Using WhatsApp to Spread Scams and Fake News

Filed under Security Alerts.

In a disturbing revelation, Check Point researchers have discovered a vulnerability in WhatsApp that allows a threat actor to intercept and manipulate messages in a group or private conversation. The manipulation is performed by a participant in the conversation on messages sent from their own account, by decrypting and editing their own client's traffic; it does not break WhatsApp's end-to-end encryption between other users. By doing so, attackers can put themselves in a position of immense power to not only steer potential evidence in their favour, but also create and spread misinformation.


The vulnerability so far allows for three possible attacks:

  1. Altering the text of a quoted message in a reply, putting words into someone's mouth that they never said.

  2. Quoting a message in a reply to a group conversation so that it appears to come from a person who is not even part of the group.

  3. Sending a message to a single member of a group that pretends to be a group message but is in fact delivered only to that member. The member's response, however, is sent to the entire group.
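The first two attacks work because a reply carries its own copy of the quoted author and text, and a client that simply displays that embedded copy has no way to notice it was tampered with. The following Python model, added here as an illustration and not code from Check Point or WhatsApp, contrasts a naive quote renderer with one that resolves the quote against the receiver's own copy of the conversation. The message fields (stanza_id, quoted_participant, quoted_text), the group members and the sample messages are all constructed assumptions and do not reflect WhatsApp's real wire format.

```python
"""Simplified model of quote handling in a group chat (constructed example).

Field names and message layout are assumptions for illustration only,
not WhatsApp's actual protocol.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, NamedTuple, Optional


@dataclass
class Message:
    stanza_id: str                              # id chosen by the sender
    sender: str                                 # actual author, set by the transport
    text: str
    quoted_id: Optional[str] = None             # reply: id of the message being quoted
    quoted_participant: Optional[str] = None    # reply: claimed author of the quote
    quoted_text: Optional[str] = None           # reply: claimed text of the quote


class QuoteView(NamedTuple):
    status: str     # "ok", "non_member", "missing" or "altered"
    author: str     # author the client will display for the quote
    text: str       # text the client will display for the quote


@dataclass
class GroupChat:
    members: FrozenSet[str]
    history: Dict[str, Message] = field(default_factory=dict)   # stanza_id -> Message

    def post(self, msg: Message) -> None:
        self.history[msg.stanza_id] = msg


def render_quote_naive(chat: GroupChat, reply: Message) -> Optional[QuoteView]:
    """Displays whatever the reply claims was quoted; the sender controls both fields."""
    if reply.quoted_id is None:
        return None
    return QuoteView("ok", reply.quoted_participant, reply.quoted_text)


def render_quote_verified(chat: GroupChat, reply: Message) -> Optional[QuoteView]:
    """Looks the quote up in the receiver's own history and flags any mismatch."""
    if reply.quoted_id is None:
        return None
    claimed_author = reply.quoted_participant
    if claimed_author not in chat.members:
        return QuoteView("non_member", claimed_author,
                         "[quote attributed to someone outside this group]")
    original = chat.history.get(reply.quoted_id)
    if original is None:
        return QuoteView("missing", claimed_author,
                         "[quoted message not found in this chat]")
    if original.sender != claimed_author or original.text != reply.quoted_text:
        # Show what was really said instead of the attacker-supplied copy.
        return QuoteView("altered", original.sender, original.text)
    return QuoteView("ok", original.sender, original.text)


def demo() -> Dict[str, tuple]:
    """Runs an honest reply and the two quote attacks through both renderers."""
    chat = GroupChat(members=frozenset({"alice", "bob", "mallory"}))
    chat.post(Message("m1", "alice", "Let's meet at 10"))
    honest = Message("m2", "bob", "Works for me", quoted_id="m1",
                     quoted_participant="alice", quoted_text="Let's meet at 10")
    # Attack 1: mallory quotes alice's real message but rewrites its text.
    attack1 = Message("m3", "mallory", "Fine, 11 it is", quoted_id="m1",
                      quoted_participant="alice", quoted_text="Let's meet at 11")
    # Attack 2: mallory quotes a message that never existed, from a non-member.
    attack2 = Message("m4", "mallory", "Carol agrees", quoted_id="m99",
                      quoted_participant="carol", quoted_text="I'll bring the cash")
    results = {}
    for name, reply in (("honest", honest), ("attack1", attack1), ("attack2", attack2)):
        chat.post(reply)
        results[name] = (render_quote_naive(chat, reply), render_quote_verified(chat, reply))
    return results


if __name__ == "__main__":
    for name, (naive, verified) in demo().items():
        print(f"{name:8} naive -> {naive.author}: {naive.text!r}")
        print(f"{'':8} verified -> {verified.status}: {verified.author}: {verified.text!r}")
```

The verified renderer only helps when the receiver still holds the original message; a quote of a message that was deleted or sent before the receiver joined shows up as "missing" rather than "ok", which is the safe default. It does nothing against the third attack, where the deception is in who the message was delivered to rather than in its quoted content; that needs a check on the delivery path itself.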

The visual below shows how these attacks could play out in practice.

Oded Vanunu, Check Point’s Head of Product Vulnerability Research had this to say on the recent findings: “Given WhatsApp’s prevalence among consumers, businesses, and government agencies, it’s no surprise that hackers see the application as a five-star opportunity for potential scams. As one of the main communication channels available today, WhatsApp is used for sensitive conversations ranging from confidential corporate and government information, to criminal intelligence that could be used in a court of law.”

Following the process of responsible disclosure, Oded's team informed WhatsApp of their findings. Check Point Research considers these vulnerabilities to be of the utmost importance and in need of attention.

Watch the demo video and read about the technical details in our research report here.


WhatsApp with the Fake News?

Because it is such an easy and quick way to communicate, WhatsApp has already been at the centre of a variety of scams. From fake supermarket and airline giveaways to election tampering, threat actors never tire of finding ways to manipulate unsuspecting users.

In fact, social engineering on a mass scale has already been seen at a level where people's lives were at stake. In Brazil, rumours quickly spread on WhatsApp about the dangers of receiving the yellow fever vaccine, the very thing that could have stopped an epidemic of the deadly virus during its 2016 rampage, which infected 1500 people and killed almost 500.

Earlier this week, vicious rumours, also spread via WhatsApp, led to a spate of lynchings and murders of innocent victims in India.

WhatsApp is also taking an increasingly central role in elections, especially in developing countries. Earlier this year, again in India, WhatsApp was used to send election-related messages, some of which were completely false.

Ultimately, social engineering is all about tricking the user and manipulating them to carry out actions they will later regret. With an ability to manipulate replies, invent quotes or send private messages pretending to be group ones, as seen in this research, scammers would have a far greater chance of success and have yet another weapon in their arsenal.

What's more, the larger the WhatsApp group, and the larger the flurry of messages in it, the less likely a member is to have the time or inclination to double-check every message and verify its authenticity, so they can easily be taken in by what they see. Spam emails already fake the sender's name to appear to come from a source the receiver trusts; this latest vulnerability allows the same trick to be played through a completely different attack vector.

How to Protect Yourself from Misinformation

While there are no security products that can yet protect users from these types of deceptions, there are several ideas to keep in mind to avoid being a victim of fake news, conspiracy theories and online scams in general.

If something sounds too good to be true, it usually is. And likewise, if something sounds too ridiculous to be true, it probably is.

Misinformation spreads faster than the truth. Although you may be seeing the same news from multiple sources, this does not make it more factual than were it to come from a single source.

Check your 'facts'. Cross-check what you see on social media with a quick online search to see what others are saying about the same story. Or, better still, do not get your news from social media at all.


The information contained in this website is for general information purposes only. The information is gathered from Check Point. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.