How to secure WhatsApp as user fraud increases

by James · November 29, 2022

Users of a popular messaging platform are complaining about an increase in spam texts after a leak of over 487 million WhatsApp user records.

“Someone definitely bought records from the US and now they’re messaging friends and family asking for money – I didn’t click any links or share any PINs,” complained one Twitter user.

They refer to a recent post on a well-known dark web forum where a threat actor is selling the phone numbers of nearly 500 million WhatsApp users.

The threat actor told Cybernews that the US user database with over 32 million records costs $7,000.

While we don’t know the origin of the data set and have yet to hear from WhatsApp and its owner Meta, we know for sure that users with their numbers out in the public domain are at risk.

Threat actors can bombard them with spam messages, spoof popular brands like DHL or Amazon that are often exploited during the holiday season, attempt to lure victims into cryptocurrency scams, or even attempt account takeovers.

Table of Contents

Abundance of spam messages

Users report an increase in spam campaigns, where threat actors fake invoices. “This explains the calls saying an iPhone has been charged to my Amazon account,” one tweet reader.

Low-tech scams are popular during the shopping season. Since there is no malicious link involved, it gets through defenses easily. Scammers either call you themselves or get you to call them to, for example, cancel a purchase you haven’t made.

When a victim calls the number, cybercriminals try to extract as much personal information as possible that is supposedly needed to cancel the order.

Users also report unwanted personal messages from scammers pretending to be other doctors from the US, when the phone number they are texting from shows they are in Nigeria.

Such personal messages are nothing but harmless. Scammers look for their victims on dating apps and social media platforms or send random texts masquerading as wrong numbers.

They pretend to be looking for friends, and only after gaining the victims’ trust, they make a seemingly innocent proposal to make money by investing in cryptocurrency. Recently, US law enforcement authorized the seizure of seven domains used in a hog slaughter scam in which five victims lost $10 million.

There have also been attempts at account takeover. One Twitter user received a notification from WhatsApp that someone is trying to register the account with a new device.

“It happens easily two to three times a week and has been like that since September,” they complained. These messages had flooded users even before the ad was posted on the dark web. With a massive dataset for sale, this is likely to intensify. Fortunately, this WhatsApp user has two-factor authentication (2FA) enabled, which makes it more difficult for attackers to penetrate the account.

Threat actors also impersonate well-known brands and famous figures to trick victims. For example, Binance CEO Changpeng Zhao’s followers reported receiving random messages from someone impersonating him.

Most likely, attackers pretending to be Zhao will try to lure victims into some kind of cryptocurrency scam.

While there’s no way to tell if someone has purchased the data set that’s causing the spike in fraud attempts, the examples above illustrate just how dangerous it is to have your phone number out in the open.

How can I protect myself?

A private phone number belonging to an individual, unlike the contacts of government agencies and companies, is considered to be personally identifiable information (PII).

Therefore, companies have a duty to protect the information you share with them. Due to some security flaws or simple scraping that some companies turn a blind eye to, your data, such as your email address or phone number, may be leaked. There are a few things you can do to ensure that your exposed information does not benefit threat actors:

Do not answer calls and texts from unknown members. Block anyone who raises suspicion.

Activate 2FA as soon as possible – go to WhatsApp Settings-Account and turn on the function.

Check that your profile information is not publicly visible. Go to Settings-Privacy and choose who can see your profile picture, “about” information and other account details. Make sure you only share these with a small group of people.

Don’t fall for scam support messages. We have noticed scammers offering their “help” by redirecting WhatsApp users to experts who can supposedly help recover the hacked account. The only way to recover a hacked account is by contacting official support.