|Image credits: http://blog.mawalabs.de/whatsapp-phishing/|
Whatsapp is one of the top cross-platform messaging app, available for most of the devices like smartphones and tablets. It has changed the way of text messaging forever, handling over 60 billion messages per day according to recent estimates.
WhatsApp and Security.
Since the time of launch, WhatsApp has been infamous for its security, where many vulnerabilities and bugs were reported. It was also noted that they employed weak encryption to handle messages. But those were in the past, now they have come up with advanced safety measures, like the recently announced 'End To End Encryption'. According to this new feature, very WhatsApp message will be encrypted, and only the sender and receiver will be able to read the content. Middle men like the governmet, spying agencies or even the owners of WhatsApp (Mark Zuckerberg, obviously) cannot read the messages sent. WhatsApp even has an option to verify if two connections are properly encrypted.
So Is WhatsApp Secure?
Answer is no. Nothing is 100% secure technically but considering the steps WhatsApp is taking to ensure privacy and security, one must say it is pretty much secure. However then comes the human part-scams, social engineering, Phishing Attacks etc which makes all the security measures ineffective. Few months ago, WhatsApp has introduced their much awaited web interface by which WhatsApp could be used in PC. this put an end to so much scams and spam campaigns, tricking users offering a PC version of WhatsApp.
Hack WhatsApp Through Phishing Attack.
A new phishing attack vector has been developed,targetting the WhatsApp web users, which helps anyone to hack WhatsApp through phishing attack. WhatsApp web helps to replicate the mobile app in PC, in browser and it basically works like this. Open the webcliet in a browser, scan the QR code generated with the WhatsApp from phone/device. This syncs the mobile whatsap with PC, all the chats, groups, calls, and everything gets available. WhatsApp phishing script pretty much automates the process of impersonating someone in no time.
How WhatsApp Phishing Works.
The WhatsApp Phishing program uses node.js and socket.io for the website and selenium, a tool for scripting browsers, to communicate with the Whatsapp web client. The program starts a http and a socket.io server. If a new client connects to socket.io, the application will make a request to a selenium instance to start a new browser and connect to web.whatsapp.com.
This program will do the following.
- Extract the QR code from the WhatsApp Web and post to attacker contolled phishing site.
- Lure the visitors to scan the QR code from WhatsApp on their phone, offering something attractive in return.
- After the scanning & authentication is done, the attackers get complete access to the user’s WhatsApp.
- This gives the attackers full controll of the WhatsApp data, which includes chat records, groups, contact lists, send message as the user to anyone and virtually anything that the real WhatsApp user can do.
Installing and setting up WhatsApp Phisher.
WhatsApp Phishing program requires Selenium Standalone server and firefox browser. Make sure both are installed first.
For the complete procedure goto the github page of the auther here.
Below is a live demo of the attack.
Users sould be aware that encryption alone is not going to ensure security of WhatsApp. It is the scam & phishing campaigns like this the users should worry about more. Poor encryption may leave the messages open to be read by third party but attacks like this gives full control of someone's WhatsApp account to hackers. This is more serious and an attacker can do maximum damage by these simple social engineering tricks. WhatsApp should come up with advanced protection against these types of phishing scams also.