In April, we saw a WhatsApp vulnerability that let anyone hijack your account if they knew your phone number and could glance at your phone's screen.
Now it looks like someone has weaponized that WhatsApp flaw to trick you into giving up your account without the attacker ever needing to see your screen.
This information comes to us in the form of a single tweet by a young man in Paraguay who posted a screenshot of what appears to be a WhatsApp phishing message in Spanish purporting to come from WhatsApp itself.
"Hey, help me. What is this? Is it real?" pic.twitter.com/tn0WSiKV13 (May 27, 2020)
We can't verify that the message is real, and we haven't heard of any other incidents involving this scam, but the attack method makes sense and it would be pretty easy for an attacker to pull off.
Our Spanish is pretty rusty, but thanks to our colleague Kate Kozuch and also Google Translate, we can say the message claims to be from the "WhatsApp support team" and states that someone has registered a WhatsApp account using your phone number.
The message goes on to say that the recipient has been sent "a request for identity verification" using SMS.
A standard feature of WhatsApp's two-factor authentication (2FA) method for preventing account theft is to send the account owner a six-digit one-time code to the old phone number, to verify that the account owner has indeed requested a number change or is moving the WhatsApp account to a new phone.
The problem, as we reported in April, is that the texted 2FA code will by default display on the old phone's screen, locked or not. Anyone who can watch your screen in the few seconds after requesting the (phony) number change or device change will be able to steal your account.
How to avoid this scam
Fortunately, as we explained in April, it's pretty easy to avoid falling victim to this scam. You need only to add a PIN to your WhatsApp account.
Go into the WhatsApp settings on your phone, tap Account and then tap Two-Step Verification. You'll then have to create a six-digit PIN, which you will be asked to enter if you move your WhatsApp account to a new phone.
No need to see your screen
This new twist reported by the man in Paraguay eliminates the need for the attacker to see your screen, since the attacker is going to trick you into giving him the code yourself.
The message quickly veers into pure scam territory, stating that "If you fail to pass the verification or abandon the attempt, an indefinite suspension will be generated."
That's a classic confidence-scheme call to action, threatening you with denial of service unless you act now. In reality, WhatsApp would not suspend your account for not verifying a change request.
The original poster didn't post the entire message, but the implication is that you'll be asked to forward the one-time 2FA code to the message sender. If so, then the message sender will be able to hijack your WhatsApp account.
"This is #FAKE," wrote the WABetaInfo Twitter account, to which the original Paraguayan poster had appealed for help. "WhatsApp doesn't message you on WhatsApp, and if they do (for global announcements, but it's soooo rare), a green verified indicator is visible. WhatsApp never asks your data or verification codes."
"This is #FAKE. WhatsApp doesn't message you on WhatsApp, and if they do (for global announcements, but it's soooo rare), a green verified indicator is visible. WhatsApp never asks your data or verification codes. @WhatsApp should ban this account. 😅" https://t.co/nnOehPL8Ca (May 27, 2020)