The National Directorate of Cyber Security (DNSC) warns of a new smishing fraud attempt (phishing via phone messages), whereby attackers aim to compromise accounts on messaging platforms such as WhatsApp, then use these accounts to spread further online fraud attempts.
‘DNSC has been notified by several users of a new wave of fraud attempts aimed at compromising accounts on certain instant messaging platforms, such as WhatsApp. The compromised accounts are later used to propagate other frauds of a financial nature’, the representatives of the Directorate noted on Facebook on Wednesday.
According to DNSC, the message sent by the attackers uses the following text: ‘Hello! Please vote for Adeline in this poll, she is my friend’s daughter from Bucharest, the main prize is a scholarship for free education in France, this is very important to her. Thank you very much!’, as well as a link to a phishing site, which usually contains the words ‘vote’ and ‘dance’, and at the end the extension ‘.top/home’.
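The link pattern DNSC describes can be turned into a filter for messages or proxy logs. The following Python example is added here and is not DNSC's code; the sample messages, the placeholder domains in them and the threshold of three matching indicators are assumptions.

```python
import re
from urllib.parse import urlsplit

# Indicators from the DNSC description: the link usually contains the words
# "vote" and "dance" and ends in ".top/home". Threshold is an assumption.
LURE_WORDS = ("vote", "dance")
URL_RE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)

def lure_indicators(url):
    """Return the list of DNSC indicators that a URL matches."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    path = parts.path.lower().rstrip("/")
    hits = []
    if host.endswith(".top"):
        hits.append("tld:.top")
    if path.endswith("/home"):
        hits.append("path:/home")
    hits += ["word:" + w for w in LURE_WORDS if w in host + path]
    return hits

def scan_message(text, threshold=3):
    """Return (url, indicators) for each URL matching >= threshold indicators."""
    flagged = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:!?)'\"")
        hits = lure_indicators(url)
        if len(hits) >= threshold:
            flagged.append((url, hits))
    return flagged

# Constructed sample messages; the domains are placeholders, not real IoCs.
SAMPLES = [
    "Hello! Please vote for Adeline in this poll https://vote-dance-example.top/home",
    "Variant without scheme: dancevote-example.top/home/.",
    "Meeting notes are at https://www.example.com/home",
    "Contest page: https://contest.example.top/vote",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(scan_message(msg) or "clean", "<-", msg)
```

Because DNSC says the link "usually" has this shape, the filter scores indicators instead of requiring an exact match, so a variant that drops one of them is still flagged.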
After opening the web page, victims see two girls, one of them being ‘Adeline’, and a vote button. Clicking this button opens a pop-up window (a window that suddenly appears over the content, used for notifications, messages or forms) asking them to ‘login to WhatsApp to be able to vote’. At this point, the user is prompted for the phone number.
After this stage, the WhatsApp application on the victim’s phone receives a code for linking a device, which the victim enters in the pop-up window and is left with the impression of having ‘voted’. In reality, the user has given the attackers access to the WhatsApp account. Later, the user will find that unauthorized messages have been sent to the entire contact book and that the account is also in the possession of the attackers.
It was also found that the WhatsApp account was suspended, as a result of spam actions or after people close to the victims informed them.
“We specify that, after pairing the devices, the messages sent were of two types: either they replicated the initial message, with the attackers thus trying to compromise other WhatsApp accounts with the same method, or they were urgent messages requesting money, usually the amount of 1,800 lei. The message requesting money contains the text ‘Hello, can you lend me 1,800 RON? I need it on my card or Revolut, I’ll give it back to you tomorrow’, after which a username corresponding to the Revolut service is made available, stating the urgency with the message ‘There is another name because they blocked my account, but I need it urgently to make a payment on this account. Thank you very much!’ If the victim sends money, the attackers persist and come back with a message requesting an additional amount of money, i.e. 2,000 RON, the trap message being the following: ‘I’m sorry to bother you again, you couldn’t transfer another 2000 there? I miscalculated a bit, I will return it all to you tomorrow’,” explains DNSC.
The representatives of the Directorate warn that accessing the fake website sent by the attackers and providing the authentication code can compromise the account of the ‘attacked’ person, which endangers the contact list with which the account is associated.
‘Account hijacking by attackers can lead to its blocking due to spam. If you comply with the attackers’ requests and make the transfer, you may suffer financial damage without the possibility of recovering the funds’, they draw attention.
In this context, DNSC recommends: Think logically, read carefully when you receive a message and do not act hastily; Do not click on links in text messages from unknown sources; Do not call received phone numbers or respond to such suspicious messages; Never provide sensitive information via SMS; Be wary of text messages asking you to take immediate action or make urgent payments; Check device pairing and delete all paired devices; Enable two-step authentication (2FA) to add another layer of security to your account and prevent them from being linked in the future.
To remedy the situation, if there is still access to the account, the Settings section should be accessed, then ‘Linked Accounts’ should be selected and the unknown devices removed from the list. Then two-step authentication (2FA) is activated.
If you no longer have access to your account, you will need to contact the Help Center to take the necessary steps to recover your account. The DNSC team has also made available to the general public a guide dedicated to securing and recovering the main social media accounts, which you can access and download from the dnsc.ro website: https://www.dnsc.ro/pagini/ghid- social networks
Contact your bank immediately if you have provided card or login details to your account, or if you have made a payment to the attackers. Notify the person whose identity is being used in various ways to help resolve the confusion caused by the fraud as quickly as possible. As soon as you regain access to your account, send a message to the people who received spam from the attackers on your account to avoid falling into the same trap. Help spread awareness in this case! The more users are informed about this attack scenario, the smaller the number of potential victims will be. Report the incident to the DNSC (via the PNRISC platform or by calling 1911) and to the Romanian Police (petitiții@politiaromana.ro) if you have suffered financial damage. Train yourself to avoid the main threats from the online environment on the website of the national awareness project sifareniaonline.ro’, DNSC advises.
Source: www.cotidianul.ro