The hijacking of WhatsApp accounts is one of the most repeated cyberattacks in recent years. The modus operandi is simple: all cybercriminals need is for the legitimate user of the profile to communicate a code sent by the app, necessary to activate it on another device. The latest variant of this scam is for cybercriminals to pretend to be Social Security workers calling the victim to schedule the third dose of the coronavirus vaccine.
So has alerted the National Cybersecurity Institute (Incibe), which warns that “in recent days calls have been detected to users impersonating the Social Security identity, in which they are asked for a code that they have received via SMS on their mobile devices “. “In the call, the user is told that it is a verification code to receive the third dose of the COVID-19 vaccine but in reality it is the verification code that WhatsApp sends to be able to log in from another device,” he details.
The sending of this code to the user by WhatsApp is requested by the cybercriminals themselves. The code is the method that the application uses to verify that the original owner of the account is the person who is trying to activate it on another device. If cybercriminals get hold of it, they will gain full access to the account, which they will use to prevent the original user from continuing to use it. They will then try to get the most out of it, either by employing it in other scams or by blackmailing the victim into paying a ransom to get it back.
Since the beginning of this year in 2021, the WhatsApp account hijacking campaigns have intensified in Spain. The most repeated hook so far by cybercriminals was pretending to be a close contact of the victim, whose account had also been previously stolen. In that case, instead of a call from fake Social Security workers, what the victim receives is a message from the number of an acquaintance saying that he has sent a code “by mistake.” “Can you pass it to me, please? It’s urgent,” the message reads, prepared to try to stop the victim from reflecting on what is happening and sharing the code.
Scam from Latin America
In recent days, Spanish WhatsApp users had shared a warning chain about this hacking campaign based on a false citation for the third dose of the vaccine. However, until the alert issued by the Incibe, the Ministry of Health and the security forces had denied that they were aware that this scam was active in Spain.
According to the chain trace he carried out Newtral, this had jumped to Spanish users from Latin America, where some institutions have warned of the identity theft campaign by cybercriminals. One of them is the Ministry of Health of Colombia, whose name also coincides with the reference to the “Ministry of Health” that is given in the warning message of the WhatsApp chain and that does not exist as such in Spain. The Chilean Ministry of Health also has warned of the situation.
Finally, groups of cybercriminals have decided to replicate in Spain the same tactic as in Latin America, the Incibe has detected. The Ministry of Health also recalls that in Spain the call to receive the third dose of the coronavirus vaccine is made from the health departments of the autonomous communities and that their workers in no case call citizens for this reason.
Recover WhatsApp account
In the message sent by WhatsApp with the code to activate the account on a new device, the user is reminded that “they should not share it with anyone.” However, if you have fallen into one of these traps and have lost access to the account, the application has a method to recover it that follows the same process that the cybercriminals used to hijack it: ask the app for a verification code from the original owner’s phone.
The new code will arrive via SMS and must be entered in the application. “The code is unique and changes every time you verify a new phone number or device”, explain WhatsApp, who gives specific instructions for Android phones and to iPhone phones. This process can take several days, but the company remembers that cybercriminals will not have access to old conversations, since they are stored on the device.
It is important that if you have been a victim, you notify your contacts of what happened in another way so that they are aware that it is not you who is writing to them
National Cybersecurity Institute
WhastApp’s recommendation to its users is to activate the two-step verification, which adds an additional layer of security and allows speeding up the recovery of the account in case it is stolen. “You must wait seven days to be able to verify your number without the two-step verification code. Regardless of whether you know the two-step verification code or not, the session of the person with access to your account will be closed as soon as you enter the code of six digits sent by SMS message “, details the application.
Given that cybercriminals often use the hijacked account to steal others, from the Incibe they emphasize that “it is important that if you have been a victim, additionally, you notify your contacts of what happened by other means (phone call, email, social network, SMS, etc.), so that they are aware that it is not you, or the one who is writing to them, or requesting their verification code “.