsApp is one of the platforms used by almost all netizens worldwide. As expected, it is also being targeted by attackers, since many users do not follow the security best practices advised by the platform providers.
What is the WhatsApp OTP scam?
BtCIRT has recently come to know of a WhatsApp OTP scam, or account hijack, in which the victim receives a message from a contact asking them to forward the One Time Password (OTP) they are about to receive. The contact claims to be having trouble receiving the code and to have had it sent to the victim's number, or to have sent it there by mistake. The victim forwards the 6-digit code, and the contact, who is actually an imposter, uses it to hijack the victim's account. As WhatsApp security explains, messages are stored on the device and not on WhatsApp servers, so your existing message history is not exposed to the attacker; however, the attacker will be able to see the groups you are in and the messages you receive from the time the account is hijacked.
How does it work?
When you first install WhatsApp on your phone you register with your phone number; the platform then sends an OTP via SMS, and entering it proves that you control that number. If a WhatsApp account is hijacked, the criminal behind it gains access to all the contacts and groups within that account and can target any of those contacts next. Since the criminal already knows the target's phone number, that number can be used to sign up with WhatsApp on the criminal's own device. The OTP is then sent to the victim's phone, and the victim is asked to forward it, as described above. The criminal relies on social engineering, sending the request to the unsuspecting friends and family of an already compromised contact, because who wouldn't want to help a friend or family member in distress?
What to do if you are a victim?
If you are a victim of this scam, reinstall WhatsApp immediately and register your phone number again with a fresh activation code (OTP). Entering the new code on your own phone binds the number back to your device and logs the criminal's device out of your account.
BtCIRT would like to advise everyone to adhere to the following guidelines and recommendations with regard to WhatsApp OTP scam messages:
- Never share your OTP with any of your contacts, not with your family, not with your friends! Always confirm whether the message is genuine.
- If you receive messages of distress or emergency requests from your contacts asking you to send money or something else, confirm through another channel (for example, by calling the person) that the emergency is genuine.
- Enable two-step verification (2FA) on WhatsApp. Go to Settings->Account->Two-Step Verification->Enable. It will ask you to input a 6-digit PIN of your own, as shown in the picture below. This is different from the OTP sent by WhatsApp via SMS: the PIN is chosen by you and is never texted to anyone, so a forwarded OTP alone is not enough to take over an account protected by it.
WhatsApp will ask for this PIN when you register your number on a new phone, and once in a while while you use the app, to ensure the security of your account.
- Follow the same practice for other platforms and services: don't share the OTP for any platform or service you use, and enable 2FA on all your accounts, including your email account.
- Every service or platform has its own security recommendations, which you should make sure are enabled or followed. Check this guide by WhatsApp on how to stay safe on WhatsApp, and this one on how to recover stolen accounts.
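The following is an added example, not code from this advisory or from WhatsApp, that models the registration flow described above and replays the scam against it. It is a toy simulation: the server, the sample phone number +97517000001, the device names and the two-step PIN 482913 are all constructed for illustration. It shows three things the text describes: a forwarded OTP is enough to rebind the number to the criminal's device, re-registering on your own phone with a fresh code pushes the criminal out again, and with two-step verification enabled the forwarded OTP alone is rejected because the criminal never sees the PIN.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OTP_DIGITS = 6


@dataclass
class Account:
    phone: str
    two_step_pin: Optional[str] = None   # set once two-step verification is enabled
    active_device: Optional[str] = None  # the one device currently bound to this number


class RegistrationServer:
    """Toy model of number-based registration (not WhatsApp's real server code).
    A phone number is bound to exactly one device; verifying a fresh OTP from a
    new device rebinds the number and implicitly logs the previous device out."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.pending: Dict[str, Tuple[str, str]] = {}   # phone -> (otp, requesting device)
        self.sms_inbox: Dict[str, List[str]] = {}       # phone -> SMS texts delivered to that SIM

    def enable_two_step(self, phone: str, pin: str) -> None:
        self.accounts.setdefault(phone, Account(phone)).two_step_pin = pin

    def request_otp(self, phone: str, device: str) -> None:
        """Any device may ask to register any number; the OTP only goes to the SIM."""
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[phone] = (otp, device)          # a newer request replaces an older one
        self.sms_inbox.setdefault(phone, []).append(f"Your WhatsApp code: {otp}")

    def verify(self, phone: str, device: str, otp: str, pin: Optional[str] = None) -> bool:
        pending = self.pending.get(phone)
        if pending is None or pending[1] != device or not hmac.compare_digest(pending[0], otp):
            return False
        acct = self.accounts.setdefault(phone, Account(phone))
        if acct.two_step_pin is not None:
            # The OTP only proves the caller obtained a text sent to this number;
            # the PIN proves they are the owner.  A forwarded OTP alone is rejected.
            if pin is None or not hmac.compare_digest(acct.two_step_pin, pin):
                return False
        del self.pending[phone]
        acct.active_device = device
        return True


VICTIM_NUMBER = "+97517000001"   # constructed sample number
VICTIM_PHONE = "victim-phone"
ATTACKER_PHONE = "attacker-phone"
VICTIM_PIN = "482913"            # constructed two-step PIN


def latest_code(server: RegistrationServer, phone: str) -> str:
    """What the victim reads off their own screen: the code in the last SMS received."""
    return server.sms_inbox[phone][-1].rsplit(" ", 1)[1]


def run_scam(two_step_pin: Optional[str] = None) -> Tuple[RegistrationServer, bool]:
    """Replay the scam; returns the server state and whether the hijack succeeded."""
    srv = RegistrationServer()
    srv.request_otp(VICTIM_NUMBER, VICTIM_PHONE)                # victim registers normally
    srv.verify(VICTIM_NUMBER, VICTIM_PHONE, latest_code(srv, VICTIM_NUMBER))
    if two_step_pin is not None:
        srv.enable_two_step(VICTIM_NUMBER, two_step_pin)
    srv.request_otp(VICTIM_NUMBER, ATTACKER_PHONE)              # criminal registers victim's number
    forwarded = latest_code(srv, VICTIM_NUMBER)                 # victim is talked into forwarding it
    hijacked = srv.verify(VICTIM_NUMBER, ATTACKER_PHONE, forwarded)   # criminal has no PIN
    return srv, hijacked


def recover(srv: RegistrationServer, pin: Optional[str] = None) -> bool:
    """The advice above: re-register on your own phone with a fresh code (plus your PIN)."""
    srv.request_otp(VICTIM_NUMBER, VICTIM_PHONE)
    return srv.verify(VICTIM_NUMBER, VICTIM_PHONE, latest_code(srv, VICTIM_NUMBER), pin)


def holder(srv: RegistrationServer) -> Optional[str]:
    """Which device the victim's number is currently bound to."""
    return srv.accounts[VICTIM_NUMBER].active_device


if __name__ == "__main__":
    srv, hijacked = run_scam()
    print("no two-step: hijacked =", hijacked, "holder =", holder(srv))
    print("after re-registering: recovered =", recover(srv), "holder =", holder(srv))
    srv, hijacked = run_scam(two_step_pin=VICTIM_PIN)
    print("two-step on: hijacked =", hijacked, "holder =", holder(srv))
```

Note the caveat the simulation also shows: once two-step verification is on, recovery on your own phone requires the PIN as well, so choose one you will remember. The model deliberately keeps the OTP bound to the device that requested it, which is why the criminal's stale code stops working the moment the victim requests a fresh one.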
References:
- https://www.forbes.com/sites/zakdoffman/2020/03/29/new-whatsapp-attack-thieves-now-using-this-hack-to-steal-accounts-update-your-security-settings/?sh=3e57e8741db4
- https://www.forbes.com/sites/zakdoffman/2020/01/25/whatsapp-users-beware-this-stupidly-simple-new-hack-puts-you-at-riskheres-what-you-do/?sh=da59b9a1d764
- https://www.business-standard.com/article/technology/whatsapp-otp-scam-what-is-it-how-it-works-other-things-you-need-to-know-120112400166_1.html