While several people have started using WhatsApp during the coronavirus outbreak to stay connected with their loved ones, some attackers are leveraging the surge in its usage to easily gain access to user accounts. The process that attackers are using to hijack WhatsApp accounts is known as “social hacking,” and it requires the six-digit security verification code that you receive via an SMS message to activate your WhatsApp account. Although the flaw has existed for some time, it has reportedly re-emerged in places such as the UK due to the increase in the adoption of WhatsApp.
In a social hacking attack, the attackers use an already hacked account to contact victims while posing as friends the victims know. The communication can take place through any social media platform such as Facebook and doesn't require the friends to have a WhatsApp account.
The attackers pretend that they have not received, on their own number, the security verification code that is mandatory for registering or signing in again on WhatsApp, and tell the victims that they have therefore sent it to them. They then ask the victims to send the code back.
In reality, what the attackers send to the affected users is the six-digit code for activating the victims' own WhatsApp account. Once the victims provide the code, the attackers are able to easily gain access to the victims' WhatsApp accounts.
The issue isn't actually new, as some reports mentioned its existence back in 2018. However, the recent surge in WhatsApp usage due to the coronavirus outbreak, with usage believed to have increased by 40 percent globally, has brought the flaw back into the news.
According to a report by English daily The Telegraph, the attack has re-emerged in the UK. It restricted some WhatsApp users from using the instant messaging app during the pandemic and allowed hackers to message people using the victims' accounts.
WhatsApp hasn't provided any fix for the flaw related to its security code. However, the Facebook-owned company did advise users not to share their security verification code with others. It has also noted in a separate FAQ page that users can get back a stolen account by re-verifying their phone number. This will automatically log out the individual who gained access to the account through the social hacking process.
Users are additionally recommended to implement the “Two-Step Verification” setting to protect accounts from being accessed simply through the security code.
You can enable the advanced protection layer on your WhatsApp by going to Settings > Account > Two-Step Verification. This will enable the requirement of a PIN when re-registering your phone number with WhatsApp.
Gadgets 360 has reached out to WhatsApp for a comment/statement on the increase in attacks using the security verification code and will update this space as and when the company responds.