Date: 2024-07-19

A 52-year-old woman is about to board a plane from the US to Spain. In the waiting room, she is busy dealing with work matters in several simultaneous WhatsApp chats. Suddenly, her husband, standing next to her, hears her say: “This is the one who has messed me up here with WhatsApp. I am going to tell her off, she has left me hanging. A friend asked me to send her a code to verify and now WhatsApp is not working and I have to keep working,” as she recalls it.

The message was not, of course, from the friend, but from a usurper who had stolen the friend’s WhatsApp account. Even before boarding the plane, several friends wrote to the husband: “Hey, your wife has written to me and is asking for money, but she can’t talk,” he says. During the flight, the scammer wrote to dozens of the victim’s friends and colleagues with different requests for money: “Some confirmed that they had already sent the money,” recalls the husband. They have calculated that the stolen money could have been around a thousand euros from three people who fell for it. The scammers asked some friends for 2,500 euros, but most were asked for a few hundred. EL PAÍS has seen screenshots and details of the case, but is not publishing the victims’ personal details, at their request, so as not to add more problems to their situation.

The surprise in this matter, and what made some friends go to social networks to report it, was that the usurper seemed to speak like the victim: “Hi babe, are you very busy?” he wrote to one. “Honey, I need to make a payment,” to another. “It’s incredible because they used their words. I have no idea how they do it, but they do it perfectly,” a friend who received the messages explains to this newspaper. “It seems like an AI, it seems like a person,” she adds. It is probably a person.

Cyberattacks of all kinds have skyrocketed in recent years. Their growth and complexity are such that they have overwhelmed police officers. The variants keep multiplying, and it is sometimes difficult to understand what is happening and how it can happen. This case serves to unravel, with the help of experts, what could have happened in a scenario like this and what can be done to avoid it or at least minimize the impact.

The most fascinating part of the attack is the use of the victim’s own keywords in the new messages. Is it possible that the attackers automate the messages with ChatGPT to speed things up and try to scam more money? It is possible, but unlikely, believes Martín Vigo, founder of Triskel Security and host of the Tierra de hackers podcast. “I see it as a bit complicated to automate it. You would have to automate it externally because you cannot automate an app. And on desktop WhatsApp, you would have to use something external, something that moves the mouse, but it’s not like you can just go and do it with a Python program,” explains Vigo.

‘What’s up, crack?’

So how do they do it? By hand, with copy and paste, Vigo believes. “Even if you spend 10 seconds more, you make it more efficient by looking at the previous message,” he says, and details the process: “I already control WhatsApp. I’m going to start sending payment links to people. I look at the three or four previous messages and immediately see the typical greeting you get when you start a message. ‘Hey, man, what’s up, crack? How are you?’ And I just put that and that’s it. Copy-paste the rest from the notebook.” “I don’t think it’s automated, especially because there’s that difficulty in automating it because it’s a closed app. It’s not a Python program,” he adds.

How to avoid this? “You have to have a code word or ask something that only that person can know: ‘Where did we go on holiday last year?’, for example,” says Carlos Solano, head of the Ardiciber consultancy, which specialises in cyber-scam victims. Other quick options, as the friends did in this case, are to ask for an audio recording or to write to someone you know is with the victim, in this case the husband.

This only explains one part of the scam: the attempt to steal the money. But first the usurper must have accessed the WhatsApp of the victim’s friend, a process that can be automated. “This is what people do. Ransomware has automated the entire part of penetrating the perimeter. Phishing emails automated, automated port scanning, automated vulnerability identification. When they come in, a guy sits at the keyboard and starts doing things because automating absolutely everything is difficult,” says Vigo.

How can a WhatsApp account be stolen? There are a lot of ways. Unlike a normal social network, where you have a username or email as an identifier and a password, in WhatsApp the identifier is the phone number, and you can register with a six-digit code sent to that number. So once you know the victim’s number, you just have to get the code.

In this case, the interesting thing is that the attacker accessed a number and, instead of burning it by immediately asking the contacts for money, used it to move laterally and access other numbers. Using the account owner’s name and number, the attacker asked her friends for the six-digit code, which they gave without thinking twice. In this way, the criminals could multiply their chances of reaching more suitable victims. It is even possible that the attacker observed the activity and, seeing that the victim was planning a long flight, decided that it was the right time to attack.

In 2018, Vigo came up with a way to hack voicemail to obtain the code that WhatsApp sent by call instead of SMS. In Brazil, it was used hundreds of times to access phones, even those of politicians. Another way to automate it is with social engineering, with a message like: “Sorry, I made a mistake and the code came to you, can you send it to me?” “This is automated if you have a list of numbers, you automatically register WhatsApp and after 20 seconds you send that message. If they answer with the code, that’s it. You can do it with a thousand phones and it doesn’t cost much money,” Vigo says.

A variation of this social engineering method is to impersonate the company that owns WhatsApp, Meta: “There is a type of attack where they tell you, ‘We are from Meta’s cybersecurity department, we are sending you a six-digit code to reactivate your WhatsApp,’” Solano explains.

Other methods, more complex but more feasible if the victim is known, work through a web page with a form. When you register, you are asked for two-factor authentication and an SMS is required. That SMS, instead of coming from the fake web page, is the one Meta sends to register your number on WhatsApp. When you enter it on the page, you are giving it to the thieves. It can also be done through the web version of WhatsApp if it is left open in a public place: “I am going to have a drink with you, I see the pin of your number, you go to the bathroom and in a minute I enter your WhatsApp. On my own mobile phone I go to the web, I get a QR code, I scan it with your phone and I have access to your WhatsApp with all your conversations. That is the most interesting thing, because I can see what you write, write for you, whatever I want,” explains Vigo.

