The dark side of WhatsApp

Security Awareness
13 March 2023

The hidden pitfalls of the app the world has fallen in love with

The years when email seemed like a science fiction tool are not so far behind us. For those who grew up in the era of fax and stamped envelopes, the advent of email, which allowed them to communicate with people far away and send documents of all kinds in real time, was a revolutionary transformation.

Today, not only does it seem absolutely normal, but it’s hard to imagine a way of living and working without email. Technology, however, runs fast, and we always drift behind, in a continuous acceleration, especially of our modes of communication. So much so that email as a tool already seems outdated.

In the world of work, now that remote working is firmly established, communications between employees, and between companies and their employees, have increasingly moved from email to other tools, such as the various videoconferencing platforms and messaging programmes, in particular WhatsApp.

Those who work all day in front of the computer can’t have failed to be attracted by the tempting calls of a much more immediate and streamlined form of communication, which has also changed our language and our choice of words: fewer frills and formalities, all much more direct and schematic.

The undisputed leader of this transformation is WhatsApp, the application used today by over 2 billion people, in 180 countries around the world, which for now seems to have no rivals in private exchanges, but which is also taking a lot of traction for business communications.

WhatsApp as a work tool

According to research conducted by Veritas Technologies entitled “Hidden Threats of Business Collaboration Report”, 75% of the 12,500 employees of companies or organisations surveyed use WhatsApp for their work communications frequently, with a peak of 71% claiming to use it to send sensitive information on behalf of the company they work for.

Federprivacy also captured a similar picture of the world of work, recording 52% of respondents who confessed to using WhatsApp to send documents, scans and shared files easily and quickly.

It’s a change in habits that arouses a lot of enthusiasm, but that also has its dark side, first of all in terms of security and privacy. Suffice it to say that, again according to the same Federprivacy survey, a quarter of respondents confessed to having sent sensitive data such as company passwords, confidential customer data, employee salary information, and sometimes even health data, to the wrong recipient.

These are errors and risks that do not seem to discourage users, since 79% of respondents reported that in the future, they would be prepared to use WhatsApp again to share business data.

The Risks of WhatsApp

To all this can be added the risk of real scams spread through the famous messaging application. There are various types: malicious links mimicking messages from well-known brands; clone apps that invite users to install WhatsApp from outside the official app store; and classic phishing schemes, which work more or less as follows. The victim receives an email about the supposed expiry of their WhatsApp account and is invited to renew their registration, paying by credit card, within 24 hours to avoid losing their message history and content. Of course, in order to proceed, the user must enter their card details, which end up straight in the hands of the criminals.

Social hacking

In addition to this there is social hacking, i.e., intrusions by attackers into accounts with the aim of forcing the victim to pay a ransom.

One of the methods most widely used by attackers relies on getting the victim to share PINs or security codes received via text message.
It works like this: a person we trust writes to us on WhatsApp saying that they must sign up for a certain service but, having made a mistake in the process, they need us to forward them the code that, at that same moment, was sent to us via text message.
Usually, the unfortunate victim does as they are asked without asking too many questions, because they trust the person who writes the message. And maybe they are also in a hurry or distracted. From that moment, however, the problems begin: after a few seconds, the user finds themselves locked out of their WhatsApp account, with no access to chats or contacts. Those 6 digits were in fact the verification code that the attacker needed to register the victim’s phone number on another phone and start messaging the victim’s contacts in turn.
The catch is precisely this: first the cybercriminal targets a friend or relative, and then tries to repeat the same scam with every contact they can find.
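The pattern described above (a trusted contact, a claimed mistake, a request to forward a code that just arrived by text, and a reply that carries the 6-digit code) lends itself to a simple awareness check. The following is an added example, not code from the article or from any messaging vendor: a heuristic scorer that flags incoming messages matching that pattern and warns before an outgoing reply that contains a 6-digit number. The signal words, weights, threshold and sample messages are all assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Heuristic signals drawn from the scam described in the article: a contact
# claims they made a mistake signing up for a service and asks us to forward
# the code that has just reached our phone by text message.
# (Constructed word lists; weights are an assumption for this example.)
SIGNALS = [
    ("mentions a code or PIN", 2,
     re.compile(r"\b(code|pin|verification|otp|security number)\b", re.I)),
    ("asks us to forward or send it", 2,
     re.compile(r"\b(forward|send (me|it)|pass (me|it)|share)\b", re.I)),
    ("frames it as a mistake or sign-up", 1,
     re.compile(r"\b(mistake|accidentally|wrong number|sign(ed|ing)? up|register(ed|ing)?)\b", re.I)),
    ("adds time pressure", 1,
     re.compile(r"\b(now|quick(ly)?|right away|asap|urgent(ly)?|hurry)\b", re.I)),
    ("refers to an SMS / text message", 1,
     re.compile(r"\b(sms|text message|text)\b", re.I)),
]

# A verification code is typically 6 digits standing alone (not part of a longer number).
SIX_DIGIT_CODE = re.compile(r"(?<!\d)\d{6}(?!\d)")

# A message needs the code mention, the forward request and at least one
# supporting signal before it is flagged (assumed threshold).
THRESHOLD = 5


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= THRESHOLD


def assess_incoming(text: str) -> Verdict:
    """Score an incoming chat message for the 'forward me the code' pattern."""
    verdict = Verdict(0)
    for reason, weight, pattern in SIGNALS:
        if pattern.search(text):
            verdict.score += weight
            verdict.reasons.append(reason)
    return verdict


def contains_verification_code(text: str) -> bool:
    """True if an outgoing reply carries a stand-alone 6-digit number (likely an SMS code)."""
    return SIX_DIGIT_CODE.search(text) is not None


# Constructed sample messages, not real chats.
INCOMING_SAMPLES = [
    "Hey! I was signing up for a service and made a mistake, the code went "
    "to your number by text. Can you forward it to me quickly?",
    "Are we still on for lunch tomorrow at 1?",
    "Can you send me the PIN for the office door?",
]
OUTGOING_SAMPLES = ["Sure, it's 483920", "See you at 12:30"]

if __name__ == "__main__":
    for msg in INCOMING_SAMPLES:
        v = assess_incoming(msg)
        print(f"[{'SUSPICIOUS' if v.suspicious else 'ok'} score={v.score}] {msg}")
        for r in v.reasons:
            print("   -", r)
    for msg in OUTGOING_SAMPLES:
        if contains_verification_code(msg):
            print(f"WARNING: about to send what looks like a verification code: {msg!r}")
```

The third incoming sample shows the design choice behind the threshold: a plain request for a door PIN scores the two core signals but no supporting one, so it is reported as borderline rather than flagged, while the first sample, which combines a mistake story, time pressure and a reference to a text message, is flagged. The outgoing check is the last line of defence the article points to: the moment a 6-digit code is about to leave the phone, it is worth pausing.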

The new WhatsApp scam

For a few months now, scammers have been setting this method aside in favour of a new one that relies less on technical tricks and more on “communicative” ones.

According to statements by Rahul Sasi, Founder and CEO of the cybersecurity company CloudSEK, criminals exploit the standard codes that anyone can enter on a phone to forward calls and text messages when the line is busy, with the aim of taking control of the victim’s app profile without them noticing. The attacker or an accomplice calls the victim, thus occupying the line, and talks them into typing the characters **67* and *405* followed by a 10-digit number. The trick only works while the main number, the one registered with WhatsApp, is engaged in a phone call, such as the one in progress with the perpetrator of the fraud.

At that point, the attacker starts a new WhatsApp registration with the victim’s number. The confirmation code arrives at the number entered after those forwarding codes, which is all that is needed to complete the takeover: the attacker finishes the procedure, disconnects the victim’s account and starts using it themselves. According to the researcher, the criminals’ aim is to ask the victim’s contacts for money, pretending to be one of their friends or relatives.

The protections

According to experts, the best protection against this type of scam is enabling two-step verification. Simply open the app, press the button at the top right with the three dots and open Settings, then Account, and from there select Two-Step Verification. At this point, choose a 6-digit PIN, register a valid email address and then tap Activate. This is certainly a way to always have a lifeline.

Above all, however, it is important never to be caught unprepared.
As with all IT scams, what is being targeted is human behaviour, because it is always the weakest link, the crack through which crime slips. This is where our defences need to be strengthened.
We must, essentially, build an immune system that guards against the many pitfalls of technology, especially when we are dealing with sensitive data and business information.

This requires continuous and up-to-date training that can put us in a position to face the dangers that also lie behind the tools we use on a daily basis and transform us into real cyber scam bloodhounds.