The scam that steals WhatsApp accounts from users (account takeover) is now two years old and has used several pretexts: confirming an ad, an invitation to a VIP party, and it has even evolved into account cloning using the victim's profile photo. The only way to avoid the scheme is to enable two-step verification, in which the user creates a personal password that is requested whenever the app is installed. And it seems that this feature has finally become popular! Kaspersky experts have just found a scheme that aims to circumvent this protection through social engineering and a request to WhatsApp support. The beginning of the scheme is unchanged. The victim receives a call from criminals posing as representatives of the Ministry of Health, who ask whether they can conduct a survey on Covid-19. The whole staging has one clear objective: to get the person to hand over the six-digit code that is sent via SMS to "confirm completion of the survey". If the victim pays no attention to the message and reveals the code, the account can be stolen.
The change comes when the scammer is faced with the screen that asks for the two-step verification password. When this happens, they end the call about the supposed survey and call the victim again, but this time the criminals impersonate the messaging app, explain that the company has identified malicious activity on the account and instruct the victim to access their email to re-register two-step verification. What surprised the Kaspersky experts most is that the victim does in fact receive a legitimate email from the messaging app titled “Two-Step Verification Reset”, with a link to disable the additional protection. After analysis, Fabio Assolini, Kaspersky's senior security researcher, points out that the criminals' social engineering has reached a new level.
“Both the message and the link to recover the double authentication are legitimate, that is, they were sent by the owner of the application. In the same way that we can request the recovery of a password in an online store, we can request the recovery of the double authentication of the messaging app, in case the password is forgotten. The scam relies on social engineering, forcing victims to click on the link received by email”, explains the Kaspersky expert.
Assolini ends by explaining that the criminals stay on the line while the victim accesses the email and the link, and points out that the landing page does in fact disable two-step verification. “The idea here is to allow the person to create a new password when activating the function again. But the criminals take advantage of the fact that the account is unprotected and use the temporary code received on the first call to perform the installation on their device and thus continue with the scam, contacting friends and family to ask for money”, details the researcher. The only way for users to avoid falling for this new scam is to be suspicious or to know in advance that it exists. According to Assolini, only the company can provide a definitive solution and end the account takeover scams. “From the point of view of security, the application should improve the process of recovering double authentication by allowing re-registration on the company's own page, instead of performing the deactivation. In this way, this scheme would be rendered unfeasible”, he concludes.
To avoid being a victim, Kaspersky recommends:
Enable two-step verification (six-digit code) on WhatsApp. To set it up, follow the steps below:
Go to the “settings” menu in the upper right corner
Enter the “Settings” option
Then click on “Account”
Select “2-step verification”
Create a six-digit code; this will be your two-step verification password.
Ask to have your number removed from the databases of caller-identification apps; scammers can use them to find your number from your name.
Never disable two-step verification unless you have forgotten the password and made the reset request yourself. Text originally published in 1 billion.