Muscat, June 12 – Oman CERT (Oman National Computer Emergency Readiness Team, OCERT) has warned against hacking of WhatsApp accounts using social engineering techniques. Highlighting the number of reports of WhatsApp accounts compromised by tricking unsuspecting victims into handing over a verification code, Oman CERT said in a statement: “The compromised accounts are used to impersonate the account owner and seek money transfer from the victim’s contact list.” WhatsApp is one of the most used social media applications in Oman.
One of its vulnerabilities is that people are chosen to become members of groups.
“WhatsApp is favoured by different age groups. However, there are other social media coming into play. People who like to share photographs choose Instagram, while there are others who like SnapChat. CEOs and commercial entities prefer Twitter. But all of them use WhatsApp,” said Haitham bin Hilal al Hajri, a cyber security expert.
The attack itself is old, but it has now come back.
The attacker sends a URL to a person and, once he/she clicks on it, a new code is sent to the phone where WhatsApp has been installed. After that, the attacker takes over the code and the activation, and the victim is no longer able to control his/her WhatsApp account.
The attacker then has access to the victim’s family and friends. He might ask them for money on the pretext of being in debt or being stranded somewhere.
“A victim must reinstall the application into the phone and ask for a code, but it will take up to 16 hours to get a new code.
“The attacker will be able to control your account for 16 hours,” said Al Hajri. “The 16-hour gap is a safety measure for WhatsApp to ensure the same code is not used in more than one device.”
Another issue has been the WhatsApp groups. Al Hajri said, “It is not recommended to be in a group with people unknown to you because some people can scan others in addition to the danger of being exposed to infected malware or exchange links that have malware on them. In other words, you cannot control the type of conversation that can be carried out in a group.”
WhatsApp hacking depends on social engineering techniques where the victim is tricked into handing over the verification code to the attacker. The victim is led to believe he/she has won a prize or something and that the code is needed to verify that the individual is the sole owner of the phone number.
“In addition, there are some suspicious links that may be infected with malware that has been circulated in different social media platforms.
Once activated with a click, the link will carry out a malicious deed by requesting to download an infected app,” he said.
Al Hajri, a researcher at Binary University of Management and Entrepreneurship, said users are advised to protect their social media accounts by enabling two-step verification in the settings of their favourite social media app.
“Never respond to any third party advertisements and always go to official channels to enquire about any promotion or winnings.”
“Under any circumstances, never share personal or financial information over unverified social media contacts and refrain from answering or sharing any activation codes,” he said.