Muscat: A newly identified phishing campaign is targeting WhatsApp users through a deceptive voting scheme. This attack entices victims with a voting page that supposedly showcases young athletes, although other voting subjects are also being misused, according to Kaspersky.
"The technique can be easily adapted for various scenarios, and the primary objective of the attackers is to take over WhatsApp accounts," the company cautions.
Kaspersky elaborates that the scam starts with users being led to a seemingly credible webpage that claims to host a voting contest. For example, the page may display images of athletes, each paired with a "Vote" button and real-time counters showing purported vote totals and the number of participants.
These features create a misleading sense of legitimacy, prompting user interaction. The page also asserts that anyone can join the contest after "authorization," with winners receiving prizes from "sponsors."
When users click either the "Vote" or the "Authorize" button, they are redirected to a fraudulent site that urges them to "quickly and easily" authorize through WhatsApp. Users are then asked to provide the mobile phone number linked to their WhatsApp account.
The attackers exploit the WhatsApp feature that allows logging into the messenger's web interface with a one-time code: they enter the victim's phone number into WhatsApp Web, the system generates a 6-digit code, and the scam website then displays that same code to the victim.
Kaspersky further states that when a user enters this code into the app on their smartphone, the web session initiated by the attackers becomes active, enabling them to monitor the victim, send messages, and ultimately seize control of the account.
To safeguard against such hijacking scams, Kaspersky suggests the following:
* Enable two-step verification: Turn on WhatsApp’s two-step verification feature to provide an additional layer of security, which requires a PIN for accessing the account.
* Verify website authenticity: Refrain from entering personal information on unknown websites, particularly those accessed through unsolicited links. Always verify the URL for authenticity.
* Never share verification codes: WhatsApp will never request your verification code. Do not share it with anyone, nor accept it from anyone, even if it appears to come from a trusted source.
* Utilize reliable and established security software to identify and block harmful websites and links.