Unmasked WhatsApp Scam Exposes a Pathway to Full Control Over Your WhatsApp Conversations
A new scam targeting WhatsApp users has been identified by Gen Threat Labs, taking advantage of the device linking feature to seize control of user accounts. The scam, often disguised as a harmless message from a known contact, unfolds when recipients click on a shortened URL.
Clicking the URL redirects victims to a counterfeit Facebook login page built to harvest their credentials. The operators host it on ephemeral subdomains that rotate roughly every hour, which frustrates takedown requests and outpaces URL and domain blocklists (rotating the hostname does nothing against IP-based blocking unless the hosting changes too).
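The hourly subdomain rotation described above leaves a footprint in DNS and proxy logs: one registrable domain sprouting many short-lived hostnames. The following is an added example written for this article, not code or tooling from Gen Threat Labs, that flags that pattern. The log format (`timestamp client fqdn`) and the sample lines are constructed, the thresholds are assumptions, and the registrable-domain split uses a last-two-labels simplification rather than the Public Suffix List.

```python
"""Flag registrable domains that spawn many short-lived subdomains.

Added example, not from the report it accompanies: a heuristic for the
rotating-subdomain hosting pattern, run over constructed log lines.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an assumed "<ISO timestamp> <client> <fqdn>" format.
# login-verify.example (a made-up name) rotates a fresh random label about hourly;
# example.org is ordinary traffic with a couple of stable hostnames.
SAMPLE_LOG = """\
2024-05-01T08:02:11 10.0.0.12 a9f3k.login-verify.example
2024-05-01T09:05:47 10.0.0.33 q7m2x.login-verify.example
2024-05-01T10:01:09 10.0.0.12 z1p8c.login-verify.example
2024-05-01T11:14:23 10.0.0.58 t4r6w.login-verify.example
2024-05-01T12:07:51 10.0.0.12 b2n5v.login-verify.example
2024-05-01T12:40:00 10.0.0.33 h8k1d.login-verify.example
2024-05-01T08:10:00 10.0.0.12 www.example.org
2024-05-01T12:30:00 10.0.0.33 mail.example.org
2024-05-01T12:31:00 10.0.0.33 www.example.org
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def split_fqdn(fqdn: str) -> tuple[str, str]:
    """Return (subdomain labels, registrable domain) for an FQDN.

    Simplification for the example: the registrable domain is the last two
    labels. Real detections should use the Public Suffix List so that names
    like foo.co.uk are handled correctly.
    """
    labels = fqdn.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str) -> list[tuple[datetime, str, str]]:
    """Parse log lines into (timestamp, client, fqdn); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def find_rotating_domains(events, min_subdomains: int = 5, min_rate_per_hour: float = 1.0) -> dict:
    """Report registrable domains whose distinct-subdomain churn exceeds a rate.

    A domain is flagged when it shows at least `min_subdomains` distinct
    subdomains and the number of distinct subdomains per hour of observed
    activity is at least `min_rate_per_hour` (thresholds are assumptions).
    """
    seen: dict[str, dict[str, tuple[datetime, datetime]]] = defaultdict(dict)
    for ts, _client, fqdn in events:
        sub, dom = split_fqdn(fqdn)
        if not sub:
            continue  # bare registrable domain, nothing to rotate
        first, last = seen[dom].get(sub, (ts, ts))
        seen[dom][sub] = (min(first, ts), max(last, ts))

    findings = {}
    for dom, subs in seen.items():
        if len(subs) < min_subdomains:
            continue
        first = min(f for f, _ in subs.values())
        last = max(l for _, l in subs.values())
        # Floor the window at one hour so a burst inside a few minutes is not
        # divided by a near-zero interval.
        hours = max((last - first).total_seconds() / 3600.0, 1.0)
        rate = len(subs) / hours
        if rate >= min_rate_per_hour:
            findings[dom] = {
                "distinct_subdomains": len(subs),
                "hours_observed": round(hours, 2),
                "rate_per_hour": round(rate, 2),
            }
    return findings


if __name__ == "__main__":
    for dom, info in find_rotating_domains(parse_log(SAMPLE_LOG)).items():
        print(f"{dom}: {info}")
```

Tune `min_subdomains` and `min_rate_per_hour` against your own baseline; large CDNs and SaaS tenants legitimately generate many subdomains, so treat a hit as a pivot for enrichment (registration age, hosting, URL path) rather than a verdict on its own.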
Once login details are submitted on the spoofed page, a server-side component starts a headless WhatsApp Web session driven by Puppeteer. That session produces a valid device-linking QR code, which is forwarded to the attacker's console, and the victim's mobile account ends up linked to the attacker's instance without any notification to the user. One caveat worth keeping in mind: WhatsApp only links a companion device after the primary phone scans the QR code or enters a linking code, so any such link is visible, and can be removed, under Settings > Linked Devices on the phone.
With control established, the attackers can view and export conversation histories, media files, and contact lists from victims' accounts. The tooling deployed by the scam chains into WhatsApp's desktop and web sessions using the compromised account's session tokens.
The malicious component runs in the background, refreshing the stolen session tokens and occasionally prompting the user to reauthenticate, which keeps access alive indefinitely. To stay under the radar, the attackers throttle their automation scripts to mimic human browsing, complete with randomized mouse movements and typing delays.
Should users attempt to revoke permissions on Facebook, the malicious script intercepts the revocation flow and displays a misleading error message, trapping victims in a loop. Financial fraud, identity theft, and further targeted attacks are the likely downstream consequences.
The infection chain hinges on credential phishing augmented by session token reuse. The backend relays the stolen tokens through its own server clusters, which the report says evade detection by conventional network monitoring tools.
The report does not attribute the spread of this new WhatsApp "freeloader" campaign to any particular group or individual. Users are advised to be cautious with links received from unknown sources, and with unexpected links from known contacts, since that is how the lure arrives; to verify any request for account information through a separate channel; and to check WhatsApp's Linked Devices list periodically for sessions they do not recognize.