WhatsApp users beware: 3 from Hyderabad have fallen prey to this simple hack in a week

Simple yet malicious, this WhatsApp hack may have been reported only recently, but the modus operandi is not entirely new, and there may still be a way to prevent such attacks altogether.

At least three people from Hyderabad have fallen victim over the past week to a form of social engineering hack in which malicious actors get unauthorised access to a person’s WhatsApp account.

Hyderabad Cyber Crime Police Station station house officer KVM Prasad described this attack while talking to local Telugu news channel V6. This is how it works:

  • The malicious actor signs up on WhatsApp using the victim’s number and then calls the victim to convince them to give up the OTP.
  • Once the OTP is given, the actor logs in to the person’s account and enables two-factor authentication. This locks out the owner of the account.
  • If there are chat backups, the hacker will now have access to them.
  • The malicious actor then identifies the people with whom the person has had the most conversations and sends them a malware link.
  • By clicking on the link, that person’s phone gets infected.
  • The actor also sends messages to the person’s friends asking for money. The recipients fall for it, thinking that their friend is messaging them.

“In the last few days alone we have received three cases. Even if it’s from your friend, don’t click on unknown links on WhatsApp,” Prasad told NTV. We have reached out to Prasad with our queries and will update the post when we receive a response.

Unlike nation-state cyberattacks or attacks exploiting a platform’s vulnerability, social engineering attacks have to do with our susceptibility to such scams and our complacency when it comes to securing our devices.

Similar attacks were recorded earlier

This type of attack, where the actor hijacks one’s WhatsApp account, is not new. Cybersecurity researchers have earlier recorded similar social engineering attacks in which the actor obtains the OTP for a WhatsApp account and uses it to take over the account. Going by the account of the Hyderabad city police, the only bit that is new would be the manner in which the hacker has gotten access to the OTP.

For instance, a researcher at Cygenta, a UK-based cybersecurity company, was targeted by a similar attack last year. Madeline Howard, the researcher, said in a blog post, “When you download and install WhatsApp on a new device, WhatsApp will then send the mobile number you have entered a 6-digit verification code. This code verifies that you possess the mobile number and device. Once the 6-digit code has been entered that device will then receive WhatsApp messages for that account.”

This is how it works next, according to Howard —

  • In order for this attack to work, the attacker will have already compromised an individual’s WhatsApp account (they could have done this via Facebook, not necessarily WhatsApp itself).
  • “In this case, the account they had compromised belonged to an old friend,” she said. The attacker then sends a message to the friends of the initial victim stating they have accidentally sent the code to them, or they’re having issues receiving the code.
  • “Here you can see that the attacker states they ‘sent’ me the code by mistake. I did receive the 6-digit code via SMS from WhatsApp, making the whole attack seem more plausible. If I had then sent back the 6-digit code, the attackers would have successfully compromised my WhatsApp account, too,” she added.

How do you prevent such attacks?

According to WhatsApp, one can set up a two-step verification process which is “an optional feature that adds more security to your WhatsApp account. You’ll see the two-step verification screen after you successfully register your phone number on WhatsApp.”

While setting up two-step verification, users can enter an email address, which allows WhatsApp to email a reset link if they forget their PIN.

“To help you remember your PIN, WhatsApp will prompt you to periodically enter your PIN. Unfortunately, there isn’t an option to disable this without disabling the two-step verification feature,” the FAQ section of WhatsApp said.

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
