After widespread outrage over its new terms of service (ToS), a new security issue has surfaced for WhatsApp. According to reports, URLs are circulating which show a prompt suggesting that a one-time password (OTP) has been delivered to the visitor's phone number. These URLs are easily available on the open Internet and are being used by scammers to target unsuspecting users. The scammers try to convince these users that they are being called on behalf of WhatsApp and ask them for the OTP, which lets the scammers take over the users' private WhatsApp accounts. Doing so sidesteps end-to-end encryption, since the scammer now controls the account itself, and allows them to read any and all chats coming to that WhatsApp account.
Once a scammer gets access, WhatsApp will stop working on the user's own phone, because the app allows only one phone per account. Cybercriminals can then use these accounts for a variety of purposes, including sending files containing malware to the user's friends, accessing WhatsApp Pay accounts, gleaning private information by speaking to the user's friends, and more. The URLs are also easy to modify, which at times allows these scammers to dupe even the more tech-savvy users.
According to a report by News18, the technique is quite common in India, particularly in Jharkhand's Jamtara area. Netflix made a show on Jamtara about the banking-related scams that originate there. "Online thugs from these circles use this URL and use terms like 'policy update' to dupe users, and then demand the real OTP to hack WhatsApp accounts," Rajshekhar Rajaharia, an independent cyber security researcher, told News18.
WhatsApp's end-to-end encryption protects users' messages from being read by any party that inserts itself between the sender and receiver of a message. However, if a scammer gets access to a person's account, the scammer now acts as the actual owner of the account, which encryption cannot protect against. They will still need your friends' phone numbers to speak to them, but they can get in touch with businesses that communicate with that particular WhatsApp account.
It’s unclear whether WhatsApp is working on a fix for this issue, or whether the company is aware of the problem at this point.