Kaspersky has uncovered a new phishing campaign targeting WhatsApp users through a fraudulent voting scheme. This attack lures victims with a voting page allegedly featuring young athletes, but other voting topics are being exploited as well. The method can be easily tuned for different scenarios, and the ultimate goal of the attackers is to hijack WhatsApp accounts.
The scam begins with users being directed to a seemingly legitimate webpage claiming to host a voting contest. For instance, the page can feature photos of athletes, each accompanied by a “Vote” button and real-time counters displaying alleged vote totals and the number of users who have participated. These elements create a false sense of authenticity, encouraging user engagement. The page also claims that anyone can participate in the contest after “authorization”, with winners getting prizes from “sponsors”.
Upon clicking either “Vote” or “Authorize” buttons, users are redirected to a fraudulent webpage that encourages users to “quickly and simply” authorize via WhatsApp. Users are prompted to enter their WhatsApp-associated mobile phone number. Attackers then use the WhatsApp feature to login into the messenger’s web interface via a one-time code: they input the victim’s phone number to login to WhatsApp Web and the system gives out a 6-digit code which the scam website then mirrors. When the user inputs this code in the app on their smartphone, the web session that the attackers initiated goes live, allowing them to spy on the victim, write messages and eventually take over the account.
A verification code from WhatsApp mirrored by the attackers
“We see that online contests that include voting are very popular now, and this is used by attackers who exploit trust in this seemingly harmless activity. By combining social engineering with convincing fake interfaces, attackers are weaponizing user engagement to steal sensitive data. Awareness and vigilance are critical to staying safe,” comments Tatyana Shcherbakova, Web Content Analyst at Kaspersky.
To be protected from such hijacking scams, Kaspersky recommends:
- Enable two-step verification: Activate WhatsApp’s two-step verification feature to add an extra layer of security, requiring a PIN for account access.
- Verify website authenticity: Avoid entering personal information on unfamiliar websites, especially those reached via unsolicited links. Always check the URL for legitimacy.
- Never share verification codes: WhatsApp will never ask for your verification code. Do not share it with anyone, or accept it from anyone, even if prompted by a seemingly trusted source.
- Use trusted and proven security software to detect and block malicious websites and links.