Do you use WhatsApp Web on free Wi-Fi networks, at the mall or in other public places, without giving the login process much thought? There is something to worry about, believe me: WhatsApp account theft. Known as QRLJacking, the technique targets any application that uses a QR code as a login method, and WhatsApp in particular. Once the account is "hijacked", the attacker has access to everything: contacts, photos and WhatsApp chats, just as if they were you.
Anyone who has used WhatsApp on a computer knows that the process is simple: open the “WhatsApp Web” option, scan the QR code (Quick Response code) shown on the page that gives access to the web messenger (web.whatsapp.com), and that's it: you are logged in.
ESET researcher Daniel Barbosa says that additional validations could make QR-code login more secure. Most of the time, however, vendors prioritize new features and leave security aside.
How QRLJacking happens
QR code hijacking is possible because it is relatively easy to abuse this convenience (which is not a flaw, but a legitimate feature of the app) to convince victims to scan the wrong QR code. In most cases, the bait is a crude copy that looks nothing like the real WhatsApp Web page.
What is worrying is that the tool created to generate the fake QR code can be adapted to each attacker's needs. The platform opens a standard page as an example only, but its source code is open to modification and accepts HTML, scripts and many other web-development resources.
“Imagine that the attacker takes the time to put together something more convincing, such as an advertising banner, which offers a year of some service completely free, and that this advertisement appears when the victim browses various websites. Sounds a lot more convincing, doesn't it?” he asks. The attacker has several ways to convince the user that the fake page is the correct one: compromising the network, planting banners, manipulating the browser's default search engine, and so on.
How WhatsApp uses QR Code
The QR code is an image. Once decoded by a QR code reader, it yields a string of code. In WhatsApp's case, the application uses that code to validate the user's access to its Web/Desktop client, with no further validation.
How WhatsApp theft occurs
Criminals have developed tools that capture and store the image of the QR code generated by WhatsApp and create a new QR code to be displayed to the victim.
“To the naked eye it is not possible to distinguish the original code from the code forged by the attackers. After that, the victim's session is stored on the criminal's computer and he can use it as he sees fit, without causing any interruption in the use of the application on the victim's smartphone,” he explains.
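As an added illustration (not WhatsApp's protocol, nor ESET's code), the toy Python service below applies the kind of extra validation Barbosa refers to and models the "end all sessions" remedy from the tips that follow: each QR token is short-lived and single-use, the phone shows the user the requesting browser's details before approving, and one call revokes every web session of an account. The browser details, the 60-second lifetime and the sample addresses are assumptions.

```python
import secrets
import time


class QrLoginService:
    """Toy QR-login backend (added illustration, not WhatsApp's real protocol)."""

    QR_TTL = 60  # seconds a pending QR token stays valid (assumed value)

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable clock so expiry can be exercised
        self.pending = {}       # token -> {"created": ts, "browser": details}
        self.sessions = {}      # session id -> {"account": ..., "browser": ...}

    def issue_qr(self, browser_info):
        """A browser requests a login QR; the token the QR encodes is tied to its details."""
        token = secrets.token_urlsafe(32)
        self.pending[token] = {"created": self.clock(), "browser": browser_info}
        return token

    def describe_scan(self, token):
        """What the phone shows before approving: the requesting browser's details.
        Returns None (and discards the token) if it is unknown or has expired."""
        p = self.pending.get(token)
        if p is None or self.clock() - p["created"] > self.QR_TTL:
            self.pending.pop(token, None)
            return None
        return p["browser"]

    def approve(self, token, account, user_confirmed):
        """Phone submits the token after the user has seen where the login comes from.
        The token is single-use: it is consumed whether or not the user confirms."""
        if self.describe_scan(token) is None:
            return None
        p = self.pending.pop(token)
        if not user_confirmed:
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"account": account, "browser": p["browser"]}
        return sid

    def is_valid(self, sid):
        return sid in self.sessions

    def logout_everywhere(self, account):
        """The remedy from tip 4: ending every web session also ends a hijacked one."""
        doomed = [s for s, v in self.sessions.items() if v["account"] == account]
        for s in doomed:
            del self.sessions[s]
        return len(doomed)
```

A relayed QR code still reaches the victim's phone, but the user now sees an unfamiliar browser and address before approving, and a delayed scan finds the token already expired.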
How to stop unauthorized access on WhatsApp Web
It comes down to safe habits and staying alert. In a hurry, even trained users fall for social engineering scams. It happens to everyone.
1. Know the application you are using
In the case of WhatsApp and other messengers, the QR code is only used to sign in to WhatsApp Web. If a banner asks you to scan a QR code in exchange for some benefit, don't believe it. Also learn the details of the real login page, its look, colors and exact URL, so you don't get fooled.
2. Avoid public or untrustworthy networks
Attacks like these happen when the criminal is on the same network as the victim. Avoid features that require a login or handle personal data while on an insecure network.
3. Watch your browsing
Even on networks we believe to be secure, such as the workplace, there can be risks. Stay alert and pay attention to the pages you are accessing.
4. QRLJacking and Logout Signals
Attacks of this type, in which a fake QR code is used, usually give the user nothing back. That is, if you scan a code and nothing happens (not even what was promised), it is probably an attack. On the main screen of the WhatsApp application, go to WhatsApp Web and end all sessions that were started on computers. This makes the criminals lose access.
5. Keep everything up to date
Better safe than sorry. Using an antivirus on your Android phone and on your computer can help block threats, malicious URLs hidden in fake QR codes and erratic behavior in the operating system. Also keep all software and applications constantly updated, since updates fix security problems.
With information from WeLiveSecurity