A new WhatsApp scam uses data from people who have posted sales listings or advertisements on the Internet to steal their messaging accounts. To clone the app, thieves use the phone number available on the advertising platforms and impersonate representatives of the sales websites themselves. According to security firm Kaspersky Lab, fake messages have already been identified impersonating the OLX, Webmotors and Zap Imóveis platforms.
Zap Imóveis stated, in a note to TechTudo, that it is aware of the scams carried out in the company's name, and that it gives clients complete information so that they do not become victims (see full note at the end of the story). Because the fraud does not use any malicious program to steal data, security depends heavily on the user's own attention. Below, understand how the new scam works and how to protect yourself.
Messages sent by criminals to try to steal the user's authentication code. Photo: Reproduction / Kaspersky Lab
Scammers contact the victim through the telephone number available on the sales sites. In the message, the criminals state that there are complaints about the customer's contact details in the sales ad and ask the victim to confirm the number by providing the code sent by SMS.
At the same time as sending these messages, scammers try to activate WhatsApp on a new device with the person's number. The code sent by SMS is therefore the new-device authentication code sent by WhatsApp itself and has nothing to do with the buy-and-sell site. When a person provides the code that arrives on their device, criminals are able to clone the messenger account.
In the second part of the scam, fraudsters send messages to the person's most recent contacts, usually family members or close friends, and ask to borrow money for an urgent expense. There is no standard amount requested, but if the contact agrees to send the money, the criminals always provide a money-mule ("laranja") bank account for the deposit.
Enabling 2-step authentication can increase security for users. Photo: Reproduction / Felipe Vinha
According to Fabio Assolini, Kaspersky Lab's senior security analyst in Brazil, the best way to protect yourself from this scam is to activate WhatsApp's two-step verification. With 2-step verification, in addition to the code provided by SMS, it is possible to create a kind of "password" required to install the app. "This is a password that the user creates and is requested from time to time by the application. Even if the victim enters the activation code, the perpetrator will have to request the password for the double authentication. This already leaves the context of the ad and the person may notice the fraud before it is too late," he explains.
To TechTudo, OLX clarified that although it has not had access to details of this case, it can guarantee that there is no similar procedure in its relationship with site advertisers: "The request for verification codes / security codes, registration and personal data is not a practice adopted by OLX under any circumstances," the company emphasized through a spokesperson.
The company has also released safety tips for product trading via OLX:
- Never share the validation and security codes that arrive on your mobile phone;
- OLX does not require security code validation to use platform chat;
- OLX will never ask you to access your account via chat, phone, SMS, WhatsApp and social networks;
- Remember that OLX also provides a report button on all your ads and contacts in the chat, allowing anyone to report any irregular practices or improper content.
Last week WhatsApp added an alert to the SMS messages that carry the authentication code to prevent such scams. Right after the sequence of six numbers, the following text was inserted in the message: "do not share this code". The alert serves precisely to differentiate the number sent from other codes and to draw the user's attention to the security of that information. For now, the change in messaging has been implemented for Android users only, but should soon arrive on the iPhone (iOS).
For those whose account has already been stolen, the guidance is to notify friends and family as soon as possible and try to recover the number by requesting a new SMS verification. To do this, the user must log in to WhatsApp and confirm the six-digit code that arrives via SMS. Anyone else using the account will then be automatically logged out.
"As is well known and widely reported in the press, a number of companies and individuals have recently been the target of a new scam mode: criminals use public information to gain access to WhatsApp user accounts.
In this context, the ZAP Group clarifies that it has been monitoring cases from the outset and is acting responsibly to combat this illegal practice. We are always very close to our customers and keep a close communication across all our customer service channels in order to clarify the facts and provide the necessary tools so that they do not become victims."